Data Incident Response Plan

Effective: 10-07-21

Supersedes: NA

Purpose:

The purpose of this policy is to establish the goals and the vision for the information security incident response process. Brewster Ambulance Service, Inc. is committed to protecting its employees, patients, customers, and partner agencies from illegal or damaging actions against data security taken by individuals, whether knowingly or unknowingly. Brewster’s intention in publishing an information security incident response policy is to focus attention on the potential risk of information security incidents.

Security incidents involving Company-owned devices or personal devices containing sensitive data can have serious consequences. It is the responsibility of the Brewster Ambulance IT Department to investigate and respond to potential incidents promptly and efficiently. This helps protect other company assets (e.g., data, computers, networks) and supports compliance with state and federal law and company policy.

Any individual who suspects that a theft, breach, or exposure of confidential or protected information or information systems has occurred should immediately contact the Information Technology Department at IT@BrewsterAmbulance.com, (781) 808-9099, internally at x49099, or by the on-call/after-hours IT Department contact numbers.

Definitions:

Incident – An actual or potential event involving loss or compromise of data or the loss of functionality of an information system or network. An information security incident is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of data or services used or provided by the Company, and may occur within the Brewster computer network or with an outside entity. An incident meets one or more of the following criteria:

·         Violation of Federal law or State law, or Company Policy involving a Brewster Ambulance Service IT asset or sensitive or protected information in any form.

·         A breach, attempted breach, or other unauthorized access of a Brewster IT Asset. Unauthorized access is any action or attempt to utilize, alter or degrade a company owned or operated IT resource in a manner inconsistent with company IT policies.

·         Any Internet malware, viruses, or phishing attacks.

·         Any conduct using, in whole or in part, a Brewster Ambulance Service Information Technology Asset which could be construed as harassing or in violation of Company Policies.

·         The loss or theft of a Brewster Ambulance Service computing device (including desktop, laptop computers, mobile devices) or the loss of any personal computing device containing protected patient information. 

Compromise – A confirmed security incident resulting in harm to the business’s reputation, assets, information, or ability to operate.

Breach – A security incident that may result in the acquisition or disclosure of private information to unauthorized parties.

Response:  

As recommended by the National Institute of Standards and Technology (NIST)[1], our response will focus on Preparation, Detection, Analysis, Containment, Eradication, and Recovery of data. When a data incident is reported or discovered, this response plan is immediately set into motion.

Identify:

·         Validate the data breach: examine the initial information to confirm that a breach has occurred.

·         If criminal activity is suspected, notify law enforcement. 

·         If a breach has occurred, determine if there was a breach of Personally Identifiable Information (PII). 

·         If possible, identify the type of information disclosed and estimate the method of disclosure (internal/external disclosure, malicious attack, or accidental), and begin the breach response documentation and reporting process.


Detect and Protect:

·         Immediately determine the status of the breach (on-going, active, or post-breach).

·         If the breach is active or on-going, take action to prevent further data loss by securing and blocking unauthorized access to systems/data, and preserve evidence for investigation.

·         Document all mitigation efforts for later analysis.

·         Advise staff who are informed of the breach to keep breach details in confidence until notified otherwise.


Determine the Scope and Composition of the Breach:

·         Identify all affected data, machines, and devices. 

·         Conduct interviews with key personnel and document facts (if criminal activity is suspected, coordinate these interviews with law enforcement). 

·         When possible, preserve evidence (backups, images, hardware, etc.) for later forensic examination. 

·         Locate, obtain, and preserve (when possible) all written and electronic logs and records applicable to the breach for examination. 

·         Work collaboratively with data owners to secure sensitive data, mitigate the damage that may arise from the breach, and determine the root cause(s) of the breach to devise mitigating strategies and prevent future occurrences.


Recover:  

·         Collect and review all breach response documentation and analysis reports.

·         Assess the data breach to determine the probable cause(s) and minimize the risk of future occurrence. 

·         Address and/or mitigate the cause(s) of the data breach. 

·         Solicit feedback from the responders and any affected entities.

·         Review breach response activities and feedback from involved parties to determine response effectiveness.

·         Make necessary modifications to the Company’s breach response strategy to improve the response process.

·         Enhance and modify security and training programs as necessary, including developing countermeasures to mitigate and remediate previous breaches.


Notification:

1.    Where appropriate and/or required, and in consultation with the company’s legal team, notification shall be made to individuals and/or business partners whose unsecured sensitive, non-public (“confidential”) information has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of a breach. Such notification shall be made without unreasonable delay and in accordance with timelines required by law.

2.    The required notification shall be written in plain language and shall include, to the extent possible and/or permitted by law:

a.     A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

b.    A description of the types of unsecured “confidential” information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

c.     Steps Individuals should take to protect themselves from potential harm resulting from the breach;

d.    A brief description of what the Company has done/is doing to investigate the breach, to mitigate harm to Individuals, and to protect against any further breaches; and

e.    Contact procedures for Individuals to ask questions or learn additional information. 

3.    Depending on the number of residents potentially affected, notifications to the media may also be required. Brewster will make notifications to individuals, the media, and regulatory agencies in accordance with all applicable requirements.


Applicable state breach notification laws:

Massachusetts: Massachusetts General Law Chapter 93H, “Security Breaches”, https://www.mass.gov/info-details/requirements-for-data-breach-notifications

Rhode Island: 11-49.3-4 (state.ri.us)

New Hampshire: Section 359-C:20, Notification of Security Breach Required (state.nh.us)


[1] NIST Special Publication 800-61 Revision 2, Computer Security Incident Handling Guide, https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf