Implementing effective identity and access management (IAM) policies and controls is essential for healthcare organizations looking to reduce the risk of insider data breaches, according to the OCR November 2017 Cybersecurity Newsletter.
IAM typically includes the processes used to grant appropriate access to data by creating and managing user accounts, OCR explained. Terminating those accounts at the proper time – such as when an employee quits – is critical to ensure that those users do not still have access to sensitive data.
“When an employee or other workforce member leaves, it is extremely important that covered entities and business associates prevent unauthorized access to protected health information (PHI) by ensuring that the former workforce member’s access to PHI is effectively terminated,” OCR advised. “Also make sure that mobile devices like laptops and smartphones are returned, and if the use of ePHI on personally-owned phones or other devices is permitted, that those devices are cleared or purged of ePHI.”
Inactive user accounts, which are no longer used but have not been fully terminated or disabled, also create security exposure, OCR added. Effective termination procedures reduce the likelihood that an inactive account can be used for malicious purposes.
Physical security measures should also be part of termination procedures, the agency continued. Changing combination locks and security codes, removing users from access lists, and ensuring the return of keys, tokens, keycards, ID badges, and other physical items can all help secure ePHI access.
Healthcare organizations should also terminate remote access capabilities, along with access to remote applications, services, and websites, OCR stated. This includes access to accounts used for third-party or cloud-based services.
Technical safeguards must also be considered when implementing IAM policies and controls. For example, the passwords of any administrative or privileged accounts (such as admin, root, or sa) should be changed when an employee no longer works for the company.
“Have standard procedures of all action items to be completed when an individual leaves – these action items could be incorporated into a checklist,” the newsletter read. “These should include notification to the IT department or a specific security individual of when an individual should no longer have access to ePHI, when his duties change, he quits, or is fired.”
Audit logs can also be beneficial, OCR said.
“Appropriate audit and review processes confirm that procedures are actually being implemented, are effective, and that individuals are not accessing ePHI when they shouldn’t or after they leave,” the agency stated.
Logs can also document whenever access is granted (both physical and electronic) to employees, when individual privileges increase, and when equipment is given to individuals. From there, “logs can be used to document the termination of access and return of physical equipment,” OCR added.
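The audit-review process the newsletter describes can be partly automated by reconciling the offboarding checklist against the account directory and the ePHI access log. The following is an added example, not code from the OCR newsletter or this article; the user names, dates and log entries are constructed, and the 90-day inactivity threshold is an assumed policy value.

```python
# Added example: reconcile an offboarding list against ePHI access logs and
# the account directory, so audit review can confirm that terminated users'
# access was actually removed. All data below is constructed sample data.
from datetime import datetime, timedelta

OFFBOARDED = {            # user -> termination date from the HR checklist
    "jdoe": "2017-11-03",
    "asmith": "2017-11-10",
}
ACCOUNTS = {              # user -> (enabled?, last login) from the directory
    "jdoe": (False, "2017-11-02"),
    "asmith": (True, "2017-11-12"),   # never disabled after leaving
    "rlee": (True, "2017-06-01"),     # still employed, but long inactive
    "mchen": (True, "2017-11-20"),
}
EPHI_ACCESS_LOG = [       # (timestamp, user, action, record)
    ("2017-11-02T09:14:00", "jdoe", "view", "patient/4411"),
    ("2017-11-12T22:41:00", "asmith", "export", "patient/9087"),
    ("2017-11-20T08:05:00", "mchen", "view", "patient/1200"),
]

def access_after_termination(log, offboarded):
    """Return log entries made by a user after that user's termination date."""
    findings = []
    for ts, user, action, record in log:
        term = offboarded.get(user)
        if term and datetime.fromisoformat(ts).date() > datetime.fromisoformat(term).date():
            findings.append((user, ts, action, record))
    return findings

def accounts_not_disabled(accounts, offboarded):
    """Offboarded users whose directory account is still enabled."""
    return sorted(u for u in offboarded if accounts.get(u, (False,))[0])

def inactive_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts with no login within max_idle_days (assumed policy
    value); these are candidates to disable before they are misused."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=max_idle_days)
    return sorted(u for u, (enabled, last) in accounts.items()
                  if enabled and datetime.fromisoformat(last) < cutoff)

def offboarding_review(as_of="2017-11-30"):
    """One report combining the three checks an audit reviewer would run."""
    return {
        "post_termination_access": access_after_termination(EPHI_ACCESS_LOG, OFFBOARDED),
        "still_enabled": accounts_not_disabled(ACCOUNTS, OFFBOARDED),
        "inactive": inactive_accounts(ACCOUNTS, as_of),
    }
```

In the sample data, the same account shows up in two findings: it was never disabled after the termination date, and the log records an ePHI export from it afterwards, which is exactly the condition the audit review is meant to catch.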
Insider data breach risk is a common concern for organizations, which say they want to be able to properly monitor who can access sensitive information.
A Bomgar report from 2017 revealed that approximately two-thirds of security professionals believe that a breach originating from an insider – either malicious or unintentional – is their organization’s greatest security threat.
Ninety percent of the 600 surveyed IT professionals said that they trust employees with privileged access most of the time, with 41 percent saying they completely trust those same insiders.
“With the continuation of high-profile data breaches, many of which were caused by compromised privileged access and credentials, it’s crucial that organizations control, manage, and monitor privileged access to their networks to mitigate that risk,” Bomgar CEO Matt Dircks said in a statement. “The findings of this report tell us that many companies can’t adequately manage the risk related to privileged access.”
“Insider breaches, whether malicious or unintentional, have the potential to go undetected for weeks, months, or even years – causing devastating damage to a company.”