In February 2017, the Transformations Autism Treatment Center learned that one of its former behavioral analysts had breached its security. According to his indictment, Jeffrey Luke illegally accessed a TACT Google Drive account and stole protected health information from more than 300 current and former patients.
TACT’s cyber breach is especially concerning because Luke had already been terminated. Per protocol, TACT changed the passwords to all of its accounts following Luke’s termination. However, a month later, employees at TACT noticed that files within the organization’s Google Drive account had been moved. The Department of Justice traced the IP address that had been used to compromise the account back to Luke and was able to find patient records, templates and forms, and records from one of Luke’s other former employers on his computer.
This incident is also concerning because it’s just one of many examples of healthcare organizations leaving themselves and their data vulnerable after a termination. When an employee or other team member leaves, it is extremely important for covered entities and associates to completely terminate the former team member’s access to the organization’s network.
These three steps can help organizations ensure they’ve covered all their bases:
1. Create user-based roles or role-based access control.
Controlling access is the backbone of healthcare IT security, and making that access role-based is the most effective way to control it. That’s especially true for internet-based applications that can be accessed outside of the organization’s network. You can mandate each employee’s role and appropriate level of access, or you can create role groups for specific departments. This will make it easier to immediately remove and/or reassign access once an employee is terminated. Try to avoid using shared accounts whenever possible, but if you must, update all the logins after an employee leaves the company.
Most healthcare applications come equipped with role-based security measures, though they’re only effective with proper documentation. While integration can tie your systems together to streamline access, there is no automatic database to control that access across platforms. Strong documentation will help you keep track of when employees are given access; how much they are able to control; and when it’s time to upgrade, downgrade, or revoke that access.
2. Be honest and transparent about monitoring employees’ access.
Tightly securing healthcare data has become a greater challenge thanks to internet integration, off-site data access, and the increasing use of personal devices among team members. This means clearly defining each employee’s role and the level of access that role warrants, and then being honest and transparent about how your organization will monitor and enforce role-based access to its systems.
When employees use personal devices, the need to protect their personal information is equally important. Therefore, have a clear policy regarding how much the IT department will monitor the device, how the organization will protect employees’ personal information, and what constitutes appropriate use of the device in question. For example, employees can’t use their personal devices to access data off the clock, and the consequences of doing so must be clear. You should also be able to wipe data files off an employee’s device remotely. Google’s G Suite is one work environment that offers this functionality.
3. Keep a tight inventory on company and personal devices.
Whether employees use personal devices or stick strictly to company-assigned laptops and smart devices, it’s important to keep track of them all. As part of your organization’s comprehensive off-boarding process, this will make it easier to collect all company-owned devices and wipe access and files from any personal ones. Be sure to reformat all equipment you retrieve to ensure it isn’t still vulnerable to a breach.
As TACT learned last year, the fact that former employees and team members no longer physically control a device or know a new password doesn’t mean they can’t access the network. Before deeming your network safe again, check off every device on the inventory that’s assigned to the terminated employee and update any roles the employee was assigned within the system. Even if you plan on disposing of the old device, ensure that it’s thoroughly wiped first.
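The three steps above amount to one off-boarding checklist driven by the access documentation from step 1. The following is an added illustration (not code from the article or from any of the organizations named) of how that documentation can generate the checklist and flag what is still outstanding; the employee record, system names, and device identifiers are constructed.

```python
from dataclasses import dataclass

@dataclass
class AccessRecord:
    roles: dict            # per system: set of role names, e.g. {"drive": {"clinic-staff"}}
    shared_accounts: set   # shared logins the person knew; rotate them, removing the user is not enough
    company_devices: set   # collect and reformat
    personal_devices: set  # remote-wipe company data only

# Constructed inventory for a fictional employee; not TACT's or any real record.
INVENTORY = {
    "jdoe": AccessRecord(
        roles={"ehr": {"behavioral-analyst"}, "drive": {"clinic-staff"}},
        shared_accounts={"drive:clinic-intake", "fax:front-desk"},
        company_devices={"LAPTOP-0417"},
        personal_devices={"jdoe-phone"},
    )
}

def offboarding_actions(user, inventory):
    """Derive the full termination checklist from the documented inventory."""
    rec = inventory[user]
    actions = []
    for system, roles in sorted(rec.roles.items()):
        actions += [("revoke-role", f"{system}:{r}") for r in sorted(roles)]
    actions += [("rotate-credential", a) for a in sorted(rec.shared_accounts)]
    actions += [("collect-and-reformat", d) for d in sorted(rec.company_devices)]
    actions += [("remote-wipe-company-data", d) for d in sorted(rec.personal_devices)]
    return actions

def remaining_actions(user, inventory, completed):
    """Checklist items not yet ticked off; deem the network safe only when this is empty."""
    return [a for a in offboarding_actions(user, inventory) if a not in completed]

def offboarding_complete(user, inventory, completed):
    return not remaining_actions(user, inventory, completed)

if __name__ == "__main__":
    plan = offboarding_actions("jdoe", INVENTORY)
    # Simulate an off-boarding that changed every personal login but forgot one shared Drive account.
    done = set(plan) - {("rotate-credential", "drive:clinic-intake")}
    print(remaining_actions("jdoe", INVENTORY, done))
```

The forgotten shared login is exactly the kind of residual access that a password reset on personal accounts alone does not close.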
Many data breaches can be avoided with proper access control and a comprehensive policy for off-boarding terminated employees. The TACT breach is notable for that reason, but it isn’t the only example. An ex-employee of John Muir Health was also charged for stealing information from more than 5,000 of Muir’s patients and delivering it to her new employer.
There’s a fine line between being cautious and becoming authoritarian. When dealing with PHI, it’s essential for organizations to toe that line as much as possible without crossing it. Technology will help control access to your organization according to team members’ roles. Transparency will keep everyone on the same page about accountability. And maintaining a tight inventory of authorized devices will make terminating access easier and more effective.