
Former Employees Pose Serious Risk To Security

December 18, 2017 (updated June 15th, 2022). Category: Cybersecurity

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reminded those who deal with PHI and PII of the dangers that terminated employees can pose to system security in their monthly cybersecurity newsletter. Their advice is as timely as it is excellent, and includes the following:

“Making sure that user accounts are terminated so that former workforce members don’t have access to data is one important way Identity and Access Management can help reduce risks posed by insider threats.

IAM can include many processes, but most commonly would include the processes by which appropriate access to data is granted, and eventually terminated, by creating and managing user accounts.”

Kate Borten, President of The Marblehead Group, agrees, citing Verizon’s 2017 Data Breach Investigations Report, which was released earlier this year and named health care as the industry with the highest number of insider breaches.

OCR has published an extensive list of recommendations, which include:

• The creation and maintenance of user access logs used to determine when a user’s access levels are increased or new equipment is assigned. These logs can also be used to track and trace precisely who is accessing what data, when, and from what locations, creating an audit trail.
• Establishing processes designed to terminate an employee’s access as soon as employment ends. These processes should also refer back to the aforementioned access logs to ensure that all equipment has been returned.
• Changing all administrative passwords on termination of an employee with access to those accounts, so that they will be unable to access them post-employment.
• The creation of alerts that call attention to accounts that have not been utilized in some predefined number of days in order to identify accounts that may be ripe for purging from the system.
• Developing a robust auditing procedure designed to ensure that all IAM-related policies are being followed and that the system is working as intended.
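As an added example (not from OCR’s newsletter or this post), here is a small Python audit that reconciles an HR termination roster against an IAM account export and flags the gaps the bullets above describe: accounts still enabled or used after the last day of employment, shared administrative passwords not rotated since an admin left, unreturned equipment, and dormant accounts. The user names, asset tags and dates are constructed.

```python
from datetime import date

# All data below is constructed for illustration (not real users or assets).
# HR roster: user -> last day of employment.
TERMINATIONS = {"jdoe": date(2017, 11, 30), "asmith": date(2017, 12, 1)}
# IAM export: account state, last authentication, admin rights, assigned equipment.
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "admin": False,
     "last_login": date(2017, 12, 5), "equipment": ["LT-0042"]},
    {"user": "asmith", "enabled": False, "admin": True,
     "last_login": date(2017, 11, 28), "equipment": ["LT-0017"]},
    {"user": "bwong", "enabled": True, "admin": False,
     "last_login": date(2017, 9, 1), "equipment": []},
    {"user": "svc_backup", "enabled": True, "admin": True,
     "last_login": date(2017, 12, 17), "equipment": []},
]
RETURNED_EQUIPMENT = {"LT-0017"}               # asset tags checked back in
SHARED_ADMIN_ROTATED_ON = date(2017, 11, 27)   # last rotation of shared admin passwords


def audit(accounts, terminations, returned, admin_rotated_on, today, dormant_days=90):
    """Return (user, finding) pairs for the IAM gaps the OCR recommendations target."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        ended = terminations.get(user)
        if ended is not None:
            # Offboarding checks: access must stop on the last day of employment.
            if acct["enabled"]:
                findings.append((user, "ACTIVE_AFTER_TERMINATION"))
            if acct["last_login"] > ended:
                findings.append((user, "LOGIN_AFTER_TERMINATION"))
            if acct["admin"] and admin_rotated_on < ended:
                findings.append((user, "ADMIN_CREDS_NOT_ROTATED"))
            for tag in acct["equipment"]:
                if tag not in returned:
                    findings.append((user, f"EQUIPMENT_NOT_RETURNED:{tag}"))
        elif acct["enabled"] and (today - acct["last_login"]).days > dormant_days:
            # Dormant-account alert for current staff: candidate for review or purge.
            findings.append((user, "DORMANT_ACCOUNT"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS, TERMINATIONS, RETURNED_EQUIPMENT,
                               SHARED_ADMIN_ROTATED_ON, date(2017, 12, 18)):
        print(f"{user:12} {finding}")
```

In practice the two inputs would come from the HR system and the directory or IAM provider’s user export, and the script would run on a schedule so that each finding becomes a ticket rather than a surprise.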

It’s an excellent piece, and if your firm is in any way involved with the handling of protected health information, you owe it to yourself to head to OCR’s website and read it in its entirety.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.