Data Breach Response

In its Standards for Cancer Registries Volume III: Standards for Completeness, Quality, Analysis, Management, Security and Confidentiality of Data, the North American Association for Central Cancer Registries (NAACCR) states, "Confidentiality is the cancer registry's responsibility to the patients whose data are in the database and is of paramount concern to all cancer registries. There may be no greater threat to the operation and maintenance of a cancer registry than an actual or perceived breach of confidentiality. In fact, an actual or perceived breach of confidentiality in one registry may threaten all registries."

Planning for a security breach ensures that appropriate action is taken to minimize the consequences of a virus, malicious software, or an intrusion (hackers, fraud, and cybercrime), and that emergency response procedures and responsibilities are documented, understood, and executed properly when necessary. When experiencing a data breach, it is the program's responsibility to execute its response plan. Without a data breach response plan, NPCR programs are at risk of failing to comply with legislation, suffering repeated breaches, losing staff productivity, and gaining unwanted publicity.

Breach Response Team (BRT)

Each NPCR program is responsible for the security of the information that the public has entrusted to it, including personally identifiable information (PII), such as a name or Social Security number, which can be used to determine an individual's identity. Each NPCR program is encouraged to make efforts to reduce the risks associated with the loss or unapproved disclosure of PII by establishing a BRT to develop processes for responding to any suspected or confirmed PII breaches.

The BRT is a designated group of people within the program with information technology expertise that will investigate and resolve attempts at unauthorized access, compromise of proprietary data by computer, computer misuse, hardware or software vulnerability, and loss of data or computer availability sufficient to impact the NPCR program. Its responsibilities include—

• Developing processes for the NPCR program to maintain system logs for intrusion detection systems, proactive system scans, and incident reports.



• Evaluating the appropriateness and effectiveness of PII breach response activities and identifying what actions should be taken and the process to determine if there is evidence of actual harm.



• Ensuring that all suspected or confirmed PII breaches of systems are identified, tracked, and responded to in an effective, consistent, and timely manner that minimizes risk to the program and individuals.



• Notifying affected individuals, the NPCR program consultant, and the program's public health department or other agencies as appropriate of all suspected or confirmed PII breaches of systems.



• Investigating the cause of any data breach using a defined process for effective response planning.



• Creating training procedures that ensure all program personnel are aware of breach response policy and incorporate it into computer security briefings and training programs, and providing guidance for determining what constitutes criminal intent and employee misconduct.

Reference

U.S. Department of Health & Human Services. Policy for Responding to Breaches of Personally Identifiable Information (PII). April 15, 2008.