Introduction

Whenever there is an incident that has potentially compromised the security or privacy of CMS information or information systems, it is investigated by the Incident Management Team (IMT). They assess whether any categories of sensitive data may be compromised. If so, the incident is considered a suspected breach. 

At this point (in collaboration with the Business Owner and the Information System Security Officer), the IMT may decide that a Breach Analysis Team should be convened, and notifies ISPG. This handbook is a guide for members of the Breach Analysis Team (BAT) to follow as they work to assess and mitigate the risks caused by a suspected breach.

Who is on the BAT?

The BAT consists of breach response stakeholders in leadership positions and security and privacy subject matter experts for the affected system. This may include:

• Representatives from the Incident Management Team (IMT) within the CMS Cybersecurity Integration Center (CCIC)
• Representatives from ISPG (which may include the DCTSO Incident Commander and Senior Official for Privacy)
• Business and/or System Owner of the affected system
• Other people as needed:
  • Information System Security Officer (ISSO)
  • System Maintainer
  • Contracting Officer Representative (COR) – if the affected system is a contractor system
  • CPI point of contact

BAT responsibilities and steps

Once convened, the Breach Analysis Team is responsible for the following:

Conduct risk assessment

The BAT conducts a risk assessment (using the Risk Assessment for Breach Notification worksheet) to determine the risk of harm to the affected individuals whose PII/PHI has been compromised. The assessment also helps determine who should be notified of the breach, and to what extent (if any).

When conducting the Risk Assessment, consider the following elements:

How sensitive is the PII?

Determine the nature and sensitivity of the PII potentially compromised by the breach, including the potential harms that an individual could experience from the compromise of that type of PII. These are the minimum data points that must be considered at this step:

• Data Elements – analysis of the sensitivity of each individual data element as well as the sensitivity of all the data elements together
• Context – purpose for which the PII was collected, maintained, and used
• Private Information – extent to which the PII, in a given context, may reveal particularly private information about an individual
• Vulnerable Populations – extent to which the PII identifies or disproportionately impacts a particularly vulnerable population
• Permanence – the continued relevance and utility of the PII over time and whether it is easily replaced or substituted

How likely is the PII to be accessed and used?

Determine the likelihood of access and use of the compromised PII, including whether it was properly encrypted or rendered partially or completely inaccessible by other means. These are the minimum data points that must be considered at this step:

• Security Safeguards – whether the PII was properly encrypted or rendered partially or completely inaccessible by other means
• Format and Media – whether the format of the PII may make it difficult and resource-intensive to use
• Duration of Exposure – how long the PII was exposed
• Evidence of Misuse – any evidence confirming that the PII is being misused or that it was never accessed

What kind of breach and who is involved?

Determine and document the type of breach, including the circumstances of the breach, as well as the actors involved and their intent. These are the minimum data points that must be considered at this step:

• Intent – whether the PII was compromised intentionally or unintentionally (or if the intent is unknown)
• Recipient – whether the PII was disclosed to a known or unknown recipient, and the trustworthiness of a known recipient

What is CMS’ ability to mitigate risk?

Within an information system, the risk of harm will depend on how CMS is able to mitigate further compromise of the system(s) affected by a breach.

Consider how best to mitigate the identified risks and whether to notify individuals potentially affected by breach (including whether to offer credit monitoring services).

Document risk assessment results

Document the results of the above risk assessment on the Risk Assessment for Breach Notification worksheet, and submit the completed form to the CMS Senior Official for Privacy: privacy@cms.hhs.gov 

If the above risk assessment indicates that there is a low probability that the PII has been compromised, inform the Incident Management Team of the risk assessment so they can coordinate with the CMS Computer Security Incident Response Team (CSIRT) to update and close the applicable ticket.

Low risk determination

If the above risk assessment indicates that there is a low probability that the PII has been compromised, inform the Incident Management Team of the risk assessment so they can coordinate with the CMS Computer Security Incident Response Team (CSIRT) to update and close the applicable ticket.

Medium or high risk determination

If the above risk assessment indicates that there is a medium or high probability that the PII has been compromised, coordinate with the HHS Privacy Incident Response Team (PIRT) to perform the following:

Notification measures for PII

The CMS Senior Official for Privacy and Business Owner coordinate to notify, without unreasonable delay, the individuals affected.

Notification measures for PHI

This step does not apply unless PHI (as defined by HIPAA) is involved. If the data is only PII (as defined by the Privacy Act), then proceed to the next step: Recommendations to HHS PIRT.

If the PHI breach involves 500 or more individuals:

• The Director of the Division of Security, Privacy Policy, and Oversight (DSPPO) and the Business Owner coordinate to notify HHS Office for Civil Rights (OCR) of the breach via the OCR website using the form: “Submit a notice for a breach affecting 500 or more individuals”. This provides the Secretary with notice of the breach without unreasonable delay – and never later than 60 days from discovery of the breach.

If the PHI breach involves fewer than 500 individuals:

• The Director of the Division of Security, Privacy Policy, and Oversight (DSPPO) and the Business Owner coordinate to notify HHS Office for Civil Rights (OCR) within the deadline via the OCR website using the form “Submit a notice for a breach affecting fewer than 500 individuals”.

If the PHI breach involves more than 500 residents of a State or Jurisdiction:

• The CMS Senior Official for Privacy and Business Owner coordinate to notify prominent media outlets serving the applicable State or Jurisdiction of the breach.

Recommendations to HHS PIRT 

The last step is to make a recommendation about breach notification to the HHS Privacy Incident Response Team (PIRT). Do this by creating a draft plan for notification and mitigation using the HHS PIRT Response Plan Template. Submit this draft to HHS PIRT so they can review it.

The PIRT may overrule the BAT on whether notification and mitigation are necessary or they may request changes to the plan. If the PIRT approves, the Business Owner of the affected system (and the COR if the affected system is a contractor system) are responsible for executing the approved plan.

Closing breach response activities

Verify all of the above steps have been completed fully (as necessary, depending on the type of breach, type of sensitive information, level of risk, and so on.) Then, coordinate with the Incident Management Team to update and close the applicable ticket.

For more details on breach notification responsibilities and procedures, see the CMS Breach Response Handbook.