Can former employees still access your organization’s PHI?
A 2014 survey of employees by Osterman Research found that a whopping 89% of respondents retained access (in the form of a login and password) to at least one system of a former employer – such as Salesforce, PayPal, email, SharePoint or other sensitive programs and applications. And almost half of the respondents surveyed (49%) had actually logged in to one of these still-accessible accounts after leaving the organization. In addition, 68% of respondents used a personally managed file-sharing solution such as Dropbox, Google Drive or Box.
The report was commissioned by the vendor Intermedia, which is using it to promote its cloud storage application. Few details regarding the study methodology were published, except that 379 online surveys were completed by individuals who used a computer for more than 50% of a typical workday in both their current and previous jobs. No details are provided about the industries involved. While one should always use care when reviewing a study created for marketing purposes, this report identifies trends and suggests best practices that healthcare organizations should consider.
Most health care organizations are diligent about disabling user IDs in Active Directory, the electronic health record (EHR), revenue cycle systems and other major applications that store ePHI. However, secondary applications, such as PACS, lab, pharmacy, clearinghouse, appointment reminder and other systems, may not be included in these processes. Finally, as this report shows, there may be departmental applications that IT administrators are not aware of, and beyond that, individual employees may establish personal accounts with cloud storage providers without any sort of approval or “blessing”.
Another Osterman study found that employees use an average of nearly 15 applications including corporate email, archiving and compliance solutions, mobility solutions, real-time communications, security, telephony, etc.
Most of us are familiar with the “Bring Your Own Device (BYOD)” reality. The Osterman report coins the term, “Bring Your Own Application (BYOA)”, and another term–“rogue application”. To enhance their productivity, employees are setting up their own free accounts on Dropbox, Google Drive, Box, Office 365 and other cloud services. Setting these accounts up may improve their productivity and may often be done with good intention. However, when this happens organizations lose control of their data.
The risks of these trends include:
- Violations of HIPAA and of state data breach notification statutes
- Loss of intellectual property
- Potential alteration of data
- Vulnerability to malicious ex-employees
Best practices to address this growing threat include:
- Conduct a comprehensive inventory of applications, especially including cloud applications. This might require employee surveys, network scanning or other discovery tools.
- Include a rigorous employee exit process, including asking about any and all cloud applications to which the employee has access, including any that are not on the standard exit paperwork. Furthermore, obtain a signed statement that they will not access corporate data after they leave and that, if they come across sources of data they had forgotten, they will immediately inform the organization and delete the data.
- Establish policies regarding appropriate use of IT resources, and explicitly address the need for approval prior to establishing any cloud application.
- Consider a single sign-on (SSO) solution to centralize control of access to both internal applications and cloud storage applications.
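The gap described above (secondary applications such as PACS or lab systems that the standard deprovisioning process never touches) is easiest to close with a periodic reconciliation: export the user list from each application and compare it against the HR termination feed. The script below is an added example, not code from the original article or from Osterman Research or Intermedia. The CSV column names (`employee_id`, `email`, `terminated_on`, `username`, `enabled`, `last_login`), the application names and every record in it are constructed for illustration; real exports will need their columns mapped into this shape first.

```python
"""Reconcile application user exports against an HR termination list.

Added example, not from the original article: all formats, column names
and records below are constructed for illustration.
"""
import csv
import io
from datetime import date

# Constructed HR feed: one row per employee; blank terminated_on = still employed.
HR_CSV = """employee_id,email,terminated_on
1001,alice@example-health.org,
1002,bob@example-health.org,2014-03-15
1003,carol@example-health.org,2014-06-01
1004,dave@example-health.org,
"""

# Constructed per-application user exports. Only email and an enabled flag are
# assumed to exist in every system; last_login is optional and may be blank.
APP_EXPORTS = {
    "PACS": """username,email,enabled,last_login
alice,alice@example-health.org,true,2014-06-20
bob,bob@example-health.org,true,2014-04-02
carol,carol@example-health.org,false,2014-05-30
""",
    "lab": """username,email,enabled,last_login
bob,bob@example-health.org,true,
rad-shared,radiology-shared@example-health.org,true,2014-06-21
dave,dave@example-health.org,true,2014-06-19
""",
}


def parse_csv(text):
    """Parse an in-memory CSV export into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def load_terminations(hr_csv):
    """Return {email: termination date} for every separated employee."""
    terms = {}
    for row in parse_csv(hr_csv):
        if row["terminated_on"]:
            terms[row["email"].lower()] = date.fromisoformat(row["terminated_on"])
    return terms


def reconcile(hr_csv, app_exports):
    """Return (application, username, finding) tuples for enabled accounts that
    the exit process missed.

    orphaned  - enabled account whose owner HR shows as terminated
    post_exit - orphaned account that was also used after the termination date
    unmatched - enabled account with no HR record (shared, service or
                departmental account that needs an identified owner)
    """
    terms = load_terminations(hr_csv)
    known = {row["email"].lower() for row in parse_csv(hr_csv)}
    findings = []
    for app, export in app_exports.items():
        for row in parse_csv(export):
            if row["enabled"].strip().lower() != "true":
                continue  # already disabled; nothing to report
            email = row["email"].lower()
            if email in terms:
                kind = "orphaned"
                last = (row.get("last_login") or "").strip()
                if last and date.fromisoformat(last) > terms[email]:
                    kind = "post_exit"
                findings.append((app, row["username"], kind))
            elif email not in known:
                findings.append((app, row["username"], "unmatched"))
    return sorted(findings)


if __name__ == "__main__":
    for app, user, kind in reconcile(HR_CSV, APP_EXPORTS):
        print(f"{app}: {user} -> {kind}")
```

On the constructed data this reports bob's PACS account as `post_exit` (logged in after his 2014-03-15 termination), his lab account as `orphaned`, and the `rad-shared` lab account as `unmatched`; carol's PACS account is already disabled and is not reported. The `post_exit` finding is the one to escalate first, since it is evidence of access to ePHI after separation rather than merely a hygiene gap, and the `unmatched` list is a cheap way to surface the departmental and shared accounts that the article warns IT may not know about.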