Below are details from the August 2016 OCR memo: Do You Know Who Your Employees Are? The memo is a reminder that we need to pay more attention to our own staff than we sometimes think. Insider threats are a real issue, not something that only happens to other organizations.
Although not all insider threats are malicious or intentional, their effects can be damaging to covered entities (CEs) and business associates (BAs) and can negatively affect the confidentiality, integrity, and availability of their ePHI.
According to a survey recently conducted by Accenture and HfS Research, 69% of the organization representatives surveyed had experienced an insider attempt at, or success in, data theft or corruption. Further, one covered entity reported that an employee had unauthorized access to the ePHI of 5,400 patients for almost four years.
US-CERT lists 19 steps to protect ePHI from insider threats:
- Consider threats from insiders and business associates in enterprise-wide risk assessments.
- Clearly document and consistently enforce policies and controls.
- Incorporate insider threat awareness into periodic security training for all employees.
- Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
- Anticipate and manage negative issues in the work environment.
- Know your assets.
- Implement strict password and account management policies and practices.
- Enforce separation of duties and least privilege.
- Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
- Institute stringent access controls and monitoring policies on privileged users.
- Institutionalize system change controls.
- Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
- Monitor and control remote access from all end points, including mobile devices.
- Develop a comprehensive employee termination procedure.
- Implement secure backup and recovery processes.
- Develop a formalized insider threat program.
- Establish a baseline of normal network device behavior.
- Be especially vigilant regarding social media.
- Close the doors to unauthorized data exfiltration.
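Two of the steps above, auditing employee actions through a SIEM or log correlation engine and establishing a baseline of normal behavior, are the ones that would have surfaced the 5,400-patient case described earlier: an employee whose record access volume, or whose access to patients with no treatment relationship, sits far outside that of their peers. The script below is an added example written for this page, not code from the OCR memo or from US-CERT. It constructs a synthetic EHR access audit log (the pipe-delimited field layout, the user and unit names, and the 5-MAD threshold are all assumptions for illustration) and runs two checks over it: a per-role robust baseline of distinct patients viewed per user-day, and a crude "off-unit" check that treats a user's own unit as a stand-in for a treatment relationship.

```python
"""Baseline-and-deviation checks over constructed EHR access audit records.

Added example for this page; the log format and thresholds are assumptions,
and the audit lines are synthetic, not data from any real covered entity.
"""
from collections import defaultdict
from datetime import datetime
import statistics


def build_sample_log():
    """Construct a synthetic audit log: three nurses over five working days,
    each viewing 4..6 patients on their own unit, plus one afternoon on which
    nurse03 browses 30 records on units they do not work on."""
    units = {"nurse01": "cardiology", "nurse02": "oncology", "nurse03": "cardiology"}
    lines = []
    for day in range(1, 6):
        for i, (user, unit) in enumerate(units.items()):
            for n in range(4 + (day + i) % 3):  # 4..6 distinct patients per day
                pid = f"P{unit[:3].upper()}{day}{n:02d}"
                lines.append(f"2016-08-{day:02d}T{8 + n:02d}:00:00|{user}|nurse|{unit}|{pid}|{unit}|view")
    for n in range(30):  # the outlier: snooping across oncology and neurology
        punit = "oncology" if n % 2 else "neurology"
        lines.append(f"2016-08-05T14:{n:02d}:00|nurse03|nurse|cardiology|P{punit[:3].upper()}X{n:02d}|{punit}|view")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'timestamp|user|role|user_unit|patient_id|patient_unit|action' lines
    (an assumed layout, not a real EHR export format)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, unit, pid, punit, action = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                        "unit": unit, "patient": pid, "patient_unit": punit, "action": action})
    return records


def daily_distinct_patients(records):
    """Map (user, date) -> set of distinct patient ids touched that day."""
    per_day = defaultdict(set)
    for r in records:
        per_day[(r["user"], r["ts"].date())].add(r["patient"])
    return per_day


def role_baseline(records):
    """Per role: (median, MAD) of distinct patients per user-day.
    Median and MAD are used instead of mean and stddev so that the
    outlier cannot inflate the baseline it is compared against."""
    role_of = {r["user"]: r["role"] for r in records}
    counts = defaultdict(list)
    for (user, _), pids in daily_distinct_patients(records).items():
        counts[role_of[user]].append(len(pids))
    baseline = {}
    for role, vals in counts.items():
        med = statistics.median(vals)
        mad = statistics.median(abs(v - med) for v in vals) or 1.0  # never a zero scale
        baseline[role] = (med, mad)
    return baseline


def detect(records, k=5.0):
    """Return alerts as (kind, user, date_or_None, count) tuples.

    'volume'   : a user-day with more distinct patients than median + k*MAD for the role
                 (k=5 MADs, roughly 3.4 sigma, is an assumed tuning value).
    'off_unit' : a user who touched patients outside their own unit; here the unit
                 stands in for a treatment relationship, which a real check would
                 look up in the assignment or encounter table instead.
    """
    alerts = []
    baseline = role_baseline(records)
    role_of = {r["user"]: r["role"] for r in records}
    for (user, day), pids in sorted(daily_distinct_patients(records).items()):
        med, mad = baseline[role_of[user]]
        if len(pids) > med + k * mad:
            alerts.append(("volume", user, day.isoformat(), len(pids)))
    off_unit = defaultdict(set)
    for r in records:
        if r["patient_unit"] != r["unit"]:
            off_unit[r["user"]].add(r["patient"])
    for user, pids in sorted(off_unit.items()):
        alerts.append(("off_unit", user, None, len(pids)))
    return alerts


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("baseline per role:", role_baseline(recs))
    for alert in detect(recs):
        print("ALERT", *alert)
```

In a real deployment the two signals would be SIEM correlation rules over the EHR audit feed rather than a script, and the baseline would be recomputed over a trailing window per role rather than over the whole file; the point of the example is that a robust peer baseline plus a relationship check flags the snooping user on the first day it happens, instead of four years later.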