Lessons Learned from a Cross-Organizational Data Loss Security Incident - PowerPoint PPT Presentation



SLIDE 1

Lessons Learned from a Cross-Organizational Data Loss Security Incident

Tom Siu Chief Information Security Officer

SLIDE 2

Welcome to a Compliance Brown Bag Lunch Event

  • Information about these events:
    • Informal (bring your lunch!) training or informative sessions that cover a variety of compliance-related topics.
    • Open to all University community members, but each event typically has a target audience.
    • If you like what you hear, don't be afraid to ask for a repeat presentation in your own department.
    • E-mail notifications of future events are available; please contact boyd.kumher@case.edu to be added to the distribution list.

SLIDE 3

Welcome to a Compliance Brown Bag Lunch Event

  • Purpose
    • Outline, document, assess, and support the University's compliance efforts.
    • Encourage compliance by providing support, training, and educational resources.
  • More Information
    • Brochures available at the door.
    • www.case.edu/compliance
    • Contact Boyd Kumher, the University Compliance Officer, at 216-368-0833.

About the Compliance Program Event

SLIDE 4

Lessons Learned from a Cross-Organizational Data Loss Security Incident

Lessons Learned: Thomas Siu, CWRU, Oct 23, 2012

SLIDE 5

Overview

  • Novel incident
  • Changed CWRU response process
  • Case study
  • Policy and procedure implications
  • Lessons learned

SLIDE 6

Background

  • Researcher collects digital audio recordings in a research protocol
  • Subjects given study numbers
  • Field data collection from a non-campus location
  • SOP is to return equipment to CWRU after field data collection
  • Study includes subjects from UH, CCF, Metro

SLIDE 7

Incident Summary

  • Computer and equipment theft
  • Researcher notifies PI
  • PI notifies IRB
  • IRB notifies HIPAA Security at Metro Health
  • Metro notifies CWRU Research Admin
  • CWRU Information Security notified
  • Incident investigation begins
  • Coordinated risk evaluation between organizations

SLIDE 8

Facts

  • Data gathering procedure
  • CWRU initially determined negligible risk of disclosure from the computers
  • Paper records also lost
  • Laptop not using encryption
  • Equipment not in our possession

SLIDE 9

Investigation

  • Forensic analysis of a representative laptop
  • Evaluated the (remaining) SD cards used
  • Possibility that some audio files could be exposed to the thief

SLIDE 10
SLIDE 11

Complications

  • Probability of sensitive data on the lost SD card
  • Decision to review ALL data
  • Time crunch to meet the mandated reporting time window
  • Different organizations have differing opinions on "breach" status
  • CWRU is not a Covered Entity, so not subject to HIPAA/HITECH

SLIDE 12

Lessons Learned

  • Relationships: Engage in conversations with UH, Metro, CCF before incidents
  • CWRU has a higher risk tolerance threshold
  • HITECH audits spawn fear of HHS audits and fines
  • Researchers need to inform CWRU Research Admin when a theft of data or devices occurs
  • Collaboration: Counsel, Compliance, Information Security, Research Admin