OCR: 5 ways to fight internal health data breaches

health data charts
Healthcare organizations can protect themselves from internal healthcare data breaches. (Getty/nevarpp)

Healthcare organizations are a prime target for internal breaches caused by former employees, but there are several steps that groups can take to protect themselves from the threat. 

The Department of Health and Human Services Office for Civil Rights (OCR) issued a number of tactics (PDF) to prevent recently terminated staffers from accessing private healthcare data. 

"Data breaches caused by current and former workforce members are a recurring issue across many industries, including the healthcare industry," according to OCR. "Effective identity and access management policies and controls are essential to reduce the risks posed by these types of insider threats." 

RELATED: The healthcare data breach that took 14 years to uncover 

The steps the agency recommends include: 

  1. Have a standardized process for cutting off data access for departing employees. Creating a checklist that makes action items easy to follow may be a good strategy.
  2. Use logs to keep track of which staff members are granted access or have increased privileges, and what equipment they have been issued.
  3. End the ex-employee's physical and electronic access as soon as possible after they leave their job. Take back devices that were issued by the organization, and ensure they don't still have access on personal devices.
  4. Have an audit system in place to ensure procedures are being followed and regularly updated as needed.
  5. Change passwords for administrative or high-level accounts that the exiting employee had access to immediately after they leave. 

RELATED: We asked the experts—Is healthcare ready for a wide-scale attack like WannaCry? 

Though cyberattacks are commonly viewed as outside breaches, health IT executives said that employees actually pose the greater threat. Nearly half (46%) of respondents to a recent survey said that staff members' lack of awareness around security and an organizational culture that does not emphasize security are major concerns. 

"The human factor is the hardest part," Tallahassee Memorial Healthcare CIO Don Lindsey told FierceHealthcare recently. "You’re only good as good as your security awareness training program." 

In February, for example, the number of overall data breaches was down compared to January, but 60% of those breaches were related to insider threats, some of which healthcare organizations failed to recognize for as long as five years.