How to avoid vulnerabilities created by permissions.
Software permissions are a great way to ensure that only authorized employees have access to private information, especially documents that fall under HIPAA compliance.
Too often, permissions are set and then forgotten until new permissions need to be added. “Set and forget” permissions are a recipe for disaster, as we recently saw from a press release from the U.S. Department of Health and Human Services.
A Colorado hospital has agreed to pay $111,400 to the Office for Civil Rights for potential HIPAA violations stemming from failing to terminate a former employee’s access. This “slip up” exposed 557 individuals’ electronic protected health information to the former employee [1].
But this could easily have been avoided with a clear plan for when an employee leaves, as well as routine permission upkeep.
Employee Termination Plan
Whether on the best of terms or the worst, when an employee leaves, you must go through the process of terminating them from the company. This typically starts with HR and the return of company property (always crucial for security). But your plan should always include a review of the employee’s digital access so that all of it can be revoked.
A formal plan is the best way to achieve this goal. A set of standards with a timeframe will help to guide an efficient process. Staying on top of removing permissions in a timely manner will go a long way to prevent potential liability exposure for failure to adequately safeguard sensitive information (such as protected health information under HIPAA).
Routine Permission Cleanup
If your company has regular movement of employees, permissions often change as job requirements change. In these moves, removing outdated permissions can slip through the cracks. Routine permission cleanup helps to catch these outdated permissions.
Taking the time to review all your permissions, at least once a quarter, will go a long way to make sure you don’t accidentally expose sensitive material to the wrong individuals.
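Both procedures above, the offboarding check and the quarterly review, come down to reconciling two lists: who HR says still works here, and who the systems say still holds access. The script below is an added example (not code from the original post) that runs that reconciliation over constructed sample data. The roster and grant field names, the one-day revocation window, and the 90-day review interval are assumptions chosen for illustration; a real deployment would read these from an HR export and from each system's permission report.

```python
"""Access-review reconciliation (added example, not from the original post).

Compares an HR roster against a permission export and flags:
  1. grants still held by terminated users past the revocation window,
  2. grants whose user is not on the roster at all (nobody owns them),
  3. grants not re-reviewed within the quarterly interval.
Field names, time windows and sample rows are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVOCATION_WINDOW = timedelta(days=1)   # assumed policy: revoke within 1 day of leaving
REVIEW_INTERVAL = timedelta(days=90)    # "at least once a quarter"


@dataclass
class Employee:
    user_id: str
    status: str                     # "active" or "terminated"
    termination_date: Optional[date]


@dataclass
class Grant:
    user_id: str
    resource: str                   # e.g. a share or system holding ePHI
    last_reviewed: date             # when an owner last confirmed this grant


def overdue_revocations(roster, grants, today):
    """Grants held by terminated users whose revocation deadline has passed."""
    deadline = {e.user_id: e.termination_date + REVOCATION_WINDOW
                for e in roster if e.status == "terminated" and e.termination_date}
    return sorted((g.user_id, g.resource) for g in grants
                  if g.user_id in deadline and today > deadline[g.user_id])


def orphaned_grants(roster, grants):
    """Grants whose user_id does not appear on the HR roster at all."""
    known = {e.user_id for e in roster}
    return sorted((g.user_id, g.resource) for g in grants if g.user_id not in known)


def stale_grants(grants, today):
    """Grants that have not been re-reviewed within the quarterly interval."""
    return sorted((g.user_id, g.resource) for g in grants
                  if today - g.last_reviewed > REVIEW_INTERVAL)


# Constructed sample data: not real people, systems or dates from the post.
SAMPLE_ROSTER = [
    Employee("alice", "active", None),
    Employee("bob", "terminated", date(2019, 5, 20)),
    Employee("carol", "terminated", date(2019, 5, 28)),
]
SAMPLE_GRANTS = [
    Grant("alice", "ephi-share", date(2019, 1, 15)),   # review is older than 90 days
    Grant("alice", "billing-db", date(2019, 5, 1)),
    Grant("bob", "ephi-share", date(2019, 5, 1)),      # left 9 days ago, still has access
    Grant("carol", "ephi-share", date(2019, 5, 1)),    # left yesterday, still inside window
    Grant("dave", "ephi-share", date(2019, 5, 1)),     # no roster entry at all
]


def run_review(today=date(2019, 5, 29)):
    """Run all three checks over the sample data and return the findings."""
    return {
        "overdue_revocations": overdue_revocations(SAMPLE_ROSTER, SAMPLE_GRANTS, today),
        "orphaned_grants": orphaned_grants(SAMPLE_ROSTER, SAMPLE_GRANTS),
        "stale_grants": stale_grants(SAMPLE_GRANTS, today),
    }


if __name__ == "__main__":
    for finding, rows in run_review().items():
        print(f"{finding}: {rows}")
```

Each finding maps to an action in the plans described above: overdue revocations go straight to the termination checklist owner, orphaned grants need an owner assigned or the access removed, and stale grants are the quarterly review queue. Running this on a schedule turns "review permissions once a quarter" from an intention into a report someone has to close out.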
Scheduled routine maintenance and official plans and policies may seem like extra work, but with the potential monetary and reputational repercussions that breaches incur, it’s well worth it. Plus, ensuring private documents stay private is just the right thing to do.
1. U.S. Department of Health and Human Services. (2018, December 11). Colorado hospital failed to terminate former employee's access to electronic protected health information. Retrieved May 29, 2019, from https://www.hhs.gov/about/news/2018/12/11/colorado-hospital-failed-to-terminate-former-employees-access-to-electronic-protected-health-information.html