The Office for Civil Rights (OCR) is urging healthcare organizations to create effective identity and access management (IAM) policies to prevent data breaches by former employees.
An IAM policy can help prevent healthcare security threats by making sure that users only have access to appropriate data, and terminating that access when they leave the company.
To combat insider threats, OCR emphasized the need for healthcare organizations to terminate user accounts after an employee leaves to prevent unauthorized access to protected health information (PHI). Any laptops or smartphones should be returned, and PHI should be wiped from any personal devices. OCR also recommended procedures to terminate a former employee’s physical access to PHI, such as changing security codes or combination locks and removing users from access lists.
OCR also recommends using logs to document when access is granted to a user or when privileges are elevated. This documentation can be used when it is time to terminate a former employee’s access after they leave the company. The IT department or a designated security employee should be alerted when an employee quits or is fired so that the person’s access can be terminated. Audit procedures should also be put in place to confirm that IAM policies are being implemented.
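The log-driven deprovisioning and audit step described above, as an added example (not code from OCR or the article): it replays a constructed grant/elevate/revoke log alongside HR termination events and reports any account that still holds access after its owner left. The CSV line format, event names and resource names are assumptions made for the example.

```python
"""Offboarding audit built from an access log: every grant and privilege
elevation is logged, the log drives revocation on departure, and the audit
confirms that revocation actually happened."""
from collections import defaultdict

# Constructed sample events (not from the article). One line per change,
# "date,event,user,resource"; events are grant, elevate, revoke, and the
# HR-fed terminate event, which carries no resource.
ACCESS_LOG = """\
2017-11-01,grant,jdoe,ehr-clinical
2017-11-02,grant,jdoe,vpn
2017-11-05,elevate,jdoe,ehr-clinical
2017-11-06,grant,asmith,ehr-billing
2017-11-10,terminate,jdoe,
2017-11-10,revoke,jdoe,vpn
2017-11-12,terminate,asmith,
2017-11-12,revoke,asmith,ehr-billing
"""

def parse_log(text):
    """Yield (date, event, user, resource) tuples from the CSV-style log."""
    for line in text.strip().splitlines():
        date, event, user, resource = line.split(",")
        yield date, event, user, resource or None

def current_access(events):
    """Replay grants, elevations and revokes to get each user's live access.
    An elevation is tracked as a separate entry so it is visibly revoked too."""
    access = defaultdict(set)
    for _, event, user, resource in events:
        if event == "grant":
            access[user].add(resource)
        elif event == "elevate":
            access[user].add(resource + " (elevated)")
        elif event == "revoke":
            access[user].discard(resource)
            access[user].discard(resource + " (elevated)")
    return access

def orphaned_access(text):
    """Audit: resources still held by users after their termination event.
    Returns {user: sorted resources} for every account that was missed."""
    events = list(parse_log(text))
    terminated = {u for _, e, u, _ in events if e == "terminate"}
    live = current_access(events)
    return {u: sorted(live[u]) for u in terminated if live[u]}

if __name__ == "__main__":
    for user, resources in orphaned_access(ACCESS_LOG).items():
        print(f"{user}: access not terminated for {resources}")
```

In the sample, jdoe's VPN access was revoked but the EHR grant and its elevation were missed, which is exactly the gap the audit is meant to surface.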
In 2016, insider healthcare security threats accounted for 71% of attacks, and inadvertent actors caused nearly half of those. While that trend appears to be reversing slightly in 2017, healthcare security threats from internal sources accounted for 32.1% of data breaches in November, according to Protenus. Hacking comprised 28.6% of breaches, and stolen or lost records accounted for 25.0% of data breaches.
Altogether, there were 28 data breach incidents in November, down slightly from a consistent trend of at least one breach a day since the beginning of the year. Nine of those incidents were due to insider healthcare security threats; seven involved insider error and two involved insider wrongdoing. Eight of the incidents were due to hacking — although data was only available for five — and four were due to loss or theft.