Imagine waking up one morning, opening your newspaper and being greeted by the news that your organization is implicated in a major privacy breach. This was my reality on December 10, 2002 when I was the Chief Privacy and Security Officer for the Ontario Smart Systems for Health Agency (predecessor to what is now Ehealth Ontario). The agency had just launched the Chatham-Kent IT Transition Pilot Project, one of the first physician EMR pilot projects in Canada. The alleged breach made front page of the Globe and Mail’s national edition.
The Globe article kicked off almost five months of intense activity that consumed most of my waking hours. It culminated in a report by the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, that largely exonerated the agency. Even though the claims in the article were unfounded, there was a considerable cost to the agency, its partners and clients.
Real or imagined, a privacy breach is a serious matter. If you are interested in knowing more about this incident, you can download the full report from the Commissioner’s website.
Breaches are going to happen. One of my big takeaways from the Smart Systems experience is that regulators and other stakeholders are generally forgiving of breaches, provided that we have taken reasonable measures to prevent the breach and effectively responded to the breach when it occurred. However, unpreparedness and inaction are inexcusable. If your organization does not take privacy and security seriously, you will be in for a very rough ride.
Most breaches are highly predictable. They tend to fall into the following categories:
Human error caused by carelessness, mistakes or lack of knowledge about correct procedures.
Lost or stolen mobile devices including laptops, tablets, smart phones, USB drives containing unencrypted personal information or user security credentials.
Malware – viruses, trojans, worms, ransomware, spyware etc.
Failure to adequately maintain software caused by weak processes supporting patch management and software upgrades.
Deliberate or malicious acts – by internal or external agents including hackers and disgruntled employees.
While it is impossible to prevent every breach, we can be prepared to respond quickly and effectively when a breach does occur. Every organization needs to establish a Breach Management Protocol. The protocol should prescribe specific steps to deal with privacy breaches. These include:
Prevention – To reduce risk to tolerable levels, organizations must do what they can to prevent breaches from occurring. This includes measures such as privacy and security awareness training for all staff and contractors, keeping antivirus software up to date, and ensuring that software patches and upgrades are installed. Privacy Impact Assessments (PIAs) and Threat and Risk Assessments (TRAs) are risk assessment tools that enable us to proactively anticipate privacy breaches and implement appropriate safeguards to prevent breaches from occurring.
Detection – Organizations must implement measures to continuously monitor system and business activity to detect privacy breaches or attempted breaches as they occur. This includes monitoring and audit of user access by personnel including employees, contractors and other authorized agents, monitoring and audit of access or attempted access by external malicious agents, and receiving complaints from individuals that might indicate that a breach has occurred.
Response – Once detected, the organization must effectively respond to the breach. Any staff member or agent who becomes aware of a breach, or suspects that a breach may have occurred, must immediately notify their manager, privacy officer or other designated official. Staff must be trained on how to recognize and report a breach.
Upon notification of a breach, the privacy officer should initiate the breach management protocol. The privacy officer may form an Incident Response Team comprised of organizational officials who will be responsible for managing and coordinating the process to plan, execute and report on the observed or suspected breach. Where there may be a risk of litigation, fines or censure under privacy law, you will need to engage legal counsel to provide advice as you respond to the incident.
Containment – Immediately upon determining that a privacy breach has occurred, the privacy officer must take measures to contain the incident. Measures may include suspending access to users who may have been party to the incident, requiring authorized users to change their passwords, and even temporarily shutting down the system.
Immediately upon determining that a privacy breach has occurred, the privacy officer must secure all audit logs and any other evidence associated with the incident and take measures to mitigate any harm to individuals as a result of the breach.
Notification – Where it has been determined that a breach of PHI has occurred, the organization must comply with applicable laws for breach notification. Depending on the jurisdiction, this may include notification to individuals, healthcare providers, regulators (e.g. privacy commissioners) and, in some cases, the media.
Keep in mind that once notified, your clients or regulator may initiate their own investigations that will require your cooperation and involvement.
Investigation – Once a privacy breach has been appropriately contained, it should be investigated by the Incident Response Team. The investigation will identify the root cause of the breach as well as the information assets, individual(s)/organization(s), and IT systems and hardware involved in the incident or breach. Evidence will be collected to support the investigation and remediation activities.
Remediation – Based on the findings of the investigation, the Incident Response Team will determine short-term and long-term remediation strategies which should be documented in a Privacy Breach Management Report. The report, including the recommendations emanating from the investigation, should be approved by the CEO or other designated executive and implemented within the stated timeframe.
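The Detection step above calls for continuous monitoring and audit of user access to PHI. The following is an added example, not code from the original article or the agency it describes, of a minimal detection pass over constructed EMR audit-log lines; the log format, user names, thresholds and business hours are assumptions made for the illustration.

```python
# Added example: flag EMR access patterns a privacy officer would review.
# Log format, thresholds and business hours are assumptions, not a real standard.
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines: timestamp, user id, patient id, action.
SAMPLE_LOG = """\
2024-03-04T09:12:00 nurse01 P1001 VIEW
2024-03-04T09:15:00 nurse01 P1002 VIEW
2024-03-04T09:40:00 clerk07 P1003 VIEW
2024-03-04T22:05:00 clerk07 P1004 VIEW
2024-03-04T22:06:00 clerk07 P1005 VIEW
2024-03-04T22:07:00 clerk07 P1006 VIEW
2024-03-04T22:08:00 clerk07 P1007 EXPORT
2024-03-04T10:01:00 nurse01 P1001 UPDATE
"""

# Assumed policy: more than this many distinct patients per user per day is
# unusual; any access outside 07:00-19:00 and any EXPORT is also reviewed.
MAX_DISTINCT_PATIENTS = 3
BUSINESS_HOURS = (7, 19)


def parse_log(text):
    """Parse lines into (timestamp, user, patient, action); skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash the detector
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return events


def detect_suspicious_access(text):
    """Return a sorted list of (user, reason) findings for the privacy officer."""
    patients_per_user_day = defaultdict(set)
    findings = set()
    for ts, user, patient, action in parse_log(text):
        patients_per_user_day[(user, ts.date())].add(patient)
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.add((user, "after-hours access"))
        if action == "EXPORT":
            findings.add((user, "bulk export of PHI"))
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) > MAX_DISTINCT_PATIENTS:
            findings.add((user, f"{len(patients)} distinct patients on {day}"))
    return sorted(findings)
```

In a real deployment the same checks would run against the EMR's own audit trail and feed the breach notification path described under Response, with the raw log preserved unaltered as evidence.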
Once you have established your breach management protocol, you will need to ensure that everyone in the organization knows their role and how to respond in the event of breach. Your privacy and security awareness training program for all staff members should include how to recognize and report a breach. It is recommended that members of your Incident Response Team receive specific training about the breach management protocol and participate in “tabletop” exercises where the team works through case studies of privacy breaches that may occur in your organization.
It’s only a matter of time before you experience your first privacy breach. It behooves us to do everything we can to prevent a breach from occurring. However, in the final analysis we will not be judged on the fact that a breach occurred, but rather on our response to the breach and our ability to mitigate any harm.