Lisa Copp and Meredith Phillips presented on privacy and security incident management. They discussed how CNO Financial Group and Henry Ford Health System manage incidents across different teams. Both organizations use a single intake system called RADAR to coordinate incident response and ensure consistent analysis, documentation, and risk assessment. The presentation emphasized the importance of cross-team collaboration and having clearly defined roles to effectively manage privacy and security incidents.
1. Coordinating Privacy and Security Incident Response
2. Lisa Copp
Chief Privacy Officer & Assistant General Counsel
CNO Financial Group
Meredith Phillips
Chief Information Privacy & Security Officer
Henry Ford Health System
3. • Publicly traded insurance holding company
• CNO affiliated insurance brands provide life and supplemental health insurance products to middle income Americans
• Not all products are HIPAA governed – life, annuity, accident, disability income
• CNO insurance companies are licensed in all States, DC and PR
4. CHIEF PRIVACY OFFICER
• Reports through Law Department
• Oversees regulatory compliance
• Primary accountability for “non-technical” incidents
• Metrics focused on incidents as an impact on privacy as an objective – incidents (quantity/root cause/character of data)
DIRECTOR OF INFORMATION SECURITY
• Reports through IT Infrastructure
• Oversees technical control environment
• Primary accountability for “technical” incidents
• Metrics focused on incidents as impact on function of security processes
Coordinated Activities Between Privacy & Security Teams
• Metrics reported to Enterprise Risk Mgt Committee
• RADAR web form single intake point for all types of incidents
• RADAR incident management tool for all types of incidents
• Consistency between check lists and analysis tools
Governance AND Accountability
5. Privacy & Security Incident Management: Teamwork Across the CNO Enterprise
Effective incident management requires a variety of skill sets to perform a variety of functions
Technology tools for incident reporting and management allow efficiency and consistency
Building Security
• Primary investigators for loss and theft of equipment or materials containing PII
IT Security
• Expertise in systems security
• Investigation and analysis check lists for technical incidents
• Technical incident management
Fraud Unit
• Primary investigators for internal and external fraud involving misuse of PII
Enterprise Risk Mgt
• Conduct root cause analysis for process-related incidents
Consumer Relations
• Process incidents in RADAR
• Issue consumer breach notification letters
• Manage credit monitoring codes
Regulatory Affairs
• Liaison with state Departments of Insurance
Privacy Compliance
• Provide attorney oversight
• Investigation and analysis check lists for non-technical incidents
• Non-technical incident mgt
• Framework for sanctions
• Issue regulator breach notification letters
6. Value of automated incident management
• Investigate incident
• Investigate impacted consumers
• Understand breach standards in relevant jurisdictions
• Understand consumer notice standards in relevant jurisdictions
• Understand regulator notice standards in relevant jurisdictions
• Investigate root cause(s)
• Develop corrective action
• Monitor corrective action
• Recommend sanctions
• Monitor sanctions
Single Source of Truth
• Repeatable analysis
• “Evidence room”
• Single intake point with customized Web Form regardless of incident type
– Stolen briefcase
– Misdirected mail
– Malware
– Social engineering
Coordinates a Non-linear Workflow
7. Key elements of our program: ideas to share
Risk assessment
• Risk thresholds
• Risk based metrics
– Number of individuals impacted
– Character of data
– Root cause
Check lists
• Loss/theft
• Process issues/root cause
• Corrective action plans
• Sanctions
“Letter picker”
• Automates selection of breach notification letter
– Jurisdiction
– HIPAA or non-HIPAA
– Mandatory or voluntary notice
– Special states
Common repository
• Evidence of repeatable process
• Consistent analysis
• Consistent documentation
8. THEN vs. NOW
• Then…Prior to 2012
– Privacy was a subset of Corporate Compliance
– Security was a subset of Information Technology
– Decentralized approach throughout the System with lean resources to carry out the Privacy & Security Mission
• Observation
– Due to lean resources (i.e., budget, FTEs, etc.), competing priorities and fragmented oversight, Privacy & Security compliance was at times misaligned with the HFHS Mission & Vision
– Organizational mindset saw privacy & security compliance as a “necessary evil” – Regulatory issue…not clinical!
– We struggled with being a part of the solution and were seen as a barrier to patient care
– Roles were not clearly defined, thus creating misalignment during incident response
9. THEN vs. NOW
• Now…
– Named the System’s Chief Information Privacy & Security Officer
– Combined the Information Privacy & Information Security into one department under one leader
– Launched a System-wide internal marketing campaign to communicate the new governance structure, responsibility, mission, vision, goals, etc.
– Priorities have further been streamlined and standardized within the IPSO to establish Service Level Agreements with each Business Unit
– Investigative process & re-education will be managed by the IPSO team while maintaining coordination with the key stakeholders (i.e., business unit leadership, Privacy/Security Champions, Human Resources, etc.)
• Observations
– HFHS entered into new territory to ensure synergy between Privacy & Security – Culture of Confidentiality – through organizational structure
– Incident reporting has increased by 26% from 2013 to 2014
– Employees “Think Privacy & Security First”…when in doubt, they call the IPSO…we are here to save the day!
– The “necessary evil” mindset has diminished…we are now a welcomed partner and resource to the organization and leaders
11. CENTRALIZED INVESTIGATIVE PROCESS
• Any routine investigations that may result in a breach must be forwarded to the IPSO for a Code A(ssessment) and potential Code B Alert
• Investigations are led by the IPSO (i.e., privacy & security) in conjunction with operational or medical staff management, Human Resources, Legal Affairs, Risk Management & the Police Authority Unit
• All investigative documentation (i.e., notes, interview transcripts, audit logs, etc.) should be stored in our centralized repository to ensure the ability for metric reporting
• All incidents must receive a breach risk assessment using RADAR to ensure consistent assessments are performed and documented
• Corrective Action always recommended by the IPSO in accordance with the outcome of the investigation
– Application of corrective action is consistent across business units and employee types
• Re-education required for the entire department within 30 days of investigation closure, not just the offender
12. IPSO COUNCILS & RESPONSE TEAMS
• The HFHS Privacy & Security Council is an oversight council that approves System policies and procedures related to privacy & security regulations
• The Code B Alert Team is a rapid-response workgroup established to centrally respond and manage all System data breaches & incidents
• The Office for Civil Rights Response Team will review all OCR data requests related to privacy & security violations and respond on behalf of the System and/or specific business unit
“These teams are coordinated by our office and have been added to the BFF circle of collaboration. We all are working towards the common goal of ensuring our Culture of Confidentiality is maintained for all of our patients, members, guests and employees. Without each other, we would definitely fail!”
-Meredith Phillips
13. Resources
1. Presentation Slides: To download a copy of these presentation slides please go to: http://www.idexpertscorp.com/IAPPwebinar1214
2. Download Whitepaper: The CISO’s Secret Weapon for Reducing Enterprise Risk
http://www2.idexpertscorp.com/resources/single/incident-response-management-software-the-cisos-secret-weapon-for-reducing/r-radar
14. A Word from our Sponsors
Security and privacy incident response software
www.idexpertscorp.com/radar-software
15. For a copy of these presentation slides and to view the recording of this web conference (to be posted approximately 48 hours following the live event) please go to: http://www.idexpertscorp.com/IAPPwebinar1214
Questions & Answers
Lisa Copp
Chief Privacy Officer & Assistant General Counsel
CNO Financial Group
Lisa.Copp@CNOinc.com
Meredith Phillips
Chief Information Privacy & Security Officer
Henry Ford Health System
mphilli2@hfhs.org