Breachvs.SecurityIncident.pptVIP

 Security Incident Reporting  State policy requires Departments to follow specified notification and reporting processes when information security incidents occur. “…It is Department policy to maintain a record of security incidents and breaches and employ security measures that preserve the privacy of confidential, personal, or sensitive information and prevent the release or destruction of confidential, personal, or sensitive information through theft, loss, damage, unauthorized destruction or modification, unintentional or inappropriate release, misuse, accident, sabotage or other criminal activity, or natural disaster.” What do you do if you encounter an incident (or even suspect it)? Contact your supervisor immediately! HAM 6-1060.1 requires…” Department employees shall, in the most expedient time possible and without unreasonable delay, report any suspected or confirmed incident to the employee’s Division Chief via the employee’s chain of command”… If you are the supervisor, or your supervisor is not available call the IT Help Desk and open a Remedy ticket. (See Website Reference page at the conclusion of this training). What is a Breach? A “breach of the security of the system”: Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” AND Must be disclosed to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Examples ofPaper Breaches Misdirected paper faxes with PHI/PCI outside of DHCS Loss or theft of paper documents containing PHI/PCI Mailings to incorrect providers or beneficiaries Examples of Electronic Breaches Stolen, unencrypted laptops, hard drives, PCs with PHI/PCI Stolen, unencrypted thumb drives with PHI/PCI Stolen briefcases with unencrypted compact discs containing PHI/PCI Misdirected electronic fax wit