
3 Steps to Stop Unauthorized PHI Access by Terminated Team Members


In February 2017, the Transformations Autism Treatment Center discovered an ex-employee had breached its security. Jeffrey Luke, a former behavioral analyst, illegally accessed a TACT Google Drive account, stealing protected health information from over 300 current and former patients, as revealed in his indictment.

It is concerning that despite his termination, Luke was able to access TACT’s Google Drive account. TACT had changed all its passwords following his termination, but a month later, files were found to have been moved within the organization’s Google Drive account. The Department of Justice traced the unauthorized access back to Luke, who had patient records and documents from another former employer on his computer.

This incident is just one of many examples of healthcare organizations leaving themselves and their data vulnerable after a termination. When an employee or team member leaves, it is crucial for covered entities and associates to completely revoke the former team member’s access to the organization’s network.

These are three steps organizations can take to ensure they have covered all their bases:

1. Establish user-based roles or role-based access control.

Controlling access is the foundation of healthcare IT security, and implementing role-based access is the most effective way to govern it, especially for internet-based applications accessible outside the organization’s network. Each employee’s role and appropriate access level can be stipulated, or role groups for specific departments can be created, making it easier to revoke or reassign access immediately after their termination. Shared accounts should be avoided, but if used, all logins should be updated after an employee’s departure.

While most healthcare applications have role-based security measures, proper documentation is essential for them to be effective. Integration can link systems for streamlined access, but there is no automatic database to control access across platforms. Strong documentation will help keep track of access issuance, levels of control, and when access needs to be updated, downgraded, or revoked.
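The cross-platform reconciliation this paragraph argues for, as an added example that is not from the original article: a documented access register (who was issued which role on which system, and whether the login is shared) is checked against HR termination dates to surface grants that outlived a departure, including shared accounts whose credentials were never rotated. All employee ids, platform names and dates are constructed.

```python
"""Off-boarding access reconciliation (constructed example, not the article's own code).

The register stands in for the documentation the article calls for: who was
issued access on which platform, at what level, and whether the account is
shared. Comparing it against HR's termination dates surfaces grants that
survived a departure, including shared logins that were never rotated.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    platform: str          # system the grant lives on, e.g. "ehr" or "drive"
    account: str           # login the grant is attached to
    role: str              # role group, e.g. "clinician" or "billing"
    shared: bool = False   # shared account: revoking means rotating its login


# employee id -> grants recorded for that employee (constructed data)
REGISTER: dict[str, set[Grant]] = {
    "e101": {Grant("ehr", "e101", "clinician"),
             Grant("drive", "intake-shared", "staff", shared=True)},
    "e102": {Grant("ehr", "e102", "billing")},
    "e103": {Grant("drive", "intake-shared", "staff", shared=True)},
}
# shared account -> date its credentials were last rotated (constructed)
SHARED_ROTATED: dict[str, date] = {"intake-shared": date(2017, 1, 10)}
# employee id -> termination date supplied by HR (constructed)
TERMINATED: dict[str, date] = {"e101": date(2017, 1, 20), "e103": date(2017, 1, 5)}


def lingering_access(register, shared_rotated, terminated) -> list[tuple[str, str, str, str]]:
    """Return (employee, platform, account, reason) for grants that should be gone.

    Any individual grant still recorded for a terminated employee is a finding.
    A shared account is a finding unless its login was rotated on or after the
    employee's departure date.
    """
    findings = []
    for emp, left_on in terminated.items():
        for g in register.get(emp, set()):
            if not g.shared:
                findings.append((emp, g.platform, g.account, "individual grant still active"))
            else:
                rotated = shared_rotated.get(g.account)
                if rotated is None or rotated < left_on:
                    findings.append((emp, g.platform, g.account, "shared login not rotated since departure"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in lingering_access(REGISTER, SHARED_ROTATED, TERMINATED):
        print(*finding, sep=" | ")
```

Run against the constructed data, the check flags both of e101's grants (the shared Drive login was last rotated before the departure) and nothing for e103, whose departure predates the rotation.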

2. Provide transparent monitoring of employees’ access.

Securing healthcare data has become more challenging with internet integration, off-site data access, and increased use of personal devices by team members. Clearly defining each employee’s role and the associated access level must be followed by honest and transparent communication about how the organization will monitor and enforce role-based access to its systems.

A clear policy regarding the IT department’s monitoring of personal devices, protection of employees’ personal information, and acceptable device usage should be in place, especially when employees use personal devices. For example, employees should not access data using personal devices outside working hours, and the consequences of doing so should be clear. Additionally, the ability to remotely wipe data from an employee’s device is important, and services like Google’s G Suite offer this functionality.

3. Maintain strict inventory of company and personal devices.

Whether employees use personal devices or company-assigned equipment, it is crucial to keep track of all devices. A comprehensive off-boarding process should include collecting every company-owned device and removing the organization's access and files from personal ones; a current inventory makes both steps straightforward. Retrieved equipment should be thoroughly wiped to prevent a later breach.

As TACT learned, former employees may still be able to access the network even after their physical control of a device has ended or their password has been changed. Before considering the network safe again, every device assigned to the terminated employee should be accounted for, and the employee’s roles within the system should be updated. Even if the old device is to be disposed of, it should be thoroughly wiped first.

Many data breaches can be avoided with proper access control and a comprehensive policy for off-boarding terminated employees. The TACT breach is just one example, with another case involving an ex-employee of John Muir Health being charged with stealing information from over 5,000 patients and delivering it to her new employer.

When handling PHI, it is essential for organizations to balance caution with transparency. Utilizing technology to regulate access based on team members’ roles, being open about monitoring practices, and maintaining strict device inventory will make terminating access easier and more effective, ultimately enhancing security.
