Data breached? Culprit could be a former employee
■ A practical look at information technology issues and usage
So your data are encrypted, and you have access controls on your computer systems to prevent outside attacks from hackers. But you're still not totally protected from unauthorized outside access.
Your former employees may be able to get back into your system.
Many practices and hospitals focus on how to prevent current employees from snooping or stealing information, but they forget about people who have left the organization and still could do damage.
"You wouldn't let [departing employees] leave with the keys to the clinic. You shouldn't let them leave with the keys to the data," said Andrew Sroka, president and CEO of Fischer International, a data security technology vendor.
Yet many employers do. And not just in the health care field, either.
A survey by Courion, an identity and access management solutions company, found that 93% of organizations think terminated employees pose no security threat, and 53% are unaware of those employees' access rights to systems.
Todd Chambers, chief marketing officer for Courion, said former employees cause many security breaches because organizations do not understand their risks.
Griffin Hospital in Derby, Conn., announced in March that it experienced an apparent data breach allegedly caused when a previously-affiliated radiologist gained access to the hospital's picture archiving and communication system.
The hospital said the apparent breach came to its attention when it was contacted by several patients who claimed the radiologist called them to offer services at a competing hospital. Access to the hospital's PACS had been revoked when the radiologist's affiliation with the hospital ended, but the doctor allegedly used the log-in credentials of current Griffin employees to access the records of nearly 1,000 patients.
Richard Blumenthal, the Connecticut attorney general, is investigating the breach. William Powanda, vice president of Griffin Hospital, said in an e-mail to American Medical News that the question of how the former employee gained access to those credentials likely will be a focus of that investigation.
Barring the door
Most people know that the proper thing to do when someone leaves a job is to block that person's access to electronic systems. But many don't realize that the employee may still be able to get in later.
Employers "tend to be more focused on locking the perimeter ... but forgetting the fact that they've left a whole boatload of people inside the house already," Chambers said.
Fischer International's Sroka said password management for current employees is just as important as blocking a former employee's access. For example, shared passwords can be used by former employees after their individual access has been terminated.
Sroka compared sharing passwords with employees holding secure doors open for someone who claims to have forgotten a key. No one thinks of the implications until they inadvertently allow the wrong person in the door. There should be a zero tolerance for these types of practices, including sharing passwords, he said.
This is more difficult to enforce at small practices, where there is overlap in job responsibilities and people cover for others when they are out, Sroka said. But negating the risk is possible. The most important step is making sure employees understand what could go wrong, he said.
Other steps include having a regular schedule for changing passwords; making sure passwords are complex enough that they can't be guessed easily; and enforcing the physical security of passwords. Some practices actually post passwords on a computer monitor, Sroka said.
Monitoring data called key
Chambers said that beyond the policy level, monitoring systems also must be in place. Organizations need to watch for procedures that could raise red flags, such as an employee logging in and accessing multiple files late at night.
Monitoring can be automated or outsourced to a third party. Outsourcing can have advantages, he said, because many times organizations put too much trust in their own information technology staffs.
Organizations also should monitor "data on the move" by keeping tabs on what data are transferred to mobile devices or sent to external machines or e-mails.
"There have to be systems in place to monitor this stuff, knowing you can't protect it 100%," Chambers said. "But try to make sure you catch it as soon as you can and mitigate the damage that can be done."
A survey by Ipswitch File Transfer, a network monitoring software vendor, found that 25% of respondents admitted to sending proprietary files to personal e-mail accounts with the intent of using that information at their next jobs.
Chambers said that number is conservative because of the recession and the insecure feeling many workers have about their jobs.
Frank Kenney, vice president of global strategy at Ipswitch, also said he believes the number is low and likely to grow because of the increased use of mobile devices on which people store work data for convenience or as a backup.
If technology is difficult for employees to operate, more data may end up outside the practice. If in-house systems are not easily accessible, more people will use their own devices on the job, creating more outlets for information to be lost, stolen or taken by a departing employee.
"It's a risk that companies need to manage in a better way," he said. "They have to educate and enforce policy, and the policy must have teeth."
Passage of the Health Information Technology for Economic and Clinical Health Act in 2009 put more teeth into HIPAA laws.
Not only can health care organizations now be on the hook for fines up to $1.5 million if data are breached, but they also must notify every affected patient, the Dept. of Health and Human Services and, in some cases, the media.
The law also gives state attorneys general the power to enforce HIPAA laws.