How to Take Action When a Security Breach Hits
October 28, 2010

Best Practices for Breach Incident Response -- Forensics Investigation and Risk Assessment & Remediation

PRESENTERS
Winston Krone, Esq.
Kai Lintumaa
Mahmood Sher-Jan
ID Experts
[email protected]
Kivu Consulting, Inc.
www.kivuconsulting.com

How to Take Action When a Data Breach Hits October 28, 2010

TOPICS
» Introductions
» Data Breach Lifecycle
» Common data breach scenarios
  • Managing the first 24 - 72 hours
  • Determining if a breach has occurred
  • Closing a network breach v. preserving evidence
» Organizational Risk Assessment
  • PHI/PII determination & harm
  • Compliance to regulations
» Q&A

COMPREHENSIVE DATA BREACH SERVICES
Holistic approach to addressing data breach risk
Focused on delivering the most positive outcomes

DATA BREACH LIFECYCLE
Risk Analysis & Planning Risk Assessment Breach event Investigation Respond & Assist customers Legal Notification Compliance Obligations Media

INVESTIGATING A DATA BREACH
Winston Krone, Esq.
Kai Lintumaa
Kivu Consulting, Inc.

INVESTIGATING A DATA BREACH
• Different vectors of attack
• Educating your workforce
• An organization should be prepared to learn of a data breach through any of its communications channels.

AREAS OF RESPONSE
• Contain/ Isolate/ Eradicate
• Assess the loss
• Collect Evidence
• Assess overall risk to organization
• Remediation/ Prevention

INCIDENT RESPONSE PLAN
• “How to respond” = “Use your plan”
• Stay calm
• Technical Response v. Breach Analysis
• Need for objective oversight

RAISING THE ALARM
• Intrusion Detection Systems (IDS)
• IT anomalies/ network failure
• Complaints from end-users

NETWORK ATTACKS – KEY POINTS
1. Opportunistic -v- targeted attacks
2. Hackers may not be after your data
3. Network compromise does not necessarily mean data loss

RESPONSE IN FIRST 48 HOURS
» Technical Response
  • Fix the problem(s)
  • Restore the system
» Breach Analysis
  • What happened?
  • What data might have been exposed?
  • What data was definitely exposed?
  • Available safeguards?

EVIDENCE COLLECTION
1. Volatile memory
2. Forensic images/ metadata
3. Logs/ traffic analysis
4. IT testimony/ documentation

THE STOLEN LAPTOP
• Confirming details of the loss – problems with the “human element”
• Possible need for skilled investigators/ interviewers
• Determining contents of a lost laptop
• Reviewing protocols
• Forensic comparison w/ other laptops
• Any protection or mitigation?

LIAISING WITH LAW ENFORCEMENT
• Lose control of investigation
• Lose focus on priorities
• You’re doing something
• Speedier subpoena responses

Organizational Risk Assessment
Best Practices Beyond Forensics Investigation

DATA BREACH REGULATORY COMPLEXITY
» HITECH Act -- the biggest change to the health care privacy and security
» 46 states with breach notification laws & a few include PHI
» Courtesy notices are a thing of the past as more agencies are getting interested
» More rule changes expected

BEST PRACTICE BREACH RESPONSE PROCESS
Data, Legal, Risk Analysis, Response
RISK MITIGATION

DATA RISK ANALYSIS
PHI / PII Segmentation & Confirmation
• Unknowns
Data Sensitivity Level & Context
Limited Data Set (LDS)
De-Identified Data

Ready for Data Breaches Under the HITECH Act? September 23, 2010

LEGAL OBLIGATIONS
Federal – HITECH Act
State privacy laws
Contractual (Agent v Independent)
Downstream sub-contractors
Reporting/Notice Requirements

ORGANIZATIONAL RISK ANALYSIS
Severity of the incident
Sensitivity of the data
Context of the incident
Incident resolution status
Safe-Harbor & Exceptions
- Federal Law
- State Law

RESPONSE SCOPE ANALYSIS
Affected Population Segments & Size
- Demographic
- Special Needs Considerations
- ID Theft Protection Services(?)
Notification & Tracking Methods
- Timeline (Fed vs. State)
- Letter / Email
- Substitute Notice
- Call Center
- Website
- Tracking & Archiving
Inquiries & Investigations
- Fed & State
- Media

HHS INVESTIGATION-REQUESTED DATA ELEMENTS
• Primary designated contact with OCR
• Detailed explanation of the breach
• Copy of Notice of Privacy Practices (NPP)
• Copy of policies & procedures for safeguarding PHI
• Copy of policies & procedures for accounting of PHI disclosures
• Number of patients served annually
• Copy of notification of the breach as required by 45 C.F.R. 164.404
• Copy of media notification as required by 45 C.F.R. 164.406
• Evidence of any action taken to determine root cause of the breach
• Evidence of any steps to ensure it does not recur
• Evidence & tracking of the notification of affected individuals

BREACH RESPONSE BEST PRACTICES SUMMARY
Investigate & Determine Root Cause
• Preserve evidence
Assess Overall Organizational Risks
• Fed & state law requirements
• Document risk analysis
Execute Incident Response Plan (IRP)
• Report; Notify & track as required
Handle Post Incident Response Investigations
• Evidence of compliance

CONCLUSION
» Q&A

Winston Krone, Esq.
Kai Lintumaa
Mahmood Sher-Jan
ID Experts
[email protected]
Kivu Consulting, Inc.
www.kivuconsulting.com