There have been several instances reported recently in which a terminated employee has violated HIPAA by accessing patient information after they have been fired. This can cause major implications for healthcare organizations, especially if the disgruntled employee exfiltrates patient data to sell on the dark web. To protect your organization from employee data theft, tips to prevent a terminated employee from violating HIPAA are discussed.
-
Create and follow an employee offboarding process
-
Create and adhere to an IT asset management program
-
Track data access
-
Block data access points
-
Use unique login credentials for each employee
-
Conduct exit interviews with employees
-
Notify IT departments
Create and follow an employee offboarding process
To ensure that all data access is revoked in a timely manner, it is important to have a thorough offboarding process. This can be done by implementing a checklist that includes all systems and devices that have access to sensitive information. The checklist should also include who is responsible for revoking terminated employee data access.
Create and adhere to an IT asset management program
Keeping a device asset list, including which employees have access to what device and where the device is located, ensures that all devices are returned in the event that an employee leaves the company. This is particularly important in today’s remote work environment as most employees have multiple company devices at their home offices. Your device asset list should include ID cards, portable storage devices, laptops, computers, software licenses, accounts, and keys.
Additionally, with the use of cloud software, employees are able to access company data from any device as long as they have login credentials. To reduce the risk of human error, and ensure all access to cloud software is revoked, your organization should implement single sign-on tools. This way, when an employee’s login credentials are revoked, you only have to do so once, instead of manually revoking access from each individual software service.
Track data access
Tracking access to healthcare data is not only a requirement of HIPAA, it also enables you to quickly detect both insider and outsider breaches. A recent study determined that the most critical time to pay attention to is within the last 90 days of an employee’s employment, determining that 70% of employee data theft occurs within this time period. Areas in which it is most critical to monitor include USB file transfers, access logs for servers, printer logs, email attachments, web browsing activity, and bandwidth usage.
Block data access points
To prevent a terminated employee from violating HIPAA in their last days of employment, it is critical to block access to cloud data. There may be instances in which the employee requires access, however, their activity should be closely monitored.
Use unique login credentials for each employee
Using unique login credentials for access to sensitive data is also required by HIPAA. Additionally, disabling login credentials for terminated employees, or employees who have resigned, is made easier through the use of unique login credentials. Without the use of unique login credentials, if an employee steals sensitive information, it would be difficult to detect which employee did so.
Conduct exit interviews with employees
By conducting exit interviews, disgruntled employees can be identified. This gives you the opportunity to bolster security by taking a closer look at these employees’ data access patterns.
Notify IT departments
One of the most important, and most effective ways, to prevent terminated employee data theft is by notifying IT staff of the employee’s impending departure. This ensures that they have adequate time to terminate the employee’s data access before the employee leaves your organization.