
Data Breach Investigation and Mitigation Checklist



Actions to Be Taken Immediately upon Identification of an Incident

  1. Notification Process
    ☐ Notify privacy and security officers
    ☐ Initiate security incident report form
    ☐ Record name and contact information of reporter
    ☐ Gather description of event
    ☐ Identify location of event

  2. Investigation Steps
    ☐ Establish security incident response team (e.g., security officer, privacy officer, risk manager, administration, and others as needed) and identify team leader (e.g., privacy or security officer)
    ☐ Identify and take immediate action to stop the source (e.g., hacking) or entity responsible (e.g., work force member, vendor)
    ☐ Identify system, application, or electronic PHI compromised and then immediately begin identification process of those patients whose information was compromised and what data elements were included (e.g., name, age, date of birth, Social Security number,
    ☐ Determine need to notify key internal stakeholders not represented on the team:
      • HIM department (if necessary to sequester records)
      • Billing and patient accounts department (if necessary to suspend billing process)
      • Human resources department (if a work force member is suspected)
      • Vendor relations or purchasing leadership
      • Others as necessary
    ☐ Identify the source or suspects involved in event:
      • If the source is identified as a vendor or business associate, determine if business associate agreement has been established (collect as evidence)
      • If the source is identified as a work force member, establish existence of criminal background check, privacy and security education and training, etc. Coordinate with human resources to determine appropriate sanctions.
      • If the source is external, work with law enforcement agency to determine appropriate actions
    ☐ Carry out IT forensic investigation to gather evidence and determine course of events as well as identify electronic PHI compromised
    ☐ Identify and sequester pertinent medical records, files, and other documents (paper and electronic)
    ☐ Determine need for external notification or involvement (see individual sections following):
      • Legal counsel (identify all communications as “Privileged and Confidential Attorney-Client Communication/Work Product”)
      • IT forensics support
      • Law enforcement agency (local and federal)
      • Media
      • Victims
    ☐ Determine need to contact other additional external stakeholders:
      • Corporate office
      • Licensing or accrediting agencies
      • Centers for Medicare and Medicaid Services, Office for Civil Rights (self-reporting is not required by regulation, it is an organizational decision)
      • Business associates or partners

Other Actions as Applicable

  1. Contact Law Enforcement Officials
    ☐ Verify event constitutes a crime and is reportable
    ☐ Determine appropriate law enforcement agency and contact
    ☐ In cooperation with local law enforcement officials, determine the need to involve other external law enforcement agencies (e.g., FTC, FBI, Social Security Administration, Inspector General)
    ☐ Obtain name of law enforcement contact to provide upon victim request

  2. Collection of Evidence
    ☐ Security incident response form
    ☐ IT forensic evidence (e.g., reports, logs, audits)
    ☐ Records of communications (e.g., phone logs, e-mail, letters)
    ☐ Law enforcement agency and police reports
    ☐ Legal counsel guidance

  3. Notification of Victims
    ☐ Determine need to notify victims. Consider:
      • Likelihood of harm (e.g., stolen laptop protected by password or encryption, PHI limited to first names and dates only)
      • Recipient of information, if known (e.g., if recipient is known covered entity, there is less risk than if PHI was disclosed to other individuals)
      • Regulatory reporting and disclosure requirements (review state regulations)
      • Type of incident (e.g., targeted theft of data or incidental as part of crime of opportunity such as laptop left unaccompanied in airport waiting area)
      • Actions of other organizations if involved in event (e.g., information system of vendor hacked containing multiple healthcare clients)
      • Historical responses by others involved in similar events
    ☐ Prepare a communication plan to cover oral and written communications to victims as well as information to assist them with personal needs (FTC guidance) and organizational contact person for questions and concerns (privacy officer)
    ☐ Provide information regarding law enforcement contacts
    ☐ Consider provision of credit monitoring services (e.g., fees paid by organization? If so, how long?)

Journal of AHIMA/January 2008 - 79/1                                                                                                        67
  4. Communication with Media
    ☐ Determine need to proactively contact media or prepare press release in response to inquiries. Consider:
      • Likelihood of media awareness or investigation
      • Scope of event (e.g., number of individuals impacted, type of information disclosed, threat of harm to victims)
      • Potential for harm to individuals (e.g., patients, business associates, clients, others)
      • Organizational preventive safeguards and practices
      • Mitigation efforts
      • Preparation of talking points for public affairs department outlining organization’s privacy and security safeguards
      • Limitations of disclosure as advised by legal counsel or law enforcement

  5. Other Organizational Processes to Be Considered
    ☐ Determine how best to account for disclosures of PHI (HIPAA requirement):
      • Update each health record (paper or electronic) with disclosure information
      • Provide list of patients to privacy officer in response to accounting of disclosure requests (may be preferred for large numbers of disclosures)
    ☐ If event is result of a business associate’s failure to safeguard PHI, consider need to terminate relationship (refer to business associate agreement)

Follow-Up Activities, Identifying Opportunities for Improvement

  1. Evaluation of Security Incident Response (Document on Form)
    ☐ Identify actions:
      • Identification measures (incident verified, assessed, options evaluated)
      • Evidence collected
      • Eradication measures
      • Recovery measures
    ☐ Determine:
      • How well did the work force members respond to event?
      • Were documented procedures followed? Were they adequate?
      • What information was needed sooner?
      • Were there any steps or actions that might have inhibited recovery?
      • What could work force members do differently the next time an incident occurs?
      • What corrective actions can prevent similar events in the future?
      • What additional resources are needed to detect, analyze, and mitigate future incidents?
      • Can missing electronic PHI be recreated to provide continuity of care?
      • What external resources and contacts proved helpful?
      • Other conclusions or recommendations

  2. Follow-Up
    ☐ Security incident response form completed and supporting documentation made part of form or filed as attachments (consider restricting access to the form)
    ☐ Policy and process review completed and all necessary changes made based on shortcomings identified through managing event
    ☐ Training, education, and awareness activities carried out (balancing need for awareness with disclosure of event)
    ☐ Event documented as educational case study (de-identified) for internal use

  3. Other
    ☐ Consider the offer of a reward for return of lost or stolen equipment
