Friday, November 20, 2009

Disaster Recovery Gets Personal


By Nicholas Takacs, CISSP CSSLP MSIA

With all of the focus on disaster recovery and business continuity in the last decade, coupled with the remarkable growth of information assurance, we still come back to the common issue of people. How do we train them to act in a secure and responsible manner? My mantra when doing any type of seminar or educational event is to focus on building knowledge that can be taken home and applied to the audience members' personal lives. Why? Because that's one of the easiest ways to develop good habits, similar in many ways to all of the other "good habits" we should have. Of course, you're probably thinking to yourself that good habits should start at home, much as parents instill them in their kids. Unfortunately, with the rapidly changing pace of technology, it would be nearly impossible for any family to keep up with all of the critical changes and know which ones were important enough to embed in their daily activities.

There's also a much bigger gap between protecting the real world and protecting the electronic world. Consider this... what would you do if you woke up at 3am tomorrow morning and saw flames in your house? You would gather up the kids and pets and get out of the house as fast as possible. Now, what would you do if your computer's hard drive "died" (super-techie term) while holding your financial information, documentation, pictures, and other personal information? Do you have a plan? Would you know what to do, other than calling a chain-store geek squad member?

I wanted to take a moment to remind everyone that as important as security and disaster recovery planning is to your organization, it's just as important, if not more important, for your personal life. With the costs of consumer technology coming down rapidly (a 1TB removable hard disk costs less than $100), making regular backups of critical data and information should be as routine as taking out the garbage or paying your bills. There's really no excuse... consider that even Windows provides built-in backup software (not that I'm a proponent of it, but it's there, and it works as a basic solution). I confess, though, that I did forget to do a backup of my netbook a few weeks back, and of course Murphy's Law of Magnetic Disks kicked in, and I lost a bunch of information. Thankfully, I was able to recover most of it, but the time I spent going through that process could have been averted with a simple 10-minute automated backup. Shame on me as a professional for not knowing better. Take my example as a lesson learned. Make sure you have disaster recovery plans in place for your personal data and information. Disk is cheap... make a copy!

While I focused primarily on personal information protection, I want to be clear that having disaster recovery plans for your family is important for all aspects of your life. Human life comes first above all else... I firmly believe that after my wife and kids are safe, I'll make sure my pets are safe, then I'll worry about all the rest. I'd trade all the photos, videos, etc. any day if it meant the difference between life and death. I hope you can take something out of this short article and apply it to your home life. It will ultimately benefit you, your family, and believe it or not, your organization too.

Last Week’s Quiz Question
Who was Harold "Doc" Martin in the history of Norwich University?

Answer: The first African American student admitted to Norwich U in 1916, where he majored in electrical engineering.

The winner is Sherryl Fraser. Congratulations Sherryl.

Below is a list of past winners. Remember that the person with the most wins at the end of the program gets a prize so awesome that we haven’t even conceived of it yet.

Matt Bambrick (2)
Andrey N. Ahernyaev (2)
Dianne Tarpy
Sam Moore
Autumn Crossett
Gil Varney, Jr.
Glen Calvo
Thomas Reardon
Sherryl Fraser

This Week’s Quiz Question
In 1992, Vermont’s capital city of Montpelier was inundated by flood waters in mid-winter. What caused the flood, and what is the name of the river?

The winner receives an original copy of the very first information security textbook, published in 1964, entitled: “Protecting your data center from intrusion and malicious attack: Understanding the tensile strength of steel and concrete.”

Send your entries to jorlando@norwich.edu

Sunday, November 8, 2009

Is This A Security Breach? You Make the Call


by Rebecca Herold

I want to take a closer look at some of the issues and requirements within the HITECH Act, which dramatically expands the reach and requirements under the U.S. Health Insurance Portability and Accountability Act (HIPAA)...

So, what is a "breach" under the HITECH Act?
The general question of "what is a privacy breach" is one that too few organizations have really answered, documented, and prepared response plans to cover. The HITECH Act "SEC. 13400. DEFINITIONS" contains the following:

(1) BREACH.--
(A) IN GENERAL.--The term ''breach'' means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.
(B) EXCEPTIONS.--The term ''breach'' does not include--
(i) any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if--
(I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and
(II) such information is not further acquired, accessed, used, or disclosed by any person; or
(ii) any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at same facility; and
(iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.

A problem facing information security and privacy practitioners is that they have many different laws with breach response requirements that all define a "breach" differently. However, if an organization documents its own meaning of a breach to meet the most restrictive of the requirements, it should then be in good shape to meet most, if not all, of the compliance requirements with regard to a "breach."

Note that the HITECH Act definition does not limit a breach to just electronic information. This is good! Many, many breaches have occurred with printed information, and also with audio ("heard") information, though it is harder to determine whether someone has overheard someone else talking about PII. Such circumstances commonly occur in public places, or through phone systems and voice mail.

It is also good to specify exceptions to what is considered a breach. You do not want to start notifying individuals for every single little thing that MAY be, COULD have been, or POSSIBLY was considered a breach. You don't want the general public to become complacent and get breach-notice fatigue as a result of so many people notifying them that their PII may have been inappropriately accessed, used or disclosed.

Don't get me wrong, I *WANT* organizations to tell the impacted individuals when they've lost their PII, when it's been stolen, or when it has otherwise been misused.
However, consider the following situations:

1) An employee mistakenly sends another employee within the same organization an email containing a file with customer PII. The errant recipient notices this right away, notifies the sender of the mistake, deletes the message, and mail logs confirm these activities.

I know an organization where this situation actually occurred; they decided to treat it as a breach, and went through their entire breach notification process to thousands of individuals. The result was a whole mess of misunderstandings, the customers were alarmed, there was much bad press, and the entire situation was just downright bad.
If they had been using the HITECH Act breach definition, this would likely have been an exception under (B)(ii).

2) One of the cleaning folks found some medical records in a trash can in the office area of a clinic where they were contracted to work. The person cleaning recognized that the papers contained protected health information (PHI) and other PII (thanks to her training and ongoing awareness communications!) and she called the clinic manager. The manager went immediately to the clinic and collected the confidential papers from the cleaning person. The clinic did not notify the individuals whose PII papers had been found; they determined that the person cleaning did not make copies or otherwise use the information inappropriately.

Under the HITECH Act, this was likely appropriate under (B)(i) since the acquisition of the PHI was made during the course of the cleaning person's contracted job responsibilities and there was no further access, use or disclosure of the information.

3) In January 2008, an official from the Wisconsin Department of Health and Family Services announced in a public statement that a mailing contractor used by Plano, Texas-based EDS (to whom Wisconsin outsources Wisconsin's Medicaid, SeniorCare and BadgerCare state health plan computer processing activities) accidentally printed the Social Security number (SSN) on the mailing labels of 260,000 plan members. The Wisconsin agency notified all those who had their SSNs printed on the mailing labels and EDS offered free credit monitoring to the individuals.

Under the HITECH Act would this have been considered a breach, or a breach exception according to "(iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person"?

This is a great question without one clear answer! Even though the SSN was on the mailing label for anyone with access to the letter to see, the U.S. Postal Service is generally considered a "secure" mode of delivery by the U.S. government, with trusted workers who do not do bad things. Of course, there have been several documented instances of USPS workers doing bad things with the mail, but in general the U.S. government views the USPS as trusted. Just talk to an IRS representative about tax returns not being delivered and they will tell you that!

I heard differing opinions from the information security practitioners, privacy officers and lawyers to whom I posed this question.

But what about all the other 48 U.S. state and territory breach notice laws; would these three situations have been considered breaches under them?

An important part of security incident and privacy breach response planning is determining what types of situations are breaches, and clearly defining and documenting that definition. The next step is providing training to personnel, followed by ongoing awareness communications about what is and is not considered a breach.
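Once an organization has documented its breach definition, the decision can be written down as a checklist that an incident responder walks through in the same order every time. The following added example (not part of Rebecca Herold's article, and not a legal determination) encodes the HITECH Act definition quoted above as a decision function and runs it over the three scenarios discussed. The incident fields, the scenario fact patterns, and the "needs review" outcome for facts that have not been established are my own modeling assumptions; the clause labels refer to SEC. 13400 as quoted.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Incident:
    """Facts an incident responder records about a possible PHI breach.

    Optional[bool] fields use None to mean 'not yet established', which the
    classifier treats as a reason to escalate rather than guess.
    """
    description: str
    phi_involved: bool
    # (B)(i): unintentional acquisition/access/use by an employee or individual
    # acting under the authority of the covered entity or business associate
    by_workforce_member: bool
    good_faith_within_scope: bool
    # (B)(ii): inadvertent disclosure between two similarly situated,
    # authorized individuals at the same facility
    between_authorized_same_facility: bool
    # (B)(i)(II) / (B)(iii): was the information further acquired, accessed,
    # used, or disclosed by anyone?
    further_use_or_disclosure: Optional[bool]
    # (A): could an unauthorized recipient reasonably have retained it?
    recipient_could_retain: Optional[bool]


def classify(i: Incident) -> Tuple[str, str]:
    """Return (outcome, reason); outcome is one of
    'not_a_breach', 'exception', 'breach', 'needs_review'."""
    if not i.phi_involved:
        return ("not_a_breach", "no protected health information involved")
    if i.further_use_or_disclosure is None:
        return ("needs_review",
                "whether the information was further used or disclosed is not established")
    if i.further_use_or_disclosure:
        # Every exception in (B) requires that there was no further use/disclosure.
        return ("breach", "information was further acquired, accessed, used, or disclosed")
    if i.by_workforce_member and i.good_faith_within_scope:
        return ("exception", "(B)(i): good-faith workforce access within scope, no further use")
    if i.between_authorized_same_facility:
        return ("exception",
                "(B)(ii): inadvertent disclosure between authorized individuals at the same facility")
    if i.recipient_could_retain is None:
        return ("needs_review",
                "whether an unauthorized recipient could have retained the information is not established")
    if not i.recipient_could_retain:
        return ("exception", "(A): recipient could not reasonably have retained the information")
    return ("breach", "unauthorized acquisition, access, use, or disclosure compromising PHI")


# Constructed fact patterns for the three scenarios in the article (assumptions).
SCENARIOS: List[Incident] = [
    Incident("1: email with customer PII sent to a coworker, deleted, confirmed by mail logs",
             phi_involved=True, by_workforce_member=True,
             good_faith_within_scope=False,          # receiving it was not part of the job
             between_authorized_same_facility=True,
             further_use_or_disclosure=False, recipient_could_retain=False),
    Incident("2: contracted cleaner finds medical records in a trash can, reports them",
             phi_involved=True, by_workforce_member=True,
             good_faith_within_scope=True,           # acting under the clinic's authority
             between_authorized_same_facility=False,
             further_use_or_disclosure=False, recipient_could_retain=False),
    Incident("3: SSNs printed on 260,000 mailing labels by a mailing contractor",
             phi_involved=True, by_workforce_member=False,
             good_faith_within_scope=False,
             between_authorized_same_facility=False,
             further_use_or_disclosure=None,         # not established: who read the labels?
             recipient_could_retain=True),
]


def classify_all(incidents: List[Incident]) -> List[Tuple[str, str, str]]:
    """Classify each incident and pair the outcome with its description."""
    return [(i.description,) + classify(i) for i in incidents]


if __name__ == "__main__":
    for desc, outcome, reason in classify_all(SCENARIOS):
        print(f"{outcome:13} {desc}\n{'':13}   {reason}")
```

With these facts the first scenario lands on the (B)(ii) exception and the second on (B)(i), matching the article's reading, while the third comes back as "needs_review" because the (iii) condition (no further acquisition or use) has not been established either way. The value of the ordering is that the "no further use or disclosure" question is asked before any exception is allowed, and a missing fact escalates rather than silently defaulting to "not a breach".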

Last Week’s Quiz Question
How many gallons of sap does it take to produce a gallon of maple syrup?

Answer: 40 gallons
(Note: There was some disagreement on this one, as The Cornell Sugar Maple Research & Extension Program asserts that it takes 42 gallons of sap to make a gallon of maple syrup. But the question refers to quality Vermont maple syrup, not inferior syrup from other states.)

This week’s winner is Thomas Reardon. Congratulations Thomas.

This week’s Quiz Question
Who was Harold "Doc" Martin in the history of Norwich University?

The winner receives a free copy of the new 1,200-page ISO information security policies standard.

Submit all answers to jorlando@norwich.edu