- Isolate the device
Make sure the system is disconnected from the network. This is to protect UAB from any additional impact from the incident.
Determine the affected data.
Confirm whether or not sensitive data was housed on the compromised device. This includes employee, student, patient, or research data. Determine if any sensitive data was inappropriately accessed. If so, immediately escalate to both your local management and the UAB Data Security (https://silo.dso.uab.edu/incident or call 205-975-0842).
If sensitive data is at risk, do not perform additional activity until you have spoken with Data Security.
- Perform Root Cause Analysis
Establish the reason that the system was exploited. Ask yourself these questions:
- Did an end user install something harmful?
- Was it caused by a weak password?
- Was the system missing a patch?
- Remediate the issue
The best way to restore a compromised machine is frofm a trusted backup or to do a clean installation. Even what used to be routine virus infections have become so advanced that we cannot trust a system once it's been infected.
Perform password changes for end users and any administrators that may have used the system as well. This includes BlazerIDs and other accounts such as websites that were accessed from the compromised machines. Local Administrator passwords should also be changed.
- Reconnect to the network
Once the system has been properly remediated, UAB Data Security, in conjunction with the HIPAA Security Office, will reconnect the machine to the network. This process can take up to 24 hours after the initial request.
If you receive a notice saying the machine was compromised, the best way to get reconnected is to reply to that email.
Data Custodians must:
- Designate appropriate individuals with system administration responsibilities, ensuring that their role in securing the system is defined in their job description, and that they are trained in administration and security of the system.
- Ensure adherence to UAB guidelines and procedures for protecting data as found in IT Security Practices.
- Ensure compliance with all stipulations of this and other UAB policies and other legal and regulatory requirements including those related to dissemination of data (UAB's Information Disclosure and Confidentiality Policy) and disposal of computer equipment and systems (UAB's Equipment Accounting standards, and "Guidelines for secure disposal of media containing sensitive information").
- Ensure that risk assessments are performed (including disaster recovery plans, backup and contingency plans) as required by HIPAA for all PHI. Risk assessment is recommended for all other sensitive or mission critical data.
- Ensure that documentation of data resources created, used, or stored within their area of control is maintained.
- Ensure that systems containing sensitive information are physically secured from unauthorized access.
- Ensure that the department/unit follows procedures to mitigate all identified compromises or identified data security threats.
- Ensure that actual or suspected data security breaches, especially when involving sensitive data, are reported to the Data Security Office immediately and that any recommended corrective action is implemented.
- Ensure that non-UAB entities or contracted third party vendors handle data in accordance with UAB policies and procedures.