Insider Threats - Part 2

Episode 15: Know The Rules! Insider Threats – Part 2

In last week's episode I introduced you to insider threats and the different types, and left off discussing Do You Know Who Your Employees Are? (Continued from part 1.)

Covered Entities (CEs) and Business Associates (BAs) should consider:

• Developing policies and procedures to mitigate the possibility of theft of electronic protected health information (ePHI), sabotage of systems or devices containing ePHI, and fraud involving ePHI. These policies and procedures should enforce separation of duties and least privileges, while also applying rules that control and manage access, configuration changes, and authentication to information systems and applications that create, receive, maintain, or transmit ePHI.

• Conducting screening processes on all potential workforce members to determine if they are trustworthy and appropriate for the role for which they are being considered. Screening can range from minimal to more stringent procedures, based on the risk analysis performed by the entity and the role of the potential employee. Examples of potential screening processes include checks of the Health & Human Services (HHS) Office of Inspector General (OIG) List of Excluded Individuals and Entities (LEIE) for healthcare fraud and related exclusions, and criminal history checks to verify past criminal acts. When implementing a screening process, please be sure to review and comply with any applicable federal, state or local laws regarding the use of screening as part of the hiring process.

Following are the US-CERT steps to protect ePHI from insider threats:

  1. Consider threats from insiders and BAs in comprehensive enterprise-wide risk analysis.
  2. Clearly document and consistently enforce policies and controls. Remember, if it’s not documented it didn’t happen!
  3. Incorporate insider threat awareness into periodic security training for all employees.
  4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
  5. Anticipate and manage negative issues in the work environment.
  6. Know your assets.
  7. Implement strict password and account management policies and practices.
  8. Enforce separation of duties and least privilege.
  9. Define explicit Business Associates Agreements (BAA) for any cloud services, especially access restrictions and monitoring capabilities.
  10. Institute stringent access controls and monitoring policies on privileged users.
  11. Institutionalize system change controls.
  12. Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
  13. Monitor and control remote access from all end points, including mobile devices.
  14. Develop a comprehensive employee termination procedure.
  15. Implement secure backup and recovery processes.
  16. Develop a formalized insider threat program.
  17. Establish a baseline of normal network device behavior.
  18. Be especially vigilant regarding social media.
  19. Close the doors to unauthorized data exfiltration.
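Several of the steps above (12: log, monitor and audit with a SIEM; 14: termination procedures; 17: a baseline of normal behavior; 19: closing the doors to exfiltration) come together in one kind of detection rule. The script below is an added example, not code from the post or from US-CERT: it builds a per-user baseline of how many distinct patient records each account normally touches per day, then flags deviations on a later day. The log format, the account names, the HR termination feed and the working-hours window are all constructed for illustration and are not a real product's format.

```python
from collections import defaultdict
from datetime import date, datetime, time

# Constructed sample ePHI access log (hypothetical format):
# ISO timestamp, account, action, patient record id.
# 2024-03-04 and 2024-03-05 form the baseline; 2024-03-11 is the day under review.
SAMPLE_LOG = """\
2024-03-04T09:12:00 nurse.jlee view 10001
2024-03-04T14:05:00 nurse.jlee view 10002
2024-03-04T11:00:00 billing.rkim view 10001
2024-03-04T15:30:00 billing.rkim view 10003
2024-03-04T11:20:00 clerk.tsmith view 10002
2024-03-05T08:50:00 nurse.jlee view 10004
2024-03-05T13:10:00 nurse.jlee view 10005
2024-03-05T10:15:00 billing.rkim view 10004
2024-03-05T16:45:00 billing.rkim view 10002
2024-03-11T09:00:00 nurse.jlee view 10011
2024-03-11T09:20:00 nurse.jlee view 10012
2024-03-11T09:35:00 nurse.jlee view 10013
2024-03-11T09:50:00 nurse.jlee view 10014
2024-03-11T10:05:00 nurse.jlee view 10015
2024-03-11T10:20:00 nurse.jlee view 10016
2024-03-11T10:40:00 nurse.jlee view 10017
2024-03-11T17:58:00 nurse.jlee export 10011
2024-03-11T23:15:00 billing.rkim view 10011
2024-03-11T10:30:00 clerk.tsmith view 10005
"""

# Hypothetical HR termination feed (constructed): account -> last working day.
TERMINATED = {"clerk.tsmith": date(2024, 3, 8)}

# Assumed policy: ePHI access outside this window is unexpected for these roles.
WORK_START, WORK_END = time(6, 0), time(20, 0)


def parse_log(text):
    """Parse 'timestamp account action record' lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record})
    return events


def build_baseline(events, last_baseline_day):
    """Average distinct records each account touches per active day,
    using only events on or before last_baseline_day."""
    per_day = defaultdict(lambda: defaultdict(set))  # user -> day -> records
    for e in events:
        if e["ts"].date() <= last_baseline_day:
            per_day[e["user"]][e["ts"].date()].add(e["record"])
    return {user: sum(len(r) for r in days.values()) / len(days)
            for user, days in per_day.items()}


def detect(events, baseline, day, spike_factor=3.0):
    """Return sorted (account, reason) findings for events on `day`."""
    findings = []
    touched = defaultdict(set)  # user -> distinct records on `day`
    for e in events:
        if e["ts"].date() != day:
            continue
        user = e["user"]
        touched[user].add(e["record"])
        # Step 14: a terminated account should have no activity after its last day.
        if user in TERMINATED and e["ts"].date() > TERMINATED[user]:
            findings.append((user, "terminated_account_active"))
        # Step 17: activity outside the normal working window.
        if not WORK_START <= e["ts"].time() < WORK_END:
            findings.append((user, "off_hours_access"))
        # Step 19: bulk export is an exfiltration channel worth reviewing.
        if e["action"] == "export":
            findings.append((user, "export_action"))
    for user, records in touched.items():
        expected = baseline.get(user)
        if expected is None:
            findings.append((user, "no_baseline"))
        elif len(records) > spike_factor * expected:
            findings.append((user, "volume_spike"))
    return sorted(set(findings))


def run():
    """Build the baseline from the first two days and review 2024-03-11."""
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, date(2024, 3, 5))
    return detect(events, baseline, date(2024, 3, 11))


if __name__ == "__main__":
    for user, reason in run():
        print(f"{user:14} {reason}")
```

On the constructed data, run() reports an off-hours view by billing.rkim, activity on the terminated clerk.tsmith account, and both a record-volume spike and an export by nurse.jlee. Each finding is a prompt for review against the access policies in steps 7, 8 and 10, not a verdict; the baseline window, spike factor and working hours are the knobs a practice tunes to its own risk analysis.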

Remember: Any change made to the equipment used to create, receive, maintain, or transmit a practice’s PHI requires an update to the risk analysis.

Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Don’t know where or how to start or update your HIPAA security compliance training? Let’s chat about your compliance program – schedule a call with HIPAA alli today!