3 Steps to Stop Unauthorized PHI Access by Terminated Team Members


In February 2017, the Transformations Autism Treatment Center (TACT) learned that one of its former behavioral analysts had breached its security. According to his indictment, Jeffrey Luke illegally accessed a TACT Google Drive account and stole protected health information from more than 300 past and present patients.

The TACT breach is of particular concern because Luke had already been terminated. Following protocol, TACT changed the passwords for all of its accounts after Luke's termination. However, a month later, TACT employees found that files from the company's Google Drive account had been moved. The Department of Justice traced the IP address used to modify the account and recovered patient records, templates, forms and records from one of Luke's former employers on his computer.

This incident is also of concern because it is one of many examples of healthcare organizations leaving themselves, and their data, exposed after a termination. When an employee or other team member leaves a position, it is critical that covered entities and their business associates completely terminate the former team member's access to the organization's network.

These three steps can help organizations ensure that they have covered all their bases:

1. Create user-based roles or role-based access control.

Access control is the cornerstone of healthcare IT security, and role-based access control is the most effective way to implement it. This is especially true for web applications that are accessible from outside the corporate network. You can define each employee's role and appropriate access level, or create role groups for specific services. This makes it possible to immediately revoke and/or reassign access when an employee departs. Avoid shared accounts as much as possible, but if you must use them, change all of their credentials after an employee leaves the company.

Most healthcare applications come with role-based security features, but they are effective only if they are well documented. Although integrations can link your systems to streamline access, there is no automatic database that governs this access across all platforms. Strong documentation will help you keep track of which access employees have, how much they are able to control, and when it is time to upgrade, downgrade, or revoke that access.

2. Be honest and transparent in monitoring employee access.

Securing health data has become a bigger challenge thanks to web integration, off-site data access, and the growing use of personal devices by team members. This means clearly defining each employee's role and the level of access that role warrants. Then you need to be honest and transparent about how your organization will monitor and enforce role-based access to its systems.

When employees use personal devices, the need to protect their personal information is just as important. Therefore, clearly define the degree to which the IT department will monitor the device, how the company will protect employees' personal information, and what constitutes appropriate use of the device in question. For example, employees may not be permitted to use their personal devices to access data at any time they choose, and the consequences must be clear. You should also be able to remotely erase data files from an employee's device. Google's G Suite is one of the work environments that offers this feature.

3. Keep a tight inventory of business and personal devices.

Whether employees use personal devices or stick strictly to company-assigned laptops and smart devices, it is important to track them all. As part of your organization's complete offboarding process, this will make it easier to collect all company-owned devices and remove access and files from all personal devices. Be sure to reformat all the hardware you collect so that it does not remain a point of vulnerability.

As TACT learned last year, the fact that former employees and team members no longer physically control a device or do not know a new password does not mean that they cannot access the network. Before considering your network secure again, check every device in the inventory assigned to the terminated employee and update every role assigned to that employee in the system. Even if you plan to dispose of the old device, make sure it is thoroughly wiped first.
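As an added example (not code from this article or from Paubox), the following Python model ties steps 1 and 3 together: role-based permissions, a record of who knows each shared account's password, a device inventory, and an offboarding routine that revokes roles, lists the shared accounts whose passwords must be rotated, and queues company devices for collection and personal devices for remote wipe. All role names, users and device identifiers are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role catalogue for this example; real role names will differ.
ROLE_PERMISSIONS = {
    "behavioral_analyst": {"read_patient_records", "edit_treatment_plans"},
    "billing": {"read_billing", "read_patient_demographics"},
    "it_admin": {"manage_users", "wipe_devices"},
}

@dataclass
class Device:
    device_id: str
    owner: str
    company_owned: bool
    wipe_ordered: bool = False  # set once a reformat or remote wipe is queued

@dataclass
class AccessDirectory:
    user_roles: dict = field(default_factory=dict)       # user -> set of role names
    shared_accounts: dict = field(default_factory=dict)  # account -> users who know its password
    devices: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def grant(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)
        self.audit_log.append(f"GRANT {user} {role}")

    def permissions(self, user):
        # Effective permissions are the union of the user's roles; no roles means no access.
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, ())))

    def offboard(self, user):
        """Steps 1 and 3 together: revoke roles, flag shared credentials, queue devices."""
        revoked = self.user_roles.pop(user, set())
        rotate = sorted(a for a, users in self.shared_accounts.items() if user in users)
        for account in rotate:
            self.shared_accounts[account].discard(user)  # the password itself must still be changed
        collect, wipe = [], []
        for d in self.devices:
            if d.owner == user:
                d.wipe_ordered = True
                (collect if d.company_owned else wipe).append(d.device_id)
        self.audit_log.append(f"OFFBOARD {user} roles={sorted(revoked)} rotate={rotate}")
        return {"revoked_roles": sorted(revoked), "rotate_shared_accounts": rotate,
                "collect_company_devices": collect, "wipe_personal_devices": wipe}
```

The returned report is the checklist the article describes: nothing in it is complete until the listed shared-account passwords have actually been changed and the listed devices have been collected or wiped.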

Many data breaches can be prevented through proper access control and a comprehensive offboarding policy for departing employees. The TACT breach is notable for this reason, but it is not the only example. A former employee of John Muir Health was also charged with stealing information on more than 5,000 Muir patients and passing it on to her new employer.

The line between prudence and authoritarianism is a fine one. When it comes to protected health information, it is essential that organizations walk this line as closely as possible without crossing it. Technology will help control access to your organization based on team members' roles. Transparency will keep everyone on the same page with respect to accountability. And maintaining a tight inventory of authorized devices will make terminating access easier and more effective.

Hoala Greevy

Founder and CEO of Paubox

Hoala Greevy is the founder and CEO of Paubox, the leading HIPAA-compliant email provider. Paubox end-to-end email encryption works on any device without the need for additional applications, plug-ins or logins.