Privacy in the Technology Age
Ms. Leslie Shaffer, Director, TMA Privacy Office
April 23, 2008
Health Affairs, TRICARE Management Activity
Purpose
Illustrate measures to protect information, ensure privacy, and respond to challenges in the face of changing technology
Objectives
Describe the unique environment of the Military Health System (MHS)
Contrast benefits and challenges in ensuring privacy for current and future technologies
Discuss safeguards and special considerations for protecting privacy in a technology-rich environment
Illustrate some of TMA’s experiences and Lessons Learned in responding to data breaches
Military Health System Environment
MHS Environment
TMA Privacy Office
The TRICARE Management Activity (TMA) Privacy Office mission is: “To ensure stakeholders’ personally identifiable and health information are protected at the highest level as TRICARE delivers the best medical support possible to those entrusted to our care.”
What is the Military Health System?
Beneficiaries: 9.2 million
FY07 DoD Health Care Expenditures: $42.2 billion
Direct Care Facilities: approximately 900 facilities (413 Medical Clinics, 413 Dental Clinics, 63 Hospitals and Medical Centers)
MHS Personnel: 133,500+ highly mobile workforce
Distinct Branches of Service: integrate large organizational units with distinct business processes (Army, Navy, Marines, Air Force, Coast Guard, and Reserves)
Source: TRICARE Stakeholders Report 2008
Military Health System Oversight
Oversight bodies:
• Congress
• Office of Management and Budget (OMB)
• US-CERT (Computer Emergency Response Team)
• Dept of Health and Human Services (HHS)
• Assistant Secretary of Defense (Networks & Information Integration)
• DoD Inspector General (IG)
• DoD Privacy Office
Federal Laws:
• Freedom of Information Act of 1966
• Privacy Act of 1974
• Health Insurance Portability and Accountability Act of 1996
• 44 USC Ch. 31 Records Management Program
• Computer Security Act of 1987
• E-Government Act of 2002
• Federal Information Security Management Act (FISMA) Reporting Requirements
DoD Governance:
• DoDI 8510.01 DIACAP
• DoD CIO Memo, Privacy Impact Assessments (PIA) Guidance
• DoD 5400.7-R DoD Freedom of Information Program
• DoD 5400.11-R DoD Privacy Program
• DoD 5200.1-R Information Security Program
• DoD 8580.02-R DoD Health Information Security Regulation
• DoD 6025.18-R DoD Health Information Privacy Regulation
• DoD 8500.1 & 2 Information Assurance (IA)
• ASD(HA) Memo Breach Notification Reporting for the MHS
Sensitive Information (SI) Categories:
• Electronic Protected Health Information (ePHI)
• Protected Health Information (PHI)
• Personally Identifiable Information (PII)
Challenges with Current Technology
Challenges in Current Technology
Using Technology to Protect Privacy
Even with internal controls and the proper policies and procedures, challenges to protecting privacy still exist. Challenges facing the Military Health System include:
• The emergence of the Electronic Health Record and the Personal Health Record
• A hybrid environment of legacy and current systems
• Future technology innovations
Hybrid Technology
The complexity and size of an organization’s operating environment contribute to the current blend of legacy systems and newer, more innovative technology.
New Systems
Benefits: capability, interoperability, security
Challenges: data conversion, cost, complexity
Legacy Systems
Benefits: cost, widespread usage, stability
Challenges: data conversion, support, security design
Electronic and Personal Health Records
Benefits:
• Greater patient access to a wide array of their health information, data, and knowledge
• Cost efficiency in chronic disease management, medication, and wellness programs
• Ability to manage and control care, schedule appointments, or contact their Provider directly
Challenges:
• Individual privacy concerns
• Lack of clear standards and interoperability
• Ensuring accuracy and completeness of data in the PHR
• Lack of clear financial models and sources of funding
EHR versus PHR
Electronic Health Record (EHR): an individual patient's medical record in digital format, usually accessed on a computer, often over a network, and maintained by a provider for that provider’s use
Personal Health Record (PHR): typically a health record that is initiated and maintained by an individual
Safeguards to Protect Privacy
Risk Identification and Management
The organizational security management process examines TMA’s Directorates and the offices within each functional area to ensure administrative, physical, and technical safeguards are properly addressed.
Risk Management in an Organization:
• Administrative Safeguards: people, policies, and processes
• Physical Safeguards: system users and procedures
• Technical Safeguards: network, systems, and applications
Supporting processes: Certification and Accreditation (C&A), Privacy Impact Assessments (PIA), Data Use Agreements (DUA)
Data Use Agreements
Data Use Agreements (DUAs) specify under what conditions particular data may be used and document the parameters under which organizations will conduct tasks related to a specific project, research, survey, or secondary purpose.
Non-DoD personnel are required to complete a DUA which:
• Describes the user's relationship to TMA (for example, contractual)
• Describes the specific purpose and use of the data and validates the requestor's 'need-to-know'
• Delineates the individuals who are granted access to the data
• Emphasizes the user's responsibility to comply with privacy legislation and regulations
Certification and Accreditation (C&A)
The Certification and Accreditation (C&A) process provides reasonable assurances that an IT system has undergone Information Assurance testing.
The C&A process follows the general outline of:
• Security Test & Evaluation
• Plan of Action & Milestones (POA&M)
• Residual Risk Analysis
C&A provides an overall view of IT governance, strategic risk aversion, and executive decision making.
The resulting C&A documentation is a quantifiable product that is monitored and updated as changes occur to the system.
Privacy Impact Assessments
Privacy Impact Assessments (PIAs):
• Specialized risk assessment performed internally to ensure the protection of privacy
• Analysis of how information is handled and protected in an Information Technology (IT) system
• Mitigation of breaches as expressed in recent events
Emerging Technology
Identity Solutions
• Emerging technology seems to present a myriad of choices
• Any technology solution needs to fit the organization’s needs
• Even within DoD, there is no one solution to fit all our needs
Integrated Identity Solutions
• Identification vs. Authentication
• Importance of Integration
• Leveraging technology to maximize security and utility
• Authentication Controls
Goal: a single credential for personnel identification, building or facility access, and for systems and network access
Encryption for Data at Rest
Challenges:
• Level of encryption
• Diligence with inventory
• Hardware keys
• Policy-based automation
• Key management interoperability standards
• Keys at risk of loss or theft
Benefits:
• Lessen the potential risk of a data breach
• More control over who accesses data
• Scalability
• Application-based or server hosted
• Devices and applications
• End-to-end encryption
Goal: all embargoed data residing on the network or any portable storage media should be encrypted to limit access and use to authorized individuals
Content Monitoring and Data Loss Prevention
Challenges:
• Depending on the size of the organization, data analysis may be very intensive
• Additional resources may need to be dedicated to enforcement and monitoring of the tool
• Proper policies and procedures must be in place before implementation of the tool
Benefits:
• Control – leverage filters to protect privacy data and intellectual property
• Discover – detect sensitive content at rest
• Monitor – classify and analyze all content in motion
• Prevent – block and filter to control what information is being sent or stored at all times
• Capture – gain perspective through logging and storage of all events
Goal: Content Monitoring and Data Loss Prevention tools facilitate the enforcement of business processes and policies
Trusted Internet Connections
Challenges:
• Currently, analysis is done manually (although it is anticipated that Version 2 will provide automated analysis)
• Aggressive timeline for such a large initiative (completion of milestones by June 2008)
• Will require agencies to agree to standard policies
Benefits:
• Looks for suspicious patterns of activity for participating Federal agencies
• Builds cyber-related situational awareness across the Federal government
• Common solution for Federal government
• Reduces the number of external internet connections to 50; DoD currently has 19
Goal: Trusted Internet Connections (TIC) are cyber security initiatives with common goals: secure Federal networks while minimizing costs
Federal Desktop Core Configuration
Challenges:
• Ensure compliance with current infrastructure, including policies and processes
• Receive buy-in from across the Federal government
• Prohibits the use of wireless settings
Benefits:
• Increase IT security
• Increase application compatibility (common configurations versus hundreds of locally created configurations)
• Reduce overall IT costs
Goal: Federal Desktop Core Configuration (FDCC) provides a single, standard, enterprise-wide managed environment for desktops and laptops
Radio Frequency Identification Devices
A Radio Frequency Identification Device (RFID) is an Automated Identification and Data Capture (AIDC) technology that allows:
• Identification of objects
• Communication over great distances
• No optical line of sight
• Use as an inventory management tool
RFID Extranet
Data Breaches
Breaches in the News
Some TRICARE Beneficiary Data Put At Risk
“Data for nearly 600,000 households enrolled in TRICARE stored on a government-contractor’s unprotected computer server could have been exposed to hackers, defense officials announced today. Beneficiaries’ names, addresses, Social Security Numbers, birth dates and some health information was stored on a computer server that was not using a firewall and did not have adequate password protection, TRICARE Management Activity officials said…”
Source: www.defenselink.com, July 20, 2007
Privacy Rights Clearinghouse
http://www.privacyrights.org/
Record Number Of Data Breaches Reported In 2007
“Researchers with the Identity Theft Resource Center cited 443 breaches in the U.S. in 2007 in their annual report, compared to the 315 they identified in 2006.”
Source: www.informationweek.com, December 31, 2007
28
Lost, stolen or compromised information, otherwise termed a breach, is the actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information where persons other than authorized users gain access or potential access to such information for other than authorized purposes where one or more individuals will be adversely affected
Data Breaches
DoD Definition of a Breach
Incident Response Plan
An effective Incident Response Plan includes the following steps. The steps might not be followed in a linear fashion; however, each step needs to be addressed to effectively mitigate breaches.
• Preparation and Prevention
• Incident Identification (callouts: definition; notification reporting; a risk-based approach to notify)
• Containment
• Eradication
• Recovery
• Mitigation
• Follow-up
Reporting and Notification
When a loss, theft, or compromise of information occurs, the breach shall be reported to:
TMA Components:
• Leadership – Immediately
• TMA Privacy Office – Within 1 Hour
• US-CERT – Within 1 Hour
• DoD Privacy Office – Within 48 Hours
Non-TMA Components:
• Leadership – Immediately
• US-CERT – Within 1 Hour
• Sr. Component Officials for Privacy – Within 24 Hours
• TMA Privacy Office – Within 24 Hours
• DoD Privacy Office – Within 48 Hours
Note: Notify issuing banks if government issued credit cards are involved; law enforcement, if necessary; and all affected individuals within 10 working days of breach and identity discovery, if necessary. (See Determining Notification)
Determining Notification
When determining whether notification of a breach is required, the DoD Component will assess the likely risk of harm caused by the breached information and then assess the relative likelihood of the risk occurring (risk level).
Five factors that need to be considered when assessing the likelihood of risk and/or harm include:
1. Nature of the data elements breached
2. Number of individuals affected
3. Likelihood the information is accessible and usable
4. Likelihood the breach may lead to harm
5. Ability of the agency to mitigate the risk of harm
Breaches are classified as Low, Moderate, or High:
Reporting Timeline
10 Day Breach Response Activities Timeline (pre-breach and post-breach activities)*
• Notify US-CERT within one hour
• Notify Service Component Official for Privacy within 24 hours
• Notify Defense Privacy Office and Component Head within 48 hours
• Communicate with Chain-of-Command initially and throughout
• Develop a notebook of chronology
• Implement Breach Notification SOP
• Continue to gather and verify data
• Establish Command and Control Center
• Maintain list of current POCs
• Updates to Senior Leadership as needed
• Notify Congress and media
• Create daily status reports
• Contact DMDC for demographic data
• Communicate information to affected individuals
* Activities are not all inclusive nor in a specific order
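The reporting matrix and the 10-working-day window for notifying affected individuals can be tracked as concrete deadlines. The following is an added example, not part of the briefing and not a TMA tool; it assumes “Immediately” means zero hours, that working days are Monday to Friday with no federal holidays modelled, and it uses a constructed discovery time and a constructed record of notices sent.

```python
from datetime import datetime, timedelta

# Reporting deadlines from the briefing, in hours after the breach is
# discovered, keyed by originating component type. Assumption: the
# "Immediately" entries are modelled as 0 hours.
REPORTING_HOURS = {
    "TMA": {"Leadership": 0, "TMA Privacy Office": 1, "US-CERT": 1,
            "DoD Privacy Office": 48},
    "non-TMA": {"Leadership": 0, "US-CERT": 1,
                "Sr. Component Officials for Privacy": 24,
                "TMA Privacy Office": 24, "DoD Privacy Office": 48},
}
INDIVIDUAL_NOTICE_WORKING_DAYS = 10  # affected individuals, per the slide note


def parse_ts(text):
    """Parse a 'YYYY-MM-DD HH:MM' timestamp (naive local time)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def add_working_days(start, days):
    """Advance `start` by `days` working days. Assumption: Monday to Friday
    are working days; federal holidays are not modelled."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # weekday() 0-4 are Mon-Fri
            remaining -= 1
    return current


def notification_deadlines(discovered, component):
    """Return {recipient: deadline} for a breach discovered at `discovered`
    by a "TMA" or "non-TMA" component, including the affected individuals."""
    deadlines = {who: discovered + timedelta(hours=h)
                 for who, h in REPORTING_HOURS[component].items()}
    deadlines["Affected individuals"] = add_working_days(
        discovered, INDIVIDUAL_NOTICE_WORKING_DAYS)
    return deadlines


def overdue_notifications(discovered, component, sent, now):
    """Recipients whose deadline was missed as of `now`: the notice went out
    late, or has not gone out and its deadline has already passed."""
    late = []
    for who, deadline in notification_deadlines(discovered, component).items():
        when = sent.get(who)  # datetime the notice actually went out, if any
        missed = now > deadline if when is None else when > deadline
        if missed:
            late.append(who)
    return sorted(late)


# Constructed scenario: a non-TMA component finds a breach late on a Friday;
# by Saturday noon only two notices have gone out, and US-CERT's was late.
FOUND = parse_ts("2008-04-25 16:30")
SENT = {"Leadership": parse_ts("2008-04-25 16:30"),
        "US-CERT": parse_ts("2008-04-25 18:00")}
```

Calling `overdue_notifications(FOUND, "non-TMA", SENT, parse_ts("2008-04-26 12:00"))` flags US-CERT, while the same record for a TMA component also flags the TMA Privacy Office, whose one-hour deadline has passed unmet.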
Lessons Learned
In response to breaches, the organization must:
• Commit to ensuring the affected beneficiaries remain a top priority
• Develop strong policies and procedures
• Assign specific roles and responsibilities to Incident Response Team members before a breach occurs
• Establish and test the communication plan for internal and external stakeholders
• Document all aspects of the incident (timeline, reports, incident response checklist, etc.)
• Communicate to Senior Leadership (via emails, Executive Summaries, and briefings)
• Develop Lessons Learned and/or an After Action Report
Resources
TRICARE Management Activity: http://www.tricare.osd.mil
Privacy Act of 1974, as amended (5 U.S.C. 552a)
DoD Regulation 5400.11-R, “DoD Privacy Program,” May 14, 2007
DoD Regulation 6025.11-R, “DoD Health Information Privacy Regulation,” January 24, 2003
DoD Regulation 8580.02-R, “DoD Health Information Security Regulation,” July 12, 2007
DoD Memorandum, “DoD Guidance on Protecting Personally Identifiable Information (PII),” August 18, 2006
OMB M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” May 22, 2007
Office of the Secretary of Defense (OSD) Memorandum 15041-07, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” September 21, 2007