Employees & ePHI: Who has access to your healthcare data?

The risk is real. With all of the attention on external threats to ePHI, like ransomware and cyberattacks, healthcare organizations and their digital health vendors may be distracted from threat of insider risk. Yet according to a recent HHS OCR newsletter “insider threat is becoming one of the largest threats to organizations and some cyberattacks may be insider driven.”

Most threats aren’t malicious. An employee may click on a phishing email or mistakenly share their login with someone who shouldn’t have access. Both potentially expose ePHI but as always, we at Apgar & Associates point to training coupled with good spam filtering as the best mitigation in these situations.

Where you have a serious security risk is with those employees who intentionally harm your information security. Those “e-crimes” include intentionally installing malware, worms or malicious code, or outright device theft.  And then there is the curiosity crime – looking up family members, VIPs and the like for personal reasons rather than for work that falls within their job duties.

Training won’t stop bad people from doing bad things. Instead, don’t hesitate to do a thorough screening of employees who could potentially have access to or cause risk to ePHI. For those who will have access, be sure that their access is appropriate to their “need to know.”

To go full bore on ePHI protection from insiders, the US-CERT (U.S. Computer Emergency Readiness Team) has a long list of steps to help protect your organization’s ePHI, but the top 3? It’s like they read our minds!

  1. Get your security risk analysis done and the risk management plan implemented (getting a risk analysis doesn’t automatically fix the risks). As US-CERT says “consider threats from insiders and business associates.”
  2. Document and be consistent about enforcing your “policies and controls” or as we say, policies, procedures and access.
  3. Train your entire workforce. All employees need to know the rules to be effective at protecting ePHI. US-CERT recommends that you “incorporate insider threat awareness into periodic security training.”

You can download the Common Sense Guide to Mitigating Insider Threats, 4th Edition, from US-CERT here.  Remember, people are your biggest risk!

Apgar and Associates  helps you with questions and concerns about your privacy and security compliance program, including updates and training, at 877-376-1981. Ask about our compliance consulting subscription program for qualifying organizations.