How Good Is Your Terminated User Checklist?

Having a former employee access electronic Protected Health Information (ePHI) is a data breach. In today’s computing environment, terminating employee access can mean a lot more than just denying logins to your network and your Electronic Health Record (EHR) system. It can also be a challenge because more than just your employees can access your systems. How good is your terminated user checklist?

What about users who don’t work for you? Hospitals and surgery centers often have a wide range of users including employees, doctors, students, contractors, medical practices, vendors, other hospitals, nursing homes, and more. Practices often provide access to outsourced IT specialists, EHR vendors, and device manufacturers. How often do you verify with other organizations if terminated users still have access to your system, and how they secure your logins and passwords within their own systems? Remember that the Target data breach was caused when a heating and cooling vendor’s access was compromised.

Unique User Identification

Using shared logins and passwords is not allowed by HIPAA, but it frequently occurs in medical organizations and their business associates. It creates a huge risk of violations and data breaches because shared passwords are often never changed; changing them would cause some inconvenience. The result is that terminated users still have access.

If you comply with HIPAA’s requirement for Unique User Identification § 164.312(a)(2)(i), then every employee will have their own login and password, which can be disabled in seconds without inconveniencing anyone. Even with Unique User Identification in place there are special situations that may warrant a forced password change across your network.

A terminated user with IT knowledge can be a danger. Many IT specialists end up knowing other people’s passwords. During a recent compliance assessment we discovered that the outsourced IT support specialist kept a list of every user’s passwords “in case he had to log in as the user,” and that the passwords were set to never expire. IT specialists also know the passwords to the Administrator and service accounts that have full access to everything on the network. They know the passwords to get into network firewalls and wireless controllers. They may have even created phantom or ‘test’ users giving themselves access in case their own credentials are terminated.

There is no reason for an IT specialist to know everyone’s passwords. Even in the rare situation where the specialist would log in as a user, a temporary password can be created and then the account set to force a password change on the next login.

Network Access

Terminating a user’s access to your network may not prevent a former employee from getting to everything, but it will block them from the sensitive records on your servers and workstations. Periodically change the login to your wireless network. The short-term inconvenience is better than having a terminated user—and who knows who else—accessing your wireless resources. Print reports of your users and their last logins to identify names that should have their access disabled.

EHR System

In many medical practices and hospitals, the IT department sets users up with network access and e‑mail but someone else gives new users privileges to the EHR system. When the user leaves your organization terminating their access within the EHR system is a no-brainer, because everything they can access is protected by law. Remember to block the terminated user from any old EHR systems you still have online for access to old records. Old data is just as protected as what is in your current system, but is often forgotten.

Medical Devices

Many health care providers have devices that require users to log in to operate the device and access the data they hold. These devices include imaging systems like ultrasounds, X-ray, MRI, CT scanners, special cameras, lab devices, and are often separate from the network and EHR access. These likely have remote access capabilities required by the vendor so they can access the system for troubleshooting and updates. It may be possible for a former employee to remotely link to your network and access the device or its data files. They might be sitting outside your building within range of your wireless network, or across the world.

‘Cloud’ services

‘Cloud’ services are accessible through the Internet. These can include hosted EHR systems, drug databases, labs, specialty practices, transcription services, billing and collections, answering services, data backup, file sharing services, banking, credit cards, video feeds to specialists—any website that requires you to login with a password.

How good is your list of remote services so you can prevent a terminated user’s access? Your HIPAA Security Officer should require a centralized list of cloud services and those that have access. Periodically the lists of users for cloud services should be reviewed to ensure that only authorized personnel can access them.

Partners & Vendors

Vendors, partners, and contractors like technology companies, contract transcriptionists, device suppliers, independent billing coders, collections agencies, consultants, accountants, emergency services, rehab facilities, nursing homes, and others may have legitimate reasons to access your network. How do you control the people they give access to, and how do you know when one of them has a terminated user?

Medical practices may have access to hospital networks, labs, specialists, vendor ordering systems, and other outside organizations. How often do you remember to terminate former employees from accessing these systems?

Information System Activity Review

One of the first requirements in the HIPAA Security Rule is that you must conduct periodic Information System Activity Reviews. You must audit who is accessing your systems, devices, and services to determine if anyone not authorized has accessed protected data. Going through logs is time-consuming and you may not even know where to start. Ask department heads and managers to verify each system, device, and remote service each of their employees should access. Then print out the user lists and work with your managers and staff to identify any terminated users still on the list, or logins that may have been shared with a terminated user.

Delete unauthorized users and investigate any unauthorized access to protected data. Report breaches if you find access to ePHI by terminated users. Create terminated user checklists to validate that former employees or others with access are properly disabled. Work with your HR department and department managers to give you quick notification when someone leaves or no longer requires access to your protected data.
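The review described above, reduced to a repeatable check, as an added example that is not part of the original article: it reconciles per-system user exports (network, EHR, cloud services) against an HR termination list and flags accounts still enabled, logins after the termination date, shared accounts, and stale logins. The CSV exports, usernames and dates are constructed for illustration; real exports would come from your directory, EHR vendor and each cloud portal.

```python
import csv
import io
from datetime import date, datetime

# Constructed HR roster: users who have left, with their termination date.
TERMINATED = {"jsmith": date(2024, 3, 1), "rlee": date(2024, 5, 15)}
TODAY = date(2024, 6, 15)  # review date, fixed so the example is repeatable

# Constructed exports, one per system, in the column layout this example assumes.
EXPORTS = {
    "network": """username,owner,enabled,last_login
jsmith,Jane Smith,true,2024-03-04
rlee,Ron Lee,false,2024-05-10
dr_oncall,shared,true,2024-06-01
""",
    "ehr": """username,owner,enabled,last_login
jsmith,Jane Smith,true,2024-02-20
mwong,Mary Wong,true,2023-09-30
""",
}


def review(exports, terminated, today, stale_days=90):
    """Return (system, username, finding) tuples for the Security Officer."""
    findings = []
    for system, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            user = row["username"]
            enabled = row["enabled"].strip().lower() == "true"
            last = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
            if user in terminated and enabled:
                findings.append((system, user, "still enabled after termination"))
            # A login after the termination date is possible ePHI access to investigate.
            if user in terminated and last > terminated[user]:
                findings.append((system, user, "login after termination date"))
            # Shared accounts violate Unique User Identification and hide who logged in.
            if row["owner"].strip().lower() == "shared":
                findings.append((system, user, "shared account; no unique user"))
            # Enabled accounts nobody uses are candidates for disabling.
            if enabled and (today - last).days > stale_days:
                findings.append((system, user, f"no login in {stale_days}+ days"))
    return findings


if __name__ == "__main__":
    for system, user, finding in review(EXPORTS, TERMINATED, TODAY):
        print(f"{system:8} {user:10} {finding}")
```

Run it against fresh exports after each HR notification and before each periodic review; every finding is either an account to disable or an access event to investigate and, if it touched ePHI, report.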

Terminating user access has to happen quickly and it can be challenging. You need to get a handle on terminated users to prevent expensive and embarrassing data breaches. Don’t make yourself a Target.

originally written for 4MedApproved