Effective Tabletop Breach Exercise Guidelines


Enhance your team's incident response preparedness with structured tabletop breach exercises. Learn how to simulate and manage data breaches through realistic scenarios, testing your response team's effectiveness. Leverage these exercises to strengthen your incident response plan and ensure seamless workflows during real incidents.

  • Tabletop breach
  • Incident response
  • Data breach
  • Security exercises
  • Incident management




Presentation Transcript


  1. Sample Tabletop Breach Exercises. Tabletops are a good tool to prepare teams for an actual event. For a program customized to your environment and with updated threat vectors, we encourage you to consult with our Advisory team.

  2. What Is a Tabletop Breach Exercise?
       • A structured data breach response drill
       • Triggers your incident response plan (IRP) for testing purposes
       • Involves members of your incident response team (IRT), both internal and external members
       • Tests the effectiveness and accuracy of the workflow of your current IRP and IRT

  3. Leaking the Hypothetical Facts. Break the facts up into realistic segments. Begin with a minimal amount of information, similar to what you would receive when the incident is first discovered. Give the team a reasonable amount of time to come up with a plan and identify each IRT member's role in the response process. Continue to distribute facts of the incident, giving the IRT time after each additional fact to revise the plan and prepare the relevant response roles.

  4. Scenario 1

  5. Tabletop Exercise. It's 6 pm on a Friday evening. An Information Systems person has just reported that unusual server activity associated with malware and data exfiltration has been detected. The malware may have gained access to a file server containing PHI via a phishing email on a physician workstation.

  6. Tabletop Exercise
     Known facts: An Information Systems person has just reported that unusual server activity associated with malware and data exfiltration has been detected. The malware may have gained access to a file server containing PHI via a phishing email on a physician workstation.
     Step 1
       • How will this incident be logged?
       • To whom will this be reported?
       • What is the threat level? Does it require escalation to other/senior management?
       • What's the trigger for senior management notification?

  7. Tabletop Exercise
     Known facts: An Information Systems person has just reported that unusual server activity associated with malware and data exfiltration has been detected. The malware may have gained access to a file server containing PHI via a phishing email on a physician workstation.
     Step 1
       • Start an event log that records the date and time of every action, beginning with first notice of the incident, together with a description of the facts and observations (what triggered the suspicion, etc.).
       • Describe the containment methods used to remove the immediate threat.
       • Discuss with the ISO or other appropriate parties whether the affected services or resources can be disconnected from the network in light of relevant business considerations, and disconnect if appropriate.

  8. Tabletop Exercise
     Known facts: An Information Systems person has just reported that unusual server activity associated with malware and data exfiltration has been detected. The malware may have gained access to a file server containing PHI via a phishing email on a physician workstation.
     Step 2
       • Which risks are reported to the IRT? Is there a threat-level trigger that controls this decision?
       • If an incident adversely affects regular communication channels, does the IRT member list provide home telephone, mobile telephone and pager numbers?

  9. Tabletop Exercise
     Known facts: An Information Systems person has just reported that unusual server activity associated with malware and data exfiltration has been detected. The malware may have gained access to a file server containing PHI via a phishing email on a physician workstation.
     Step 3
       • How are threat levels determined? For example, threat levels could be defined as follows:
         Level 1: it can be determined that no mission-critical systems or resources are at risk and that no confidential information, PI or PHI was accessed.
         Level 2: mission-critical systems or resources may be at risk, or confidential information, PI or PHI may have been accessed.
         Level 3: mission-critical systems or resources are at risk, or it has been determined that confidential information, PI or PHI was, in fact, accessed by an unauthorized individual.

  10. Tabletop Exercise
     Known facts: An Information Systems person has just reported that unusual server activity associated with malware and data exfiltration has been detected. The malware may have gained access to a file server containing PHI via a phishing email on a physician workstation.
     Step 4
       • Notify the IRT because there is a potential breach of PHI (what if it were only PI?).
       • Who: who are you contacting?
       • What: what are you telling them?
       • When: how many minutes or hours have elapsed (or could have elapsed)? Does it matter? Can this wait until Monday?
       • Why: why are you contacting the person (what is your goal)?
       • How: how do you get in touch with each person? Do you have a pre-defined method? A distribution-list email? How do you reach them at home?
       • Who decides whether to notify Beazley and/or engage outside legal counsel?

  11. Tabletop Exercise
     Known facts: An Information Systems person has just reported that unusual server activity associated with malware and data exfiltration has been detected. The malware may have gained access to a file server containing PHI via a phishing email on a physician workstation.
     Step 5
       • The IRT Leader hosts a call/meeting to determine next steps.
       • What: what information do you need to know? What decision are you trying to make?
       • Who: who are you depending on to help decide the next steps? Who knows about the situation? Employees?
       • When: when do you need answers? Does it matter? Can this wait? What's the level of urgency? How do you know?
       • How: how are you going to find out the things you need to know? How are you going to control the spread of information?

  12. Tabletop Exercise
     Known facts: An Information Systems person has just reported that unusual server activity associated with malware and data exfiltration has been detected. The malware may have gained access to a file server containing PHI via a phishing email on a physician workstation.
     Step 6
       • Should HR handle employees who know about the incident by imposing a gag order?

  13. Tabletop Exercise
     Known facts: An Information Systems person has just reported that unusual server activity associated with malware and data exfiltration has been detected. The malware may have gained access to a file server containing PHI via a phishing email on a physician workstation.
     Step 7
       • What type of investigation is necessary? Or is only a HIPAA risk assessment needed?
       • Do you have enough information to perform a HIPAA risk assessment yet?
       • Does the IRP provide guidance?
       • Should IT forensics perform hard-drive imaging to analyze the data? In-house? Outsourced?

  14. Tabletop Exercise
     Step 7 (continued). The IRP should guide the following actions:
       • Identify the nature of the incident.
       • Containment: limit the scope and magnitude of the incident as quickly as possible. All containment options should be evaluated by independent IT forensics experts:
         1) what to do with critical information and/or computing services;
         2) whether the sensitive data should be left on the system or copied to media and taken off-line;
         3) whether critical computing services should be moved to another system on another network where there is considerably less chance of interruption;
         4) whether the affected system should be shut down entirely, disconnected from the network, or allowed to continue running in its normal operational status (note that powering a system off discards volatile memory that forensics may need, whereas disconnecting it from the network preserves that state).
       • Identify the evidence: to protect the evidence, the IRT should number, date and sign notes and printouts, store complete logs in a safe, or copy the entire log to an alternate location and secure it.
       • Protect the evidence: a chain of custody shall be maintained that records the sequence of individuals who have handled the evidence and the sequence of locations where it has been stored, with dates and times specified. At the direction of the ISO [or other party?], the affected resource shall be backed up and/or imaged and/or otherwise replicated, beginning with the files on the system on which suspicious events have been observed.
       • What, if anything, should the IRT do while awaiting forensic analysis? For example, consider reporting to law enforcement.
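The event log from Step 1 (slide 7) and the evidence-identification and chain-of-custody points above come down to the same discipline: every item and every action is numbered, timestamped, attributed to a handler, and verifiable afterwards. The following Python script is an added example, not part of the presentation or of any vendor's tooling, showing one way to implement that discipline. Evidence items are hashed with SHA-256 on intake, each chain-of-custody entry is numbered and timestamped, and each entry also carries the hash of the previous entry, so that a later edit to either the evidence file or the ledger itself is detectable. The evidence IDs, handler names, storage locations and the sample email file are constructed for the demonstration.

```python
"""Evidence intake with SHA-256 hashing and a tamper-evident chain-of-custody
ledger.  Added example for the tabletop above; the IDs, handlers, locations
and sample files are constructed, not taken from a real incident."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20          # hash in 1 MiB blocks so disk images need not fit in RAM
GENESIS = "0" * 64       # "previous entry" hash used by the first ledger entry


def sha256_file(path):
    """Return the hex SHA-256 of a file, streamed block by block."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _entry_hash(entry):
    """Canonical hash of one ledger entry (sorted keys give a stable serialisation)."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class CustodyLedger:
    """Numbered, timestamped chain-of-custody entries.

    Each entry records who handled which item, what they did, where it now
    sits, the item's SHA-256, and the hash of the preceding entry.  That last
    field links the entries into a chain, so altering, inserting or deleting
    an entry after the fact breaks verify_ledger().
    """

    def __init__(self):
        self.entries = []

    def record(self, evidence_id, path, handler, action, location, now=None):
        entry = {
            "seq": len(self.entries) + 1,
            "time_utc": (now or datetime.now(timezone.utc)).isoformat(),
            "evidence_id": evidence_id,
            "action": action,            # collected, transferred, imaged, ...
            "handler": handler,
            "location": location,
            "sha256": sha256_file(path),
            "prev_entry_sha256": _entry_hash(self.entries[-1]) if self.entries else GENESIS,
        }
        self.entries.append(entry)
        return entry

    def intake_hash(self, evidence_id):
        """Hash recorded when the item was first logged."""
        for e in self.entries:
            if e["evidence_id"] == evidence_id:
                return e["sha256"]
        raise KeyError(f"no entry for {evidence_id}")

    def verify_evidence(self, evidence_id, path):
        """True if the file on disk still matches its intake hash."""
        return sha256_file(path) == self.intake_hash(evidence_id)

    def verify_ledger(self):
        """True if the entry chain is unbroken (no edits, gaps or reordering)."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev_entry_sha256"] != prev:
                return False
            prev = _entry_hash(e)
        return True


def demo():
    """Walk through collection, transfer and two tampering attempts; return the
    four verification results so they can be checked."""
    ledger = CustodyLedger()
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample item: the suspect message from the physician workstation.
        mail = os.path.join(tmp, "physician-inbox-msg.eml")
        with open(mail, "wb") as f:
            f.write(b"Subject: Updated formulary (action required)\r\n"
                    b"From: helpdesk@example.invalid\r\n\r\nSee attachment.\r\n")
        ledger.record("EV-001", mail, "IS on-call analyst", "collected", "IS evidence safe")
        ledger.record("EV-001", mail, "outside forensics", "transferred", "forensics lab")
        evidence_intact = ledger.verify_evidence("EV-001", mail)
        ledger_intact = ledger.verify_ledger()
        # Someone "cleans up" the message after collection: the hash no longer matches.
        with open(mail, "ab") as f:
            f.write(b"X-Note: edited after collection\r\n")
        evidence_after_edit = ledger.verify_evidence("EV-001", mail)
    # Someone rewrites history in the ledger itself: the chain breaks.
    ledger.entries[0]["handler"] = "nobody"
    ledger_after_edit = ledger.verify_ledger()
    return {
        "evidence_intact": evidence_intact,
        "ledger_intact": ledger_intact,
        "evidence_intact_after_edit": evidence_after_edit,
        "ledger_intact_after_edit": ledger_after_edit,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The hash chain makes the ledger tamper-evident, not tamper-proof: whoever controls the only copy can rebuild the whole chain. In practice the ledger is exported (or printed) at each hand-off and signed and dated by the handler, which is the "number, date and sign" step on the slide; the hashes simply let a reviewer prove that what was signed is what is still on disk.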

  15. Tabletop Exercise. An early forensic report adds a few more facts.
     Known facts: The IS team was just informed that the file server containing PHI was compromised and impermissibly accessed. The compromise potentially exposed the prescription records of 27,000 individuals to an unauthorized source. The information connected to the prescriptions included names, addresses, diagnostic codes, name of medication prescribed, medication costs and some Social Security numbers. Estimate another 48 hours to complete forensic work.

  16. Tabletop Exercise
     Known facts: The IS team was just informed that the file server containing PHI was compromised and impermissibly accessed. The compromise potentially exposed the prescription records of 27,000 individuals to an unauthorized source. The information connected to the prescriptions included names, addresses, diagnostic codes, name of medication prescribed, medication costs and some Social Security numbers. Estimate another 48 hours to complete forensic work.
     Step 8
       • The IRT Leader reassembles the team to update and determine next steps.
       • Severity? Do you have enough information to evaluate the severity of this event? Enough information to conduct a HIPAA risk assessment?
       • If yes, how severe, and what are the next steps? If no, what additional information do you need to know? What decision are you trying to make?
       • Involve law enforcement agencies?
       • Prepare now for notification of the covered entity / mass notification?

  17. Tabletop Exercise
     Known facts: The IS team was just informed that the file server containing PHI was compromised and impermissibly accessed. The compromise potentially exposed the prescription records of 27,000 individuals to an unauthorized source. The information connected to the prescriptions included names, addresses, diagnostic codes, name of medication prescribed, medication costs and some Social Security numbers. Estimate another 48 hours to complete forensic work.
     Step 9
       • Identify an approved BBR fulfillment house that can generate up to 27,000 notification letters. Assign duty to contact the vendor.
       • Identify a call center that can handle up to 27,000 calls from worried patients. Assign duty to contact the vendor. Or consider whether your organization can handle up to 27,000 calls from worried patients itself.
       • Other tasks or decisions at this point? Start or finish a risk-of-harm analysis assuming that forensic review confirms the disclosure of PHI to an unauthorized person?
       • Engage in discussions with Beazley as to credit monitoring, if needed.

  18. Tabletop Exercise. 43 hours later, the forensic report adds the missing facts.
     Known facts: The IS team was just informed that the file server containing PHI was compromised and impermissibly accessed. The compromise did in fact expose the prescription records of 27,000 individuals to an unauthorized source. The information connected to the prescriptions included names, addresses, diagnostic codes, name of medication prescribed, medication costs and some Social Security numbers. Law enforcement has found patient data for sale in commercial darknet markets. The patients reside in WA, ID and OR.

  19. Tabletop Exercise
     Known facts: The IS team was just informed that the file server containing PHI was compromised and impermissibly accessed. The compromise did in fact expose the prescription records of 27,000 individuals to an unauthorized source. The information connected to the prescriptions included names, addresses, diagnostic codes, name of medication prescribed, medication costs and some Social Security numbers. Law enforcement has found patient data for sale in commercial darknet markets. The patients reside in WA, ID and OR.
     Step 9
       • Game on. Notification per HIPAA (at least) is probably required.

  20. Tabletop Exercise
     Step 9 (continued)
       • Assign duty to start (or finish) the risk-of-harm review (assume risk confirmed).
       • Prepare a timeline for all events (how do you know? what if the deadlines conflict?).
       • Assign duty to start building mailing lists per state.
       • Review the Communications Plan and implement it.
       • Assign duty to prepare notifications and coordinate with the printer. What forms should you use? How do you know?
       • Assign duty to coordinate with the call center and prepare scripts.
       • Assign duty to notify the covered entity (if applicable).

  21. Tabletop Exercise
     Step 9 (continued)
       • Finalize discussions with Beazley regarding credit monitoring products.
       • Determine if the AG office should be notified.
       • Assign duty to prepare a press release to media. To whom on your IRT?
       • Assign duty to prepare for internal communications: employees, physicians, senior management, board of directors.

  22. Who needs to be notified?
       • Patients
       • Covered entities
       • Government agencies
       • Attorneys general
       • Law enforcement
       • Credit reporting agencies (CRAs)

  23. When does notification need to happen?
       • Protected health information (PHI) and personal identifying information (PII) involved
       • HIPAA: presumed breach, unless the covered entity shows a low probability of compromise
       • State law: acquisition or "risk-based" trigger
       • Timing (HIPAA v. state law)
       • Method of notification
       • Varying states

  24. What do regulators expect?
       • Transparency: no cover-up
       • Prompt and thorough investigation
       • Good attitude and cooperation (commitment to compliance and safeguarding PII)
       • Appropriate and prompt notification
       • Corrective action (know the root cause and address it; staff training; awareness program; technical safeguards; new policies/procedures/physical safeguards)
       • Remediation and mitigation

  25. Tabletop Exercise
     Step 10
       • Coordinate the media release.
       • Coordinate the website notice.
       • Determine if an internal call center is needed to handle misdirected calls (a patient calls the affiliate instead of the call center) or escalated calls from the call center.

  26. Tabletop Exercise
     Step 11
       • Grab helmet. Place over head. Hold on.

  27. Tabletop Exercise
     Step 12: Post mortem
       • What went right?
       • What went wrong?
       • Did the IRP work as intended?
       • Ways to improve?

  28. Scenario 2

  29. Tabletop Exercise
     Known facts: HospitalCo utilizes a cloud computing service provider ("CloudCo") to host several of its internal systems, including some patient data. While on vacation overseas, the hospital Administrator (non-IT) who manages the relationship with CloudCo receives an email on December 14, 2017, from CloudCo indicating that it has detected some unusual activity on its network, but that there is no cause for alarm. The Administrator sees the email among hundreds of others but does not immediately grasp the content and quickly forgets about it while exploring the streets of Rome. Upon his return, while going through his emails on December 23, 2017, the Administrator notices the email and carefully reads it. He quickly forwards the email to one of his friends in the IT department to get her opinion. Unfortunately, she too is out of the office for the holidays with little access to email. She doesn't see the email until December 27, 2017.

  30. Tabletop Exercise
     Known facts: CloudCo has sent an email to a hospital administrator indicating a potential incident involving CloudCo's network.
     Step 1: Initial awareness of a potential security incident
       • Is this a security incident or a security breach under law or under the hospital's incident response program?
       • What's the trigger for notification and escalation? Are mid-level employees aware of the process?
       • Who in the IT department receives the initial escalation notice? Is somebody on call during the holidays? What should he or she do with the email?
       • How will this incident be categorized? Do we have enough information?

  31. Tabletop Exercise
     The HospitalCo IT person calls her Administrator friend and informs him that large amounts of patient healthcare information are stored on the network in two databases. Database #1 contains patient healthcare information. She believes that DOB, healthcare ID number, treatment codes and zip code are present. However, she does not think the information is identifiable to any particular person because the database does not include name, Social Security number or street address. Database #2 contains patient health insurance information, including name, health insurance ID, address, and DOB. The IT person sends an email to the head of the Information Systems department and follows up with a phone message. The date is December 29, 2017.

  32. Tabletop Exercise
     On December 30, 2017, the Administrator receives an email from his CloudCo counterpart (a CloudCo account executive) indicating that CloudCo believes malicious persons accessed its network and achieved root-level access to at least some segments of the network. The email indicates that HospitalCo and several other CloudCo customers may have been impacted, but that CloudCo is unable to determine whether a particular customer's account was accessed. He also mentions that the login credentials for the remote access that was set up to provide the Hospital with support and to access the Hospital's systems were on HospitalCo's server, but he is not aware of any evidence indicating that anybody used the remote access recently. No further details are provided.

  33. Tabletop Exercise
     Known facts: The IS department has been made aware of a potential incident involving patient information.
     Step 2: Triage / determination as to a potential security incident
       • What are the next steps for the IS team? Remediation and containment?
       • Who are the key technical contact points at CloudCo?
       • What should the scope of the investigation be with respect to CloudCo? What information is needed at this point?
       • Does HospitalCo have the rights or abilities necessary to conduct an appropriate investigation?
       • Should the standing IRT be notified/activated?
       • Any timing concerns at this point?

  34. Tabletop Exercise
     Shortly after an internal meeting on December 30, 2017, the IS team decided to retain an outside forensic investigator to help with an investigation. By the end of that day, the IS team has entered into an SOW with ForensicCo for breach remediation services. The IS team notifies and activates the members of the standing IRT on January 2, 2018. Meanwhile, the IT person who previously received the email from the Administrator went out with a few of her HospitalCo coworkers on New Year's Eve and, after a few cocktails, told them in confidence that HospitalCo may have suffered a data breach impacting patient information. The IS team is not aware of HospitalCo's cyber/data breach response insurance, and a claim has not yet been made. The risk manager is not aware of the incident.

  35. Tabletop Exercise
     Known facts: IS has retained a forensic investigator to remediate on its own accord. The standing IRT has been activated.
     Step 3: Incident response team formation
       • Who is on the standing IRT? Do other key players need to join the team for this incident?
       • What should legal do about attorney-client privilege?
       • Should law enforcement be contacted?
       • What are the next steps in the investigation?

  36. Tabletop Exercise
     Known facts: IS has retained a forensic investigator to remediate on its own accord. The standing IRT has been activated.
     Step 3 (continued): Cyber/data breach response insurance notice and activation
       • Who is aware of the existence of cyber/data breach response insurance, and when should a claim be made?
       • Who should be contacted to activate the cyber/data breach response insurance? Broker, hotline, other?
       • What coverage is available to help respond to the breach?
       • Does HospitalCo need carrier approval before retaining third parties like ForensicCo?

  37. Tabletop Exercise
     On January 4, 2018, Legal and IS participate in a call with CloudCo. CloudCo is acting very cagey. They are getting requests from multiple customers and won't allow an independent forensic investigation because it would impact confidential data of other customers in the shared cloud environment. There is no way to get an image of the server on which HospitalCo's data is hosted. CloudCo indicates that hackers accessed its network and could have accessed a computer containing administrative passwords for all of its customers' hosted environments. This access could have happened as far back as July 2014. In addition, HospitalCo discovers that some fields in Database #2 were encrypted, including the fields for health insurance ID number and date of birth. In all, if Database #1 (patient healthcare info) was taken, approximately 300,000 patients may be at risk. If Database #2 was taken, approximately 400,000 more patients are at risk (with some overlap between the populations).

  38. Tabletop Exercise
     Known facts: Investigation has confirmed the presence of patient healthcare and health insurance information; CloudCo is refusing to allow an independent investigation or to provide an image of the server.
     Step 4: Full investigation mode
       • What are the investigative goals at this point? Who has set those goals and who is directing the investigation?
       • What are the next steps for IS/forensics? How is evidence to be collected and preserved? What evidence actually exists?
       • What should legal be doing with the new information and details concerning potentially affected individuals?
       • Has there been a legally defined "security breach"?

  39. Tabletop Exercise
     On January 5, 2018, ForensicCo discovers that the encryption keys for Database #2 are stored on the same system operated by CloudCo, but in a different file that is not obviously tied to Database #2. HospitalCo has no current evidence that Database #1 was accessed. However, HospitalCo only saved logs going back 60 days and does not have significant visibility from a log perspective prior to that date. In addition, based on the evidence seen by ForensicCo, they believe that evidence of access to Database #1 exists. However, they have no evidence of any unauthorized acquisition of any of the data contained in Database #1. CloudCo has lawyered up and information is coming very slowly. CloudCo will not allow an independent investigation. They have promised a summary of their investigation, but have not indicated when it will be done.

  40. Tabletop Exercise
     Known facts: Forensic investigation shows evidence of access to Database #1, but no affirmative evidence of unauthorized acquisition of any data, or that Database #2 was accessed.
     Step 5: Forensic findings and considerations
       • What was the vulnerability that allowed the breach to occur, and has it been remediated?
       • What data was actually acquired? And does it matter?
       • How does the lack of logs beyond 60 days impact the investigation?
       • What does HospitalCo need to do to limit the scope of this incident?

  41. Tabletop Exercise
     Known facts: Forensic investigation shows evidence of access to Database #1, but no affirmative evidence of unauthorized acquisition of any data, or that Database #2 was accessed.
     Step 6: Legal considerations
       • What gray areas exist, and can reasonable positions be developed concerning the scope of the incident based on the forensic findings?
       • Is the encryption safe harbor available?
       • Does the incident trigger breach notification laws? What deadlines exist for providing notice to affected individuals? Does HospitalCo need to comply with both federal and state breach notification laws?
       • What legal risks exist with respect to the patients?
       • What vendors and resources exist to achieve compliance with notice laws?
       • What should be done to ready the organization for potential litigation and regulatory actions?

  42. Tabletop Exercise
     Meanwhile, rumors are swirling within the hospital and patient community concerning a potential data breach. One disgruntled patient has taken it upon himself to start a new Facebook group page called "HospitalCo Breach Disaster". The group currently has 50 members (all HospitalCo patients) and there are instructions to spread the word about a healthcare information data breach. Many members have tweeted out the URL under #hospitalcodatadisaster. There is no mention anywhere of the health insurance information contained in Database #2. Within 24 hours, 1,000 members have joined the FB group and the hashtag is being tweeted and retweeted. On January 9, 2018, the CEO of HospitalCo gets a phone call from Brian Krebs, operator of a well-known security blog. Brian has indicated that while surfing the dark web, he came across SSNs and health insurance information tied to HospitalCo. He is going out with the story in 48 hours and wants to give HospitalCo an opportunity to respond.

  43. Tabletop Exercise
     Known facts: A social media frenzy may be in its beginning phases. Brian Krebs has called about breaking a story concerning HospitalCo's incident; forensics are currently inconclusive, and the number of affected individuals for the incident ranges from 300,000 to 700,000.
     Step 7: Public relations and business considerations
       • Has PR/media been made aware of the situation and kept in the loop? Has any advance PR/messaging work been done?
       • Should the organization attempt to pre-empt Krebs?
       • What is the social media strategy?
       • Considering that the factual situation is in flux, what should any public communication say? Can PR freeze the situation to allow for more time?
       • Who should receive messages, and how? Customers? The press? Regulators?
       • Are resources in place to allow for a mass communication, and for the expected follow-up from such a communication (i.e., a call center)?
       • Will any accommodations be offered, such as free credit monitoring?

  44. Tabletop Exercise
     On January 10, 2018, HospitalCo decided to scoop Krebs with an appropriate public communication that acknowledges the existence of an incident and buys more time for investigation without committing to a known number of affected customers. On January 14, 2018, the outside forensic team says that, based on the evidence it has, it does not appear that the file containing the encryption keys was accessed, but it cannot be fully ruled out given the level of access the attackers would have had. It is possible that the attackers could have time-stomped (or otherwise modified) various log files related to Database #1, and there is some evidence suggesting that was done. On January 17, 2018, the outside forensic team indicates that it has ruled out any unauthorized access to HospitalCo's broader systems through CloudCo's remote access support point.

  45. Tabletop Exercise
     Known facts: HospitalCo has provided a holding statement concerning a potential data incident; a potential position exists to say that the encryption key for Database #2 was not compromised, but that possibility cannot be fully eliminated; a lack of broader access to HospitalCo's systems has been confirmed.
     Step 8: Notification decisions and compliance phase
       • Is formal notice required for Database #1 data even though no forensic evidence exists showing unauthorized acquisition of healthcare data? Since Database #1 has de-identified healthcare information, is notice necessary?
       • Does HospitalCo have a reasonable legal position, based on the evidence, to say that Database #2's encryption keys were not compromised, and therefore that notice is not necessary?
       • What is the proper form of notice? Does HospitalCo have mailing addresses for all affected individuals? Who will create the mailing database?
       • Is a credit monitoring or ID protection service offer appropriate?
       • What are the press considerations? What is the strategy?
       • Are third parties necessary to assist with the notice? Mailing services and/or call center services? How much lead time is necessary to get the notice set up?

  46. Tabletop Exercise
     On February 1, 2018, HospitalCo sends out written notice to the 300,000 patients whose data was contained in Database #1. HospitalCo also provides notice to various regulators, including the Department of Health & Human Services. HospitalCo has decided not to provide notice concerning Database #2. The notice has caused a significant outcry amongst HospitalCo's patients on social media, and a frenzy has ensued, including some employees openly encouraging class action litigation. It was also picked up by the press in HospitalCo's city, and it is threatening to go national.

  47. Tabletop Exercise
     During the week of February 21, HospitalCo gets a letter from the Indiana AG asking for a timeline of HospitalCo's discovery and investigation of the incident, including a strange question enquiring as to other databases that may have been affected. That same week, HospitalCo's outside counsel (who sent the regulator letters) received calls from the Florida and Massachusetts AGs asking similar questions. HHS has also sent a letter to HospitalCo asking the HospitalCo health plan a series of detailed questions concerning the health plan's compliance with the HIPAA Security Rule.

  48. Tabletop Exercise
     Known facts: Notice to 300,000 individuals has gone out. Regulators have made certain inquiries, including concerning "other databases".
     Step 9: Post-notice regulatory response and litigation readiness
       • What is the press strategy at this point? Are more communications to the public warranted?
       • Is a litigation hold necessary, and has appropriate evidence been located and preserved?
       • What should the regulatory response be? How should HospitalCo address questions about "other databases"? Will a second round of notice be necessary?
       • Is the HospitalCo health plan compliant with the HIPAA Security Rule? How will HospitalCo establish its compliance?
       • Is litigation looming? What are the chances of success?

  49. Tabletop Exercise
     Overall
       • Timing is difficult to manage, and early detection is key to shortening the timeline.
       • Gray areas, factual and legal, will exist, and reasonable positions may be taken based on them. If the company gets it wrong, however, the harm could be much worse.
     Information Security
       • Understand when to get legal involved, especially when retaining third parties.
       • Information is often lacking, and judgment calls, supported by evidence and expertise, are necessary.
     Legal
       • Contracts with vendors are important for ensuring a smoother response.
       • Gray-area legal judgment calls are typical.
     Communications
       • There are many media channels to consider, including social media.
       • The press can put enormous timing pressure on the organization and force it to come out too early, without adequate information.

  50. Scenario 3
