Page 1: Privacy In The Technology Age

Privacy in the Technology Age

Ms. Leslie Shaffer, Director
TMA Privacy Office
April 23, 2008

Health Affairs / TRICARE Management Activity

Page 2: Privacy In The Technology Age


Privacy in the Technology Age

Purpose

Illustrate measures to protect information, ensure privacy, and respond to challenges in the face of changing technology

Page 3: Privacy In The Technology Age


Privacy in the Technology Age

Objectives

Describe the unique environment of the Military Health System (MHS)

Contrast benefits and challenges in ensuring privacy for current and future technologies

Discuss safeguards and the special considerations for protecting privacy in a technology-rich environment

Illustrate some of TMA’s experiences and Lessons Learned in responding to data breaches

Page 4: Privacy In The Technology Age

Military Health System Environment

Page 5: Privacy In The Technology Age


MHS Environment

TRICARE Management Activity (TMA) Privacy Office

The Privacy Office mission is: "To ensure stakeholders' personally identifiable and health information are protected at the highest level as TRICARE delivers the best medical support possible to those entrusted to our care."

Page 6: Privacy In The Technology Age


MHS Environment

What is the Military Health System?

• Beneficiaries: 9.2 million
• FY07 DoD health care expenditures: $42.2 billion
• Direct care facilities: approximately 900 (413 medical clinics, 413 dental clinics, 63 hospitals and medical centers)
• MHS personnel: 133,500+, a highly mobile workforce
• Distinct branches of service: integrates large organizational units with distinct business processes (Army, Navy, Marines, Air Force, Coast Guard, and Reserves)

Source: TRICARE Stakeholders Report 2008

Page 7: Privacy In The Technology Age


MHS Environment

Military Health System Oversight

Oversight bodies
• Congress
• Office of Management and Budget (OMB)
• US-CERT (United States Computer Emergency Readiness Team)
• Department of Health and Human Services (HHS)
• Assistant Secretary of Defense (Networks & Information Integration)
• DoD Inspector General (IG)
• DoD Privacy Office

Federal Laws
• Freedom of Information Act of 1966
• Privacy Act of 1974
• Computer Security Act of 1987
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• 44 USC Ch. 31, Records Management Program
• E-Government Act of 2002
• Federal Information Security Management Act (FISMA) reporting requirements

DoD Governance
• DoDI 8510.01, DIACAP
• DoD CIO Memo, Privacy Impact Assessment (PIA) Guidance
• DoD 5400.7-R, DoD Freedom of Information Program
• DoD 5400.11-R, DoD Privacy Program
• DoD 5200.1-R, Information Security Program
• DoD 8580.02-R, DoD Health Information Security Regulation
• DoD 6025.18-R, DoD Health Information Privacy Regulation
• DoD 8500.1 & 8500.2, Information Assurance (IA)
• ASD(HA) Memo, Breach Notification Reporting for the MHS

Sensitive Information (SI) Categories
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)
• Electronic Protected Health Information (ePHI)

Page 8: Privacy In The Technology Age

Challenges with Current Technology

Page 9: Privacy In The Technology Age


Challenges in Current Technology

Challenges

Page 10: Privacy In The Technology Age


Challenges in Current Technology

Using Technology to Protect Privacy

Even with internal controls and the proper policies and procedures, challenges to protecting privacy still exist. Challenges facing the Military Health System include:

• The emergence of the Electronic Health Record and the Personal Health Record
• A hybrid environment of legacy and current systems
• Future technology innovations

Page 11: Privacy In The Technology Age


Challenges in Current Technology

Hybrid Technology

The complexity and size of an organization's operating environment contribute to the current blend of legacy systems and newer, more innovative technology.

New Systems
• Benefits: capability, interoperability, security
• Challenges: data conversion, cost, complexity

Legacy Systems
• Benefits: cost, widespread usage, stability
• Challenges: data conversion, support, security design

Page 12: Privacy In The Technology Age


Challenges in Current Technology

Electronic and Personal Health Records

EHR versus PHR
• Electronic Health Record (EHR): an individual patient's medical record in digital format, usually accessed on a computer, often over a network, and maintained by a provider for that provider's use
• Personal Health Record (PHR): typically a health record that is initiated and maintained by the individual

Benefits
• Greater patient access to a wide array of their health information, data, and knowledge
• Cost efficiency in chronic disease management, medication, and wellness programs
• Ability to manage and control care, schedule appointments, or contact their provider directly

Challenges
• Individual privacy concerns
• Lack of clear standards and interoperability
• Ensuring accuracy and completeness of data in the PHR
• Lack of clear financial models and sources of funding

Page 13: Privacy In The Technology Age

Safeguards to Protect Privacy

Page 14: Privacy In The Technology Age


Safeguards to Protect Privacy

Risk Identification and Management

The organizational security management process examines TMA's Directorates and the offices within each functional area to ensure administrative, physical, and technical safeguards are properly addressed.

• Administrative safeguards: people, policies, and processes
• Physical safeguards: system users and procedures
• Technical safeguards: network, systems, and applications

Risk management in an organization relies on three instruments, each described on the following slides: Certification and Accreditation (C&A), Privacy Impact Assessments (PIA), and Data Use Agreements (DUA).

Page 15: Privacy In The Technology Age


Safeguards to Protect Privacy

Data Use Agreements

Data Use Agreements (DUAs) specify under what conditions particular data may be used and document the parameters under which organizations will conduct tasks related to a specific project, research, survey, or secondary purpose.

Non-DoD personnel are required to complete a DUA which:
• Describes the user's relationship to TMA (for example, contractual)
• Describes the specific purpose and use of the data and validates the requestor's need-to-know
• Delineates the individuals who are granted access to the data
• Emphasizes the user's responsibility to comply with privacy legislation and regulations

Page 16: Privacy In The Technology Age


Safeguards to Protect Privacy

Certification and Accreditation (C&A)

The Certification and Accreditation (C&A) process provides reasonable assurance that an IT system has undergone Information Assurance testing.

The C&A process follows the general outline of:
• Security Test & Evaluation
• Plan of Action & Milestones (POA&M)
• Residual Risk Analysis

C&A provides an overall view of IT governance, strategic risk aversion, and executive decision making. The resulting C&A documentation is a quantifiable product that is monitored and updated as changes occur to the system.

Page 17: Privacy In The Technology Age


Safeguards to Protect Privacy

Privacy Impact Assessments

Privacy Impact Assessments (PIAs) are:
• A specialized risk assessment performed internally to ensure the protection of privacy
• An analysis of how information is handled and protected in an Information Technology (IT) system
• A means of mitigating the kinds of breaches seen in recent events

Page 18: Privacy In The Technology Age

Emerging Technology

Page 19: Privacy In The Technology Age


Emerging Technology

Identity Solutions

• Emerging technology seems to present a myriad of choices
• Any technology solution needs to fit the organization's needs
• Even within DoD, there is no one solution to fit all our needs

Page 20: Privacy In The Technology Age


Emerging Technology

Integrated Identity Solutions

Goal: a single credential for personnel identification, building or facility access, and systems and network access.

• Identification vs. authentication (asserting an identity versus proving it)
• Importance of integration
• Leveraging technology to maximize security and utility
• Authentication controls

Page 21: Privacy In The Technology Age


Emerging Technology

Encryption for Data at Rest

Goal: all embargoed data residing on the network or on any portable storage media should be encrypted to limit access and use to authorized individuals.

Benefits
• Lessens the potential risk of a data breach
• More control over who accesses data
• Scalability
• Application-based or server-hosted
• Devices and applications
• End-to-end encryption

Challenges
• Level of encryption
• Diligence with inventory
• Hardware keys
• Policy-based automation
• Key management interoperability standards
• Keys at risk of loss or theft (a key stored on the same device or media as the data it protects gives no protection once that device is lost)

Page 22: Privacy In The Technology Age


Emerging Technology

Content Monitoring and Data Loss Prevention

Goal: content monitoring and data loss prevention (DLP) tools facilitate the enforcement of business processes and policies.

Benefits
• Control: leverage filters to protect privacy data and intellectual property
• Discover: detect sensitive content at rest
• Monitor: classify and analyze all content in motion
• Prevent: block and filter to control what information is being sent or stored at all times
• Capture: gain perspective through logging and storage of all events

Challenges
• Depending on the size of the organization, data analysis may be very intensive
• Additional resources may need to be dedicated to enforcement and monitoring of the tool
• Proper policies and procedures must be in place before implementation of the tool
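The functions listed above (discover, monitor, prevent, capture, and the filtering under control) are easier to reason about in code. What follows is an added example written for this page, not a tool TMA used or described: a toy content-monitoring engine in Python whose detectors cover two of the data elements named in the TRICARE breach story on a later slide, Social Security Numbers and dates of birth. The e-mail policy it enforces (an SSN may not leave the organization by e-mail), the sample file contents, and all function names are assumptions made for the example.

```python
"""Toy content-monitoring / DLP engine (added example, not TMA tooling)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Detectors for two data elements from the TRICARE breach story: SSNs and
# birth dates. Names and addresses need dictionary or context matching and
# are out of scope here. A date only counts as a DOB when it follows a label.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DOB_RE = re.compile(
    r"\b(?:dob|date of birth|born)\b\W{0,5}(\d{2}/\d{2}/\d{4}|\d{4}-\d{2}-\d{2})\b",
    re.IGNORECASE,
)


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Drop structurally impossible SSNs, the main source of false positives:
    area 000, 666 or 900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


@dataclass
class Finding:
    kind: str   # "SSN" or "DOB"
    count: int


@dataclass
class Verdict:
    action: str                                  # "allow" or "block"
    findings: list[Finding] = field(default_factory=list)
    fingerprint: str = ""                        # hash of the content, never the content


def classify(text: str) -> list[Finding]:
    """Discover / Monitor: classify one piece of content, at rest or in motion."""
    ssns = [m for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]
    dobs = DOB_RE.findall(text)
    findings: list[Finding] = []
    if ssns:
        findings.append(Finding("SSN", len(ssns)))
    if dobs:
        findings.append(Finding("DOB", len(dobs)))
    return findings


def redact(text: str) -> str:
    """Filter: mask valid SSNs down to their last four digits."""
    return SSN_RE.sub(
        lambda m: f"***-**-{m.group(3)}" if valid_ssn(*m.groups()) else m.group(0),
        text,
    )


def evaluate(text: str, channel: str, external: bool) -> Verdict:
    """Prevent: assumed policy (not TMA's): an SSN may never leave the
    organization over e-mail; everything else is allowed but recorded."""
    findings = classify(text)
    leaks_ssn = any(f.kind == "SSN" for f in findings)
    action = "block" if (external and channel == "email" and leaks_ssn) else "allow"
    fingerprint = hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]
    return Verdict(action, findings, fingerprint)


AUDIT_LOG: list[dict] = []


def capture(verdict: Verdict, channel: str, location: str) -> dict:
    """Capture: log the event without copying the sensitive data into the log."""
    event = {
        "channel": channel,
        "location": location,
        "action": verdict.action,
        "findings": {f.kind: f.count for f in verdict.findings},
        "fingerprint": verdict.fingerprint,
    }
    AUDIT_LOG.append(event)
    return event


def scan_at_rest(files: dict[str, str]) -> dict[str, dict[str, int]]:
    """Discover: walk stored content and report which files hold sensitive data."""
    report: dict[str, dict[str, int]] = {}
    for path, content in files.items():
        verdict = evaluate(content, channel="file", external=False)
        if verdict.findings:
            capture(verdict, "file", path)
            report[path] = {f.kind: f.count for f in verdict.findings}
    return report


# Constructed sample content for the example; none of it is a real record.
OUTBOUND_EMAIL = "Per your request: Jane Doe, SSN 123-45-6789, DOB 01/02/1970."
SHARE_FILES = {
    "/share/roster.txt": "Doe, Jane 123-45-6789\nRoe, Richard 987-65-4321",
    "/share/clinic-notes.txt": "Patient born 1970-01-02 seen 04/23/2008",
    "/share/schedule.txt": "Next appointment 04/23/2008 at 0900",
    "/share/tickets.txt": "Ref 000-12-3456 is a ticket number, not an SSN",
}

if __name__ == "__main__":
    verdict = evaluate(OUTBOUND_EMAIL, channel="email", external=True)
    print(capture(verdict, "email", "outbound"))
    print(redact(OUTBOUND_EMAIL))
    print(scan_at_rest(SHARE_FILES))
```

Two details carry over to real deployments. Structurally impossible SSNs (area 000, 666 or 900 and above, group 00, serial 0000) are discarded before anything is counted, which removes most false positives from ticket and part numbers; and the audit record holds only a hash of the content and counts of what was found, so the "capture" step of a DLP tool does not itself become a second, unprotected copy of the PII it was deployed to find.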

Page 23: Privacy In The Technology Age


Emerging Technology

Trusted Internet Connections

Goal: the Trusted Internet Connections (TIC) initiative is a Federal cyber security initiative with a common goal: secure Federal networks while minimizing costs.

Benefits
• Looks for suspicious patterns of activity for participating Federal agencies
• Builds cyber-related situational awareness across the Federal government
• Common solution for the Federal government
• Reduces the number of external Internet connections to 50; DoD currently has 19

Challenges
• Currently, analysis is done manually (although it is anticipated that Version 2 will provide automated analysis)
• Aggressive timeline for such a large initiative (completion of milestones by June 2008)
• Will require agencies to agree to standard policies

Page 24: Privacy In The Technology Age


Emerging Technology

Federal Desktop Core Configuration

Goal: the Federal Desktop Core Configuration (FDCC) provides a single, standard, enterprise-wide managed environment for desktops and laptops.

Benefits
• Increase IT security
• Increase application compatibility (common configurations versus hundreds of locally created configurations)
• Reduce overall IT costs

Challenges
• Ensure compliance with current infrastructure, including policies and processes
• Receive buy-in from across the Federal government
• Prohibits the use of wireless settings

Page 25: Privacy In The Technology Age


Emerging Technology

Radio Frequency Identification Devices

A Radio Frequency Identification Device (RFID) is an Automatic Identification and Data Capture (AIDC) technology that allows:
• Identification of objects
• Communication over a distance, with no optical line of sight required
• Use as an inventory management tool

(Diagram: RFID Extranet)

Page 26: Privacy In The Technology Age

Data Breaches

Page 27: Privacy In The Technology Age


Data Breaches

Breaches in the News

Some TRICARE Beneficiary Data Put At Risk

“Data for nearly 600,000 households enrolled in TRICARE stored on a government-contractor’s unprotected computer server could have been exposed to hackers, defense officials announced today. Beneficiaries’ names, addresses, Social Security Numbers, birth dates and some health information was stored on a computer server that was not using a firewall and did not have adequate password protection, TRICARE Management Activity officials said…”

Source: www.defenselink.com, July 20, 2007

Privacy Rights Clearinghouse

http://www.privacyrights.org/

Record Number Of Data Breaches Reported In 2007

“Researchers with the Identity Theft Resource Center cited 443 breaches in the U.S. in 2007 in their annual report, compared to the 315 they identified in 2006.”

Source: www.informationweek.com, December 31, 2007

Page 28: Privacy In The Technology Age

Data Breaches

DoD Definition of a Breach

Lost, stolen, or compromised information, otherwise termed a breach, is the actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information where persons other than authorized users gain access or potential access to such information for other than authorized purposes, where one or more individuals will be adversely affected.

Page 29: Privacy In The Technology Age


Data Breaches

Incident Response Plan

An effective Incident Response Plan includes the following steps. The steps might not be followed in a linear fashion; however, each step needs to be addressed to effectively mitigate breaches.

• Preparation and Prevention
• Incident Identification
• Containment
• Eradication
• Recovery
• Mitigation
• Follow-up

Cutting across these steps are the definition of a breach, a risk-based approach to notification, and notification and reporting, each covered on the following slides.

Page 30: Privacy In The Technology Age


Data Breaches

Reporting and Notification

When a loss, theft, or compromise of information occurs, the breach shall be reported to:

TMA Components
• Leadership: immediately
• TMA Privacy Office: within 1 hour
• US-CERT: within 1 hour
• DoD Privacy Office: within 48 hours

Non-TMA Components
• Leadership: immediately
• US-CERT: within 1 hour
• Senior Component Officials for Privacy: within 24 hours
• TMA Privacy Office: within 24 hours
• DoD Privacy Office: within 48 hours

Note: notify issuing banks if government-issued credit cards are involved; law enforcement, if necessary; and all affected individuals within 10 working days of breach and identity discovery, if necessary (see Determining Notification).

Page 31: Privacy In The Technology Age


Data Breaches

Determining Notification

When determining whether notification of a breach is required, the DoD Component will assess the likely risk of harm caused by the breached information and then assess the relative likelihood of the risk occurring (risk level).

Five factors that need to be considered when assessing the likelihood of risk and/or harm include:

1. Nature of the data elements breached
2. Number of individuals affected
3. Likelihood that the information is accessible and usable
4. Likelihood that the breach may lead to harm
5. Ability of the agency to mitigate the risk of harm

Breaches are classified as Low, Moderate, or High.

Page 32: Privacy In The Technology Age


Data Breaches

Reporting Timeline

10 Day Breach Response Activities Timeline (pre-breach and post-breach activities)

• Notify US-CERT within one hour
• Notify Service Component Official for Privacy within 24 hours
• Notify Defense Privacy Office and Component Head within 48 hours
• Communicate with chain of command initially and throughout
• Develop a notebook of chronology
• Implement Breach Notification SOP
• Continue to gather and verify data
• Establish Command and Control Center
• Maintain list of current POCs
• Updates to senior leadership as needed
• Notify Congress and media
• Create daily status reports
• Contact DMDC for demographic data
• Communicate information to affected individuals

* Activities are not all inclusive nor in a specific order

Page 33: Privacy In The Technology Age


Data Breaches

Lessons Learned

In response to breaches, the organization must:
• Commit to ensuring the affected beneficiaries remain a top priority
• Develop strong policies and procedures
• Assign specific roles and responsibilities to Incident Response Team members before a breach occurs
• Establish and test the communication plan for internal and external stakeholders
• Document all aspects of the incident (timeline, reports, incident response checklist, etc.)
• Communicate to senior leadership (via emails, executive summaries, and briefings)
• Develop Lessons Learned and/or an After Action Report

Page 34: Privacy In The Technology Age


Privacy in the Technology Age

Resources

TRICARE Management Activity: http://www.tricare.osd.mil

Privacy Act of 1974, as amended (5 U.S.C. 552a)

DoD Regulation 5400.11-R, “DoD Privacy Program,” May 14, 2007

DoD Regulation 6025.18-R, "DoD Health Information Privacy Regulation," January 24, 2003

DoD Regulation 8580.02-R, “DoD Health Information Security Regulation,” July 12, 2007

DoD Memorandum, “DoD Guidance on Protecting Personally Identifiable Information (PII),” August 18, 2006

OMB M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” May 22, 2007

Office of the Secretary of Defense (OSD) Memorandum 15041-07, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” September 21, 2007