Safeguarding data in the healthcare industry has never been more crucial. As one of the top five most vulnerable sectors, healthcare organizations face increasing threats to the privacy and security of sensitive patient information. With cyberattacks on the rise and strict regulatory requirements in place, protecting this data has become not just a priority, but a critical necessity.
There are many causes of data breaches, and they can vary widely depending on the specific circumstances. Some of the most common reasons that contribute to the majority of data breaches can include human error, weak passwords or vulnerabilities across an IT system.
But, one of the most concerning and sometimes overlooked is insider threats. Employees, contractors, or other trusted individuals with access to sensitive data may intentionally or unintentionally misuse or abuse their privileges. And, as healthcare organizations rely more on electronic systems to manage patient information, the need for proper employee access management becomes a critical element of cybersecurity.
Onboarding and Offboarding
When hiring new employees, onboarding and offboarding IT processes and access can serve as the first and last lines of defense. Both processes are vital for maintaining a secure environment and preventing unauthorized access, data leaks, and potential breaches.
Healthcare organizations need structured, automated, and highly monitored processes to ensure that only authorized individuals have access to sensitive data at any given time, and those no longer in the system lose their access completely. Failure to do so opens the door to all kinds of potential issues.
We can look to other industries as examples of what can happen when people in an organization are given improper access. The most well-known example comes from the financial world – in which the Sarbanes-Oxley Act was created in 2002, as a response to corporate fraud and failures in access controls. The case involved a trader at a bank who had inappropriate access permissions, allowing him to trade far beyond his limits and highlighting the dangers of improper access control and oversight. In healthcare, similar risks exist when employees have unchecked access to sensitive patient data, potentially leading to data breaches, fraud, or unauthorized sharing of data.
Joiners, Movers and Leavers
Effective access management involves categorizing employees into three groups: joiners, movers, and leavers. Joiners are new hires, movers are employees transitioning within the organization, and leavers are individuals who are exiting a company.
The problem of joiners, movers, and leavers can be addressed if we break it down and understand the vulnerabilities at the onset.
- Joiners: The onboarding process is a critical phase in ensuring that new employees understand and comply with data security protocols from day one. During onboarding, employees are assigned roles and permissions that should align precisely with their job responsibilities. This includes setting up access to relevant electronic health records (EHR) systems, prescribing systems, patient management software, and other sensitive databases. By establishing clear policies during onboarding, healthcare organizations can prevent future security risks that often stem from improper access controls.It is critical for ensuring new hires are granted appropriate access. However, if not carefully managed, new employees may inadvertently be given access to more systems than they need, increasing the risk of data breaches.
- Movers: When employees transition into new roles within the organization, they often accumulate additional access privileges without having old, unnecessary permissions revoked. For instance, a nurse who starts in the cardiology department may be granted access to cardiovascular health records. Over time, they may move to oncology, where they are granted access to oncology patient records, but they still retain their original access to other departmental files. Without proper oversight, this accumulation of access across departments can lead to significant security risks and HIPAA violations. In extreme cases, an employee may end up with access to all departments’ data, regardless of whether it’s necessary for their role.In any organization, people don’t just come and go, but they also move throughout a company during their careers, collecting access to various systems and data without necessarily losing it when their responsibilities change. This phenomenon is particularly dangerous in healthcare, where sensitive patient data is at stake.
- Leavers: Offboarding employees is perhaps the most critical aspect of access control, as failing to revoke access after an employee has left the organization opens the door to unauthorized access. In some cases, former employees retain access to systems for years, posing an immense security risk. There have been incidents where deceased individuals still had active accounts in hospital systems, as their access was never terminated. Without a structured offboarding process, these accounts can become targets for cyberattacks or inadvertent leaks of sensitive data.A common scenario can involve shadow IT, where departments within the organization deploy their own systems and applications without IT’s knowledge. For example, a team may set up a collaboration tool for sharing medical research and data, but IT might not be aware of it. When an employee leaves, their access to the organization’s core system is revoked, but they may still retain access to these shadow systems, allowing them to continue accessing or even sharing confidential patient information long after they’ve departed.Third-party contractors add further complexity to access management in healthcare. Contractor onboarding and offboarding are often handled differently than full-time employees, with contractors’ access managed directly by the line of business rather than HR or IT. This leads to situations where contractors retain access long after their contracts expire. Additionally, access to systems could be granted without going through formal IT processes, making it difficult to track and revoke permissions.Offboarding employees must be a systematic and automated process. Organizations should have a “single sign-on” (SSO) system that immediately revokes access across all platforms when an employee leaves. Simply locking the front door by revoking login access isn’t enough. Access entitlements, or permissions that determine what an individual can do within a system, must also be removed. In many cases, a former employee’s identity still exists in the system, and they may retain privileges even if they can no longer log in through the main portal. This is particularly true in organizations that do not have a robust SSO solution.
Secure Access Requires Vigilance
Healthcare organizations must take a holistic approach to managing the joiners, movers, and leavers.
From day one, new hires must be granted the correct permissions and understand the importance of data security. As employees move through the organization, their access must be regularly audited and revoked as necessary. Lastly, when employees leave, access must be terminated across all systems, including shadow IT, to prevent unauthorized data access.
With increased cyberattacks and stringent regulatory requirements, healthcare providers cannot afford to overlook the importance of secure onboarding and offboarding processes. Only by managing access carefully at every stage of the employee lifecycle can organizations ensure their protection.
ABOUT THE AUTHOR
Jim Ducharme
Chief Technology Officer
Jim leads ClearDATA’s Engineering, Product Management, and IT teams. He has more than 25 years leading product organizations in the identity, integrated risk, and fraud management markets. Prior to joining ClearDATA, Jim served as Chief Operating Officer of Outseer, an RSA Company, where he served over 10 years in executive leadership roles. Prior to RSA in 2012, he served in executive leadership roles for Aveksa, CA and Netegrity. Ducharme frequently speaks at industry events and regularly contributes articles to trade publications.
Jim also holds several patents and a Bachelor of Science in Computer Science degree from the University of New Hampshire. He and his wife live in Maine in their dream log home, which was featured in Log and Timber Home Living magazine.