The November cybersecurity newsletter from the HHS Office for Civil Rights discussed how healthcare organizations can tighten termination procedures to curb insider threats.
"Data breaches caused by current and former workforce members are a recurring issue across many industries, including the healthcare industry," the newsletter reads. "When an employee or other workforce member leaves, it is extremely important that covered entities and business associates prevent unauthorized access to protected health information."
Here are eight steps OCR recommended in the newsletter to help providers prevent unauthorized access to PHI by former employees.
1. Develop a checklist of standard procedures to complete when an employee leaves, for example, notifying the IT department or security personnel of their departure.
2. Terminate electronic and physical access to PHI as soon as possible.
3. De-activate or delete user accounts of former employees, including disabling or changing their user IDs and passwords.
4. Implementing procedures to curtail physical and remote access to PHI, such as taking back devices, changing security codes and clearing PHI from personal devices.
5. Document whenever physical or electronic access is granted and whenever equipment given to an employee. These logs can be used to document the termination of access and return of physical equipment.
6. Have alerts in place to notify the proper department when an account has not been used for a specified number of days, which may be helpful in identifying accounts that should be terminated.
7. Change the passwords of administrative or privileged accounts that a former employee had access to.
8. Ensure appropriate audits are in place to confirm standard procedures are being implemented and are effective.
To access the OCR newsletter, click here.