In its monthly cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights (OCR) has reminded those who handle PHI and PII of the dangers that terminated employees can pose to system security. Its advice is as timely as it is excellent, and includes the following:
“Making sure that user accounts are terminated so that former workforce members don’t have access to data is one important way Identity and Access Management can help reduce risks posed by insider threats.
IAM can include many processes, but most commonly would include the processes by which appropriate access to data is granted, and eventually terminated, by creating and managing user accounts.”
Kate Borten, President of The Marblehead Group, agrees, citing Verizon’s 2017 Data Breach Investigations Report, which was released earlier this year and named health care as the industry with the highest number of insider breaches.
OCR has published an extensive list of recommendations, which include:
• The creation and maintenance of user access logs used to determine when a user’s access levels are increased or new equipment is assigned. These logs can also be used to track and trace precisely who is accessing what data, when, and from what locations, creating an audit trail.
• Establishing processes designed to terminate an employee’s access as soon as employment ends. These processes should also refer back to the aforementioned access logs to ensure that all equipment has been returned.
• Changing all administrative passwords on termination of an employee with access to those accounts, so that they will be unable to access them post-employment.
• The creation of alerts that call attention to accounts that have not been utilized in some predefined number of days in order to identify accounts that may be ripe for purging from the system.
• Developing a robust auditing procedure designed to ensure that all IAM-related policies are being followed and that the system is working as intended.
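As an added illustration (not from the OCR newsletter or this article), the following Python snippet runs the two log-driven checks from the list above over constructed access-log lines and a constructed HR roster: activity recorded after an account holder’s termination date, and accounts idle beyond a hypothetical 90-day threshold (never-used accounts included). Users, dates and the threshold are all made up.

```python
from datetime import date, datetime, timedelta

# Constructed sample access log, one event per line: "<ISO date>,<user>,<resource>,<action>"
ACCESS_LOG = """\
2017-09-01,jdoe,patient-db,read
2017-09-20,jdoe,patient-db,read
2017-09-15,asmith,billing,read
2017-09-28,asmith,billing,export
2017-05-02,mlee,imaging,read
2017-09-25,bkhan,patient-db,read
"""
# Constructed HR roster of provisioned accounts: user -> termination date (None = still employed).
# cwong has an account but no activity at all in the log.
ROSTER = {"jdoe": date(2017, 9, 10), "asmith": None, "mlee": None, "bkhan": None, "cwong": None}
# Constructed review date and hypothetical dormancy policy (90 idle days).
AS_OF = date(2017, 10, 1)
MAX_IDLE_DAYS = 90

def parse_log(text):
    """Parse the CSV-style log into (date, user, resource, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, resource, action = line.split(",")
        events.append((datetime.strptime(when, "%Y-%m-%d").date(), user, resource, action))
    return events

def access_after_termination(events, roster):
    """Flag events dated after the user's termination: that account should have been disabled."""
    return [(user, when.isoformat(), resource, action)
            for when, user, resource, action in events
            if roster.get(user) is not None and when > roster[user]]

def dormant_accounts(events, roster, as_of, max_idle_days):
    """List provisioned accounts with no activity within max_idle_days of as_of."""
    last_seen = {}
    for when, user, _, _ in events:
        last_seen[user] = max(when, last_seen.get(user, when))
    cutoff = as_of - timedelta(days=max_idle_days)
    # Accounts absent from the log fall back to date.min and are therefore reported too.
    return sorted(user for user in roster if last_seen.get(user, date.min) < cutoff)

def review(as_of=AS_OF, max_idle_days=MAX_IDLE_DAYS):
    """Run both checks over the embedded sample data and return the findings."""
    events = parse_log(ACCESS_LOG)
    return {"post_termination": access_after_termination(events, ROSTER),
            "dormant": dormant_accounts(events, ROSTER, as_of, max_idle_days)}
```

In practice the roster would come from the HR system of record and the events from the access logs the first recommendation describes; the same two queries then form the basis of the alerts and the periodic audit the later recommendations call for.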
It’s an excellent piece, and if your firm is in any way involved with the handling of protected health information, you owe it to yourself to head to OCR’s website and read it in its entirety.