Requests Regarding Privacy/Security Events

00:00

Hello again and welcome to the H C I s P P certification course with Sai Buri

00:06

requests regarding privacy and security events.

00:10

My name is Charlene Hutchins and I'm your instructor.

00:17

In this video, we will cover breach notification goals,

00:22

information dissemination, policies and standards,

00:26

risk assessment activities

00:28

and chain of custody.

00:33

Health care entities may have specific regulatory requirements for timely reporting of incidents. For example,

00:42

here in the United States, the high tech act requires breach notification no later than 60 days from the date of discovery.

00:51

So it's important not only that the primary entity have a plan in the event of a breach,

00:56

but also that those requirements are clearly articulated and contracts with third party vendors.

01:02

It's important that the vendor have a communication plan, including contract information for use in the event of a breach.

01:11

As an example,

01:11

the primary entity may require the vendor to report suspected or known breaches to the primary entities. Help this or to a specific email address.

01:23

Whatever the method, the receiving individuals at the primary entity must be trained to capture the appropriate information about the suspected breach, including how it happened

01:38

the duration of the event,

01:41

what is being done to contain it,

01:44

how many individuals are affected

01:48

and what data elements were exposed.

01:51

As part of due diligence, the primary entity needs to understand the incident response processes in place at its third parties.

02:00

The goal should be to foster as much consistency as possible, regardless of the vendor involved.

02:12

The third party vendor must have a clear understanding of how the primary entity wants to handle communication and notifications surrounding a security incident,

02:22

particularly every beach.

02:23

Facts about a breach should be communicated with a non essential

02:29

parties on the need to know basis so that misinformation does not start to spread.

02:36

The primary entity may elect to notify individuals directly rather than rely on the third party vendor to deliver the message.

02:44

This should be spelled out in the contract so that questions do not arise during an actual event.

02:51

This also includes regulatory reporting in media enquiries related to a breach.

02:58

The primary entity should ensure that third party knows what activities it's us authorized to conduct.

03:06

Additionally, the primary entity and vendor should have contractual provisions in place to govern the conduct of an investigation, such as

03:15

what level of participation the primary entity can have in the investigation.

03:27

When a security incident occurs that results in a breach, the primary entity and the vendor must each contribute information that allows for an appropriate assessment of risk level.

03:39

The purpose of the risk assessment is to determine the extent of the damage to the primary entity and, most importantly to the individual whose data was exposed or compromised.

03:52

The primary entity must determine the harm to the impact of individuals to determine what an appropriate notification must include, for example, free credit monitoring for a defined period,

04:04

as well as the overall financial and reputational harm to the primary entity.

04:12

If the incident is believed to have been caused by an illegal activity such as hacking the primary entity and the vendor must bring in law enforcement,

04:26

it's important to be prepared in case of a breach.

04:30

Um, that happens at the vendor.

04:31

If everyone is aware responsibilities ahead of time,

04:35

it can prevent confusion and missteps. One of breach occurs.

04:41

The vendor must be aware of whom to contact at the primary entity.

04:47

The primary entity must ensure that this incident response procedures account for protocols that cover a breach reported by a third party.

04:58

It's important that the primary entity understand if the breach has been or is in the process of being contained.

05:06

In other words, is there still the possibility that additional data could be exposed?

05:15

The primary entity needs to understand the volume and type of data that was breached at the point of reaches reported.

05:24

The third party made or may not know the exact individuals whose information is at risk

05:30

if they do not know yet.

05:32

It is important for the primary entity in the third party to state in regular contact, so that data can be collected as quickly as possible.

05:44

As the investigation ensues, the primary entity needs to stay in close contact with a third party toe, understand the details and possibly even assist, especially if the primary entity has forensic security expertise.

06:00

The principle of chain of custody is critical to ensure that the facts are in order and the evidence is appropriately collected and maintained, especially if the situation requires involved involvement by law enforcement.

06:16

The third party must also keep the primary entity aware activities designed to prevent future occurrences off the same type of breach

06:30

so today we talked about breach, notification, rules,

06:34

information dissemination, policies and standards,

06:39

risk assessment activities and chain of custody.