Mitigating Threats Posed By Terminated EmployeesExperts Say the Risks Are Too Often Overlooked
Federal regulators are reminding healthcare entities and business associates of the serious security and privacy risks that terminated employees can pose and offering advice for mitigating those risks.
Data breaches caused by current and former workforce members are a recurring issue, writes the Department of Health and Human Services' Office for Civil Rights in a monthly cybersecurity newsletter released on Thursday.
"Making sure that user accounts are terminated, so that former workforce members don't have access to data, is one important way identity and access management can help reduce risks posed by insider threats," OCR says.
"IAM can include many processes, but most commonly would include the processes by which appropriate access to data is granted, and eventually terminated, by creating and managing user accounts."
Kate Borten, president of privacy and security consulting firm The Marblehead Group, notes that while insiders can pose a significant threat across all sectors, Verizon's 2017 Data Breach Investigations Report, released earlier this year, identified healthcare as the industry with the highest number of insider breaches (see Fighting Insider Threats: Long Term Battle).
"In part, this may be due to the fact that many healthcare workers are not the provider organization's employees," she says. "Teaching and research facilities, especially, include students and a variety of other trainees, as well as credentialed physicians who are not employees. And hospitals routinely use volunteers."
Academic medical centers have less control over these non-employee workforce members, she says, because they are not funneled through the usual human resources and payroll processes. "This is manifested through weaker termination processes - both for these non-employee workforce members and for external parties, such as BAs, who have been granted access," she says.
Meanwhile, failed termination and job change processes leave a user's access open to misuse by the former staff member or by a current worker who wants to hide inappropriate actions, Borten adds.
"The risks associated with failed termination and job change notification highlight the importance of performing routine user account review to identify overlooked terminations and job changes, as required by the HIPAA Security Rule. This is an essential safety net."
OCR's reminders about insider threats are valuable and timely, says privacy attorney Kirk Nahra at the law firm Wiley Rein LLP.
"This is potentially an enormous issue if it is not handled carefully," Nahra says. "Cutting off this access promptly is a critical element of an effective security plan. In addition, if a company knows that an employee will be leaving, they should institute additional controls and oversight to protect against malicious or problematic activity, whether involving patient data or other sensitive corporate data."
While current workers can be culprits in a variety of breaches - including accidentally clicking on phishing email or intentionally snooping on patient records - some incidents involving ex-staffers have turned into criminal cases.
For instance, in September, a former systems administrator, who was on the job at Centerville Clinics in Pennsylvania for only about three weeks in 2013, was sentenced to 27 months in federal prison after he was convicted in a case involving wire fraud and hacking computers (see Former Systems Administrator Gets Prison Time).
Court documents says the clinic groups' administrative credentials to its computer systems "and the web-based email server" were not changed after that systems administrator, Brendon Coughlin, left the employment of the group.
About two days after ending his job, "Coughlin created an undisclosed new administrative account giving him full access and control of [the clinics'] computer system, without the knowledge, consent or authorization of the healthcare entity's management officials," the indictment document in the criminal case says.
The clinics' system administrator's credentials "were not changed until mid-2015, well after the defendant left the employ of the healthcare entity," the indictment adds.
Organizations should adopt procedures for notifying managers as well as the IT department when employees - or staff of business associates - who have access to data and systems leave or their access privileges change, Borten says.
"Managers should be held accountable for failing to notify the organization of user terminations and job changes," she says.
In addition, OCR also advises that to prevent unauthorized access to protected health information by former workers, organizations should take a number of steps, including:
- Use logs to document whenever physical or electronic access is granted, privileges are increased or equipment is given to individuals. These logs can be used to document the termination of access and return of physical equipment.
- Have alerts in place to notify the proper department when an account has not been used for a specified number of days. These alerts may be helpful in identifying accounts that should be permanently terminated.
- Terminate electronic and physical access as soon as possible upon an employee's departure, including de-activating or deleting user accounts and disabling or changing user IDs and passwords.
- Have appropriate audit procedures in place, and review processes to confirm that procedures are actually being implemented, are effective, and that individuals are not accessing ePHI when they shouldn't or after they leave.
- Address physical access and remote access by implementing procedures to take back all devices and items permitting access to facilities, such as laptops, smartphones, removable media, ID badges and keys, as well as terminate access to remote applications, services and websites, such as accounts used to access third-party or cloud-based services.
- Change passwords of any administrative or privileged accounts, such as admin, root, and sa, that a former workforce member could access.
But even before a terminated employee leaves, entities should watch for warnings of potentially malicious behaviors, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
Herold says many warning signs potentially foreshadow the discovery of a breach by employees. Those include:
- A worker starts coming in uncharacteristically early, and/or stays uncharacteristically late to do work. The worker could be using this time to copy files and gather other information they may find valuable after they leave the business.
- A worker asks questions about how to access PHI and other personal information files and databases that they have never bothered to ask about before.
- An employee who used to not ask about, or even seem to care about, information security now starts asking many more questions about filenames for PHI records and how access controls are established.
- Logs show a worker is now trying to access files, databases and systems that they never were trying to access before.
- A staffer starts taking a lot more printed documents home for work purposes. Often they are printouts containing PHI or intellectual property.
Preventing breaches involving insiders is an ongoing struggle, Herold says.
That's because of "the many new types of technologies that enable remote access, and many more ways in which data can be monetized, which creates a very tempting opportunity to insiders who may be disgruntled, having financial difficulties, or any number of a wide range of other situations that would motivate them to commit breaches," she says.