Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response
April 5, 2010
Policy 2010-0004 - OCIO
Table of Contents
5. Roles and Responsibilities
5.1 HHS Chief Information Officer (CIO)
5.4 HHS OIG Computer Crimes Unit (CCU)
5.5 Office for Civil Rights (OCR)
5.8 OPDIV Chief Information Officers (CIOs)
6. Applicable Laws/Guidance
7. Information and Assistance
8. Effective Date/Implementation
This Policy supersedes the HHS IRM Policy for Establishing an Incident Response Capability, dated January 8, 2001. It also supplements the HHS Policy for Responding to Breaches of Personally Identifiable Information, dated November 17, 2008, and the HHS Computer Security Incident Response Center (CSIRC) Concept of Operations (CONOPS).[1]
Increased threats to critical cyber-based infrastructure systems have created a need for Government agencies to augment their computer security efforts. Incidents involving cyber security and privacy threats, such as viruses, malicious user activity, and vulnerabilities associated with highly interconnected technology require a skilled and rapid response to mitigate their likelihood and impact to computing resources, loss or destruction of data, loss of funds, loss of productivity, and damage to the agency’s reputation. These situations require that agencies have a coordinated computer security incident response capability as an extension to their contingency planning process. The DHS defines a privacy incident as “a suspected or confirmed incident involving PII.” PII is any information that permits the identity of an individual to be directly or indirectly inferred, including any other information that is linked or linkable to that individual regardless of whether the individual is a U.S. citizen, legal permanent resident, or a visitor to the U.S. A privacy incident is an adverse event or action that is unplanned, unusual, and unwanted that happened as a result of non-compliance with the privacy policies and procedures of the Department. It must pertain to the unauthorized use or disclosure of PII including “accidental disclosure” such as misdirected e-mails or faxes.
The US-CERT was established in 2003 and is responsible for providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry, and international partners. The Federal Information Security Management Act (FISMA) requires the Department to establish policies and procedures for reporting and responding to security incidents in order to mitigate risks. FISMA also requires the Department to consult with, and to report security and privacy incidents to the United States Computer Emergency Readiness Team (US-CERT). To meet Federal requirements and provide the Department with centralized incident reporting and response services, the Department established the HHS CSIRC to serve as the lead organization for coordinating Department-wide cyber security information sharing, analysis, and response activities.
The HHS Policy for Responding to Breaches of Personally Identifiable Information, which this Policy supplements, was issued as a separate policy in 2008 due to the government-wide high level of attention placed on incidents involving the loss of PII, and the fact that OMB guidance mandated specific processes for personally identifiable information (PII) breach response that are different from the processes for responding to IT security incidents. In addition, for breaches involving unsecured protected health information (PHI), interim final breach notification regulations were issued in August 2009, implementing section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act. It requires HIPAA covered entities and their business associates to provide notification following a breach of PHI. The breach notification interim final rule requires covered entities to provide the HHS Secretary with notice of breaches of unsecured protected health information (45 CFR 164.408). The specific processes for breach notification involving unsecured PHI are available from the HHS Office for Civil Rights (OCR).
This Policy applies to all HHS organizational components (i.e., Operating Divisions (OPDIVs) and Staff Divisions[2] (STAFFDIVs)) and organizations conducting business for and on behalf of the Department through contractual relationships when using HHS IT resources. This Policy does not supersede any other applicable law, higher-level agency directive, or existing labor management agreement in place as of the effective date of this Policy.
Department officials shall apply this Policy to employees, contractor personnel, interns, and other non-government employees. All organizations collecting or maintaining information, or using or operating information systems on behalf of the Department, are also subject to the stipulations of this Policy. The content of and compliance with this Policy shall be incorporated into applicable contract language and grant agreements, as appropriate.
OPDIVs shall use this Policy or may create a more restrictive policy, but not one that is less restrictive or comprehensive than, or less compliant with, this document.
4.1 The HHS CSIRC, as overseen by the HHS Chief Information Security Officer (CISO), shall serve as the primary entity in the Department that is responsible for maintaining Department-wide operational IT security situational awareness, and determining the overall IT security risk posture of HHS. The HHS CSIRC shall establish and maintain a partnership with OPDIV CSIRTs to ensure the HHS CSIRC is aware of security and privacy vulnerabilities, threats, and incidents that may negatively impact the ability of the OPDIV and/or the Department to fulfill its mission and functions.
In partnership with OPDIV CSIRTs, the HHS CSIRC shall do the following:
4.1.1 Report HHS IT security and privacy incidents to US-CERT. If the incident involves the actual or suspected loss of control of PII[3] or PHI[4], the HHS CSIRC shall also report the incident to the HHS PII Breach Response Team (BRT);
4.1.2 Coordinate the Department-wide response to IT security vulnerabilities, threats, and incidents;
4.1.3 Facilitate information sharing across the Department regarding IT security vulnerabilities, threats, and incidents; and
4.1.4 Provide (or augment existing) analysis capabilities and/or forensic services with respect to IT security vulnerabilities, threats and incidents, particularly if the OPDIV does not have these capabilities.
4.2 OPDIVs shall establish and maintain IT security and privacy incident response capabilities, or ensure that incident response capabilities are performed on their behalf.
4.3 Each OPDIV CSIRT shall serve as the primary entity in the OPDIV responsible for maintaining OPDIV-wide operational IT security situational awareness, and facilitate the determination of the overall IT security risk posture of the OPDIV. Each OPDIV CSIRT shall establish and maintain a partnership with the HHS CSIRC to ensure each OPDIV CSIRT is aware of security vulnerabilities, threats, and incidents that may negatively impact the ability of the OPDIV and/or the Department to fulfill its mission and functions.
In partnership with HHS CSIRC, each OPDIV CSIRT shall do the following:
4.3.1 Specifically, incidents involving the actual loss or suspected loss of control over PII must be reported.
4.3.2 Coordinate with Senior Official for Privacy (SOP) for PII and PHI in accordance with BRT processes.
4.3.3 Coordinate the OPDIV-wide overall response to IT security vulnerabilities, threats, and incidents;
4.3.4 Facilitate information sharing across the OPDIV regarding IT security vulnerabilities, threats, and incidents; and
4.3.5 Provide (or augment existing) analysis capabilities and/or forensic services with respect to IT security vulnerabilities, threats and incidents.
4.4 OPDIVs shall report IT security and privacy incidents to the HHS CSIRC in accordance with the HHS CSIRC CONOPS, which implements the reporting guidance specified in US-CERT and NIST SP 800-61 (as amended), Computer Security Incident Handling Guide.[5] Specifically, incidents involving the actual loss or suspected loss of control over PII must be reported.
4.4.1 If the incident involves a confirmed or suspected violation of the law, or employee or contractor misconduct, OPDIV CSIRTs shall report the incident to the Office of Inspector General (OIG) in accordance with established Department and OPDIV policies and procedures. The OIG shall update the HHS CSIRC regarding such incidents, in accordance with established OIG processes.
4.4.2 If the incident involves a suspected or confirmed loss of PHI, OPDIVs that are also HIPAA covered entities may have an obligation to report the incident to the Office for Civil Rights (OCR)[6] in addition to the HHS CSIRC, in accordance with reporting requirements for breach notifications at 45 CFR 164.408.
4.5 The HHS CSIRC, OPDIV CSIRTs, OIG, and the Office of Security and Strategic Information (OSSI) shall collaborate in the reporting and exchange of classified information about IT security and privacy incidents.
5. Roles and Responsibilities
5.1 HHS Chief Information Officer (CIO)
The responsibilities of the HHS Chief Information Officer (CIO) include but are not limited to the following:
5.1.1 Establish, implement, and enforce a Department-wide framework to facilitate an incident response program that ensures proper and timely reporting to the US-CERT.
5.2 HHS CISO
The responsibilities of the HHS CISO include but are not limited to the following:
5.2.1 Ensure the Department-wide implementation of Federal policies and procedures related to IT security and privacy incident response; and
5.2.2 Manage the resources that support HHS CSIRC operations.
5.3 HHS CSIRC
The responsibilities of the HHS CSIRC include but are not limited to the following:
5.3.1 Serve as the primary entity in the Department responsible for maintaining Department-wide operational IT security situational awareness and determining the overall IT security risk posture of HHS;
5.3.2 Serve as the lead organization for coordinating Department-wide cyber security information sharing, analysis, and response activities;
5.3.3 Report HHS IT security and privacy incidents to US-CERT; and
5.3.4 Serve as the Department's primary point of contact with US-CERT.
5.4 HHS OIG Computer Crimes Unit (CCU)
The responsibilities of the OIG Computer Crimes Unit (CCU) include but are not limited to the following:
5.4.1 Investigate confirmed or suspected violations of the law pertaining to information systems;
5.4.2 Coordinate with the HHS CSIRC to respond to IT security incidents that involve a violation of the law;
5.4.3 Provide assistance to the Department in resolving questions of suspected criminal activity and other investigative policy questions; and
5.4.4 Serve as the Department's central point of contact to law enforcement agencies and to the Department of Justice (DoJ).
5.5 Office for Civil Rights (OCR)
The responsibilities of the OCR include but are not limited to the following:
5.5.1 Enforcement of the regulatory standards and requirements in the HIPAA Privacy and Security Rule and Notification of Breaches of Unsecured Protected Health Information under the HITECH Act, including receiving complaints or reports of alleged violations, investigation of such reports, obtaining corrective action and imposing civil money penalties as appropriate and necessary;
5.5.2 Receive reports of breaches of unsecured protected health information on behalf of the Secretary and refer for investigation as appropriate; and
5.5.3 Posting on the website entities reporting breaches of unsecured protected health information affecting 500 or more individuals.
5.6 OSSI
The responsibilities of the OSSI include but are not limited to the following:
5.5.1 Providing overall leadership for the development, coordination, application, and evaluation of all policies and activities within the Department that relate to physical and personnel security, the security of classified information, and the exchange and coordination of national security-related strategic information with other Federal agencies and the national security community, including national security-related relationships with law enforcement organizations (LEOs) and public safety agencies;
5.5.2 Provide current and timely information to the HHS CSIRC and OPDIV CSIRCs and other key personnel as deemed necessary; and
5.5.3 Ensure communications security, including secure telecommunications equipment and classified information systems, for the discussion and handling of classified information in support of the detection, defense, and response to security and privacy vulnerabilities, threats, and incidents.
5.7 HHS PII BRT
The responsibilities of the HHS BRT are defined in the HHS Policy for Responding to Breaches of Personally Identifiable Information (PII), dated November 17, 2008.
5.8 OPDIV Chief Information Officers (CIOs)
The responsibilities of the OPDIV Chief Information Officers (CIOs) include but are not limited to the following:
5.9.1 Establish, implement, and enforce an OPDIV-wide framework to facilitate an incident response program that ensures proper and timely reporting to the HHS CSIRC.
5.9 OPDIV CISOs
The responsibilities of the OPDIV CISOs include but are not limited to the following:
5.8.1 Ensure OPDIV-wide implementation of Department and OPDIV policies and procedures that relate to IT security and privacy incident response.
5.10 OPDIV CSIRT
The responsibilities of the OPDIV CSIRT include but are not limited to the following:
5.9.1 Serve as the primary entity in the OPDIV responsible for maintaining OPDIV-wide operational IT security situational awareness and determining the overall IT security risk posture of the OPDIV;
5.9.2 Serve as the lead organization for coordinating OPDIV-wide cyber security information sharing, analysis, and response activities;
5.9.3 Report OPDIV IT security and privacy incidents to HHS CSIRC; and
5.9.4 Serve as the OPDIV's primary point of contact with HHS CSIRC.
6. Applicable Laws/Guidance
- Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347, December 2002.
- Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, dated November 28, 2000.
- OMB Memorandum (M) 06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, dated July 12, 2006.
- OMB M-07-16, Safeguarding against and Responding to the Breach of Personally Identifiable Information, dated May 22, 2007.
- NIST SP 800-61 (as amended), Computer Security Incident Handling Guide, dated March 2008.
- Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, dated March 2006.
- HHS-OCIO-2008-0001.003, HHS Policy for Responding to Breaches of Personally Identifiable Information, signed November 17, 2008.
- HHS-OCIO-2009-0003, HHS Policy for Information Systems Security and Privacy, signed June 25, 2009.
HHS OCIO policies are posted on the following website: http://www.hhs.gov/ocio/policy/index.html.
7. Information and Assistance
Direct any questions, comments, suggestions, or requests for further information to the HHS Information Security and Privacy Program at (202) 690-6162.
8. Effective Date/Implementation
The effective date of this Policy is the date on which the Policy is approved.
Requirements stated in this Policy are consistent with law, regulations and other Department policies applicable at the time of its issuance. Actions taken through the implementation of this Policy must comply with the requirements of pertinent laws, rules and regulations, as well as the lawful provisions of applicable negotiated agreements for employees in exclusive bargaining units.
The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary’s policy statement dated August 7, 1997, as amended, titled Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations. It is HHS policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department’s plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.
/s/
Michael W. Carleton
HHS Chief Information Officer
Date: April 5, 2010
Breach (as it relates to PHI) — The unauthorized acquisition, access, use, or disclosure of protected health information, which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. (Defined in the American Recovery and Reinvestment Act of 2009)
Breach (as it relates to PII) — The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic. (Defined in OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information)
Incident — The act of violating an explicit or implied security policy. Of course, this definition relies on the existence of a security policy that, while generally understood, varies among organizations.
These include but are not limited to:
- attempts (either failed or successful) to gain unauthorized access to a system or its data
- unwanted disruption or denial of service
- the unauthorized use of a system for the processing or storage of data; and
- changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent. (US-CERT)
Information — Any communication or representation of knowledge such as facts, data, or opinions in any medium or form; including textual, numerical, graphic, cartographic, narrative, or audiovisual forms. (Defined in OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources, 6(a))
Information Technology Resources - includes but is not limited to: personal computers and related peripheral equipment and software, network and web servers, telephones, facsimile machines, photocopiers, Internet connectivity and access to internet services, e-mail and, for the purposes of this policy, office supplies. It includes data stored in or transported by such resources for HHS purposes.
Information System — A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (Defined in NIST SP 800-53, Recommended Security Controls for Federal Information Systems, Appendix B)
Protected Health Information (PHI) — "Individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. “Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The HIPAA Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. (Defined in the HIPAA Privacy Rule)
Personally Identifiable Information (PII) — Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. (Defined in OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information)
Privacy — The appropriate use of personal information. (Defined in the International Association of Privacy Professionals site glossary)
Privacy Incident — An incident that involves personally identifiable information or protected health information. (US-CERT)
BRT | Breach Response Team |
CCU | Computer Crimes Unit |
CFR | Code of Federal Regulations |
CIO | Chief Information Officer |
CISO | Chief Information Security Officer |
CONOPS | Concept of Operations |
CSIRC | Computer Security Incident Response Center |
CSIRT | Computer Security Incident Response Team |
DoJ | Department of Justice |
FIPS | Federal Information Processing Standard |
FISMA | Federal Information Security Management Act |
HHS | Health and Human Services |
HIPAA | Health Insurance Portability and Accountability Act |
HITECH | Health Information Technology for Economic and Clinical Health Act |
IT | Information Technology |
LEO | Law Enforcement Organization |
M | Memorandum |
NIST | National Institute of Standards and Technology |
OCISO | Office of the Chief Information Security Officer |
OCR | Office for Civil Rights |
OIG | Office of the Inspector General |
OMB | Office of Management and Budget |
OPDIV | Operating Division |
OSSI | Office of Security and Strategic Information |
PHI | Protected Health Information |
PII | Personally Identifiable Information |
POC | Point of Contact |
SP | Special Publication |
STAFFDIV | Staffing Division |
US-CERT | United States Computer Emergency Readiness Team |
[6] OPDIVs that are also HIPAA covered entities should consult the breach notification regulations at 45 CFR 164, subpart D to determine if the loss of PHI constitutes a breach and, if so, how to report the breach to the Secretary. The breach notification reporting form and instructions for reporting the loss of control of PHI can be found at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.