Hoala Greevy, Author at ReadWrite (https://readwrite.com/author/hoala-greevy/)

3 Steps to Stop Unauthorized PHI Access by Terminated Team Members
https://readwrite.com/3-steps-to-stop-unauthorized-phi-access-by-terminated-team-members/
Mon, 12 Nov 2018


In February 2017, the Transformations Autism Treatment Center learned that one of its former behavioral analysts had breached its security. According to his indictment, Jeffrey Luke illegally accessed a TACT Google Drive account and stole protected health information from more than 300 current and former patients.

TACT’s breach is especially concerning because Luke had already been terminated. Per protocol, TACT changed the passwords on all of its accounts after the termination. A month later, however, employees noticed that files in the organization’s Google Drive account had been moved. The Department of Justice traced the IP address used to access the account back to Luke and found patient records, templates and forms, and records from another of Luke’s former employers on his computer.

This incident is also concerning because it is just one of many examples of healthcare organizations leaving themselves and their data exposed after a termination. When an employee or other team member leaves, covered entities and their business associates must completely terminate the former team member’s access to the organization’s systems, not merely rotate a password.

These three steps can help organizations ensure they’ve covered all their bases:

1. Create user roles and control access by role.

Controlling access is the backbone of healthcare IT security, and making that access role-based is the most effective way to control it. That is especially true for internet-based applications that can be reached from outside the organization’s network. You can assign each employee a role and the level of access appropriate to it, or create role groups for specific departments. Either way, access can be removed or reassigned immediately when an employee is terminated. Avoid shared accounts wherever possible; if you must use them, rotate their credentials as soon as an employee leaves.

Most healthcare applications come with role-based access built in, but it is only effective when properly documented. Integration can tie your systems together to streamline access, but unless every application authenticates through one central identity provider, there is no single place that controls access across platforms. Good documentation lets you track when employees are given access, what they are able to do with it, and when it is time to expand, reduce, or revoke it.

2. Be honest and transparent about monitoring employees’ access.

Tightly securing healthcare data has become a greater challenge thanks to internet integration, off-site data access, and the increasing use of personal devices among team members. Clearly defining each employee’s role and the level of access that role warrants is therefore only the first step. It must be followed by honesty and transparency about how your organization will monitor and enforce role-based access to its systems.

When employees use personal devices, protecting their personal information matters just as much. Have a clear policy that states how much the IT department will monitor the device, how the organization will protect the employee’s personal data, and what constitutes appropriate use of the device. For example, the policy might forbid using a personal device to access data off the clock and spell out the consequences of doing so. You should also be able to wipe organizational data from an employee’s device remotely; Google’s G Suite (now Google Workspace) is one work environment that offers this functionality.

3. Keep a tight inventory of company and personal devices.

Whether employees use personal devices or stick to company-assigned laptops and smart devices, track all of them. A device inventory makes it easier, as part of a comprehensive off-boarding process, to collect every company-owned device and remove access and files from any personal ones. Wipe all equipment you retrieve so that it cannot become the source of a later breach.

As TACT learned, the fact that a former employee no longer holds a device or does not know the new password does not mean they can no longer get in. In many systems, sessions and API tokens issued before a password change stay valid until they are explicitly revoked, so revocation has to cover those too. Before declaring your network safe again, check off every device on the inventory assigned to the terminated employee, and remove or reassign every role the employee held within the system. Even if you plan to dispose of an old device, wipe it thoroughly first.
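The check a practitioner would want after an off-boarding is evidence that the former account really went quiet. The script below is an added example, not code from the article, TACT, or Google: it runs two detections over a constructed Drive-style audit log (actor, action, resource, source IP per line, an assumed simplification of a real audit export) against a constructed roster with a termination date. It flags any activity by a terminated account after its termination date, and any activity by an account that is neither active nor known to be terminated, then lists the source IPs to investigate, the same pivot the article describes the DOJ using.

```python
"""Flag audit events by accounts that off-boarding should have locked out.

Added example for illustration. The roster, the termination date and the
audit log lines are constructed; the whitespace-separated log format
(timestamp actor action resource ip) is an assumed simplification of a
cloud-storage audit export, which in practice is usually JSON.
"""
from datetime import datetime, timezone

# Constructed roster: active accounts, and terminated accounts with their
# termination time (UTC).
ACTIVE = {"nurse1@clinic.example", "admin@clinic.example"}
TERMINATED = {"analyst1@clinic.example": datetime(2017, 1, 10, tzinfo=timezone.utc)}

# Constructed audit log. The second line is the pattern TACT saw: files moved
# by an account that had already been terminated.
AUDIT_LOG = """\
2017-01-09T15:02:11Z analyst1@clinic.example move patient_forms/ 203.0.113.5
2017-02-14T02:31:40Z analyst1@clinic.example move patient_records/ 198.51.100.7
2017-02-14T09:00:03Z nurse1@clinic.example view intake_template.docx 192.0.2.10
2017-02-15T11:20:00Z contractor@clinic.example download billing.xlsx 198.51.100.7
"""


def parse_event(line):
    """Parse one constructed log line into a dict with an aware UTC timestamp."""
    ts, actor, action, resource, ip = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "actor": actor, "action": action,
            "resource": resource, "ip": ip}


def find_offboarding_gaps(log_text, active, terminated):
    """Return (kind, actor, iso_time, ip) tuples for activity that should be impossible.

    kind is one of:
      post_termination - a terminated account acted after its termination date
      unknown_account  - an actor that is neither active nor known-terminated
                         (an orphaned or never-inventoried account)
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        actor = ev["actor"]
        if actor in terminated:
            if ev["time"] > terminated[actor]:
                findings.append(("post_termination", actor,
                                 ev["time"].isoformat(), ev["ip"]))
        elif actor not in active:
            findings.append(("unknown_account", actor,
                             ev["time"].isoformat(), ev["ip"]))
    return findings


def ips_to_investigate(findings):
    """Distinct source IPs behind the findings, for the incident responder."""
    return sorted({f[3] for f in findings})


if __name__ == "__main__":
    gaps = find_offboarding_gaps(AUDIT_LOG, ACTIVE, TERMINATED)
    for gap in gaps:
        print(*gap)
    print("investigate:", ", ".join(ips_to_investigate(gaps)))
```

On the constructed log this reports the post-termination move by the terminated analyst and the download by an account nobody inventoried, both from the same address. Run it against a real export on a schedule, not once, because the TACT activity surfaced a month after the termination.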

Many data breaches can be avoided with proper access control and a comprehensive policy for off-boarding terminated employees. The TACT breach is notable for that reason, but it is not the only example. An ex-employee of John Muir Health was also charged with stealing information on more than 5,000 of Muir’s patients and delivering it to her new employer.

There is a fine line between being cautious and becoming authoritarian. When dealing with PHI, organizations must walk that line as closely as possible without crossing it. Technology will help control access to your organization according to team members’ roles. Transparency will keep everyone on the same page about accountability. And maintaining a tight inventory of authorized devices will make terminating access easier and more effective.

The post 3 Steps to Stop Unauthorized PHI Access by Terminated Team Members appeared first on ReadWrite.

BYOD Is More than a Trend: Here’s How to Encourage It While Still Keeping Your Network Safe
https://readwrite.com/byod-is-more-than-a-trend-heres-how-to-encourage-it-while-still-keeping-your-network-safe/
Wed, 26 Sep 2018


The trend of bringing your own device (BYOD) to work in healthcare is based on efficiency. Being able to communicate on devices they’re familiar with can help doctors, nurses, and care teams respond faster, which translates into better experiences for patients.

In fact, it’s widespread enough that calling BYOD a trend might not be accurate anymore. Just last year, a Spok survey found that 71 percent of healthcare organizations allow staff members to bring and use their own devices at work. In addition, 63 percent of doctors and 41 percent of nurses say they use their personal devices even without permission.

With or without approval, BYOD is growing, so strict policies should guide it. People are only human, and humans make mistakes. You cannot always prevent those mistakes, but you can remove the ways in which they could affect your organization’s overall security.

Regulating BYOD Policies

It’s unrealistic to expect everyone within your organization to stop using their own devices. It’s just as unrealistic to foot the cost of buying and managing devices for every single employee (especially if your organization is larger). However, the productivity and efficiency gains that come with a mobile workforce are undeniable.

For many employees, simply being mobile can increase productivity by up to 34 percent, according to a Samsung-sponsored Frost & Sullivan survey. In another study, well-implemented BYOD policies have accounted for average company savings of up to $350 per employee per year.

Despite these advantages, protecting data has always been a cornerstone of healthcare privacy and security regulation, and that task becomes far more challenging when everyone uses their own devices. In multiple attempts to meet that challenge, 34 state legislatures have passed a total of 63 bills designed to rein in the risks of mobilized healthcare.

A majority of the bills help define what telemedicine and telehealth entail, as well as standards to decide when either is appropriate. For example, in Arkansas, legislation now dictates that children in school can only receive telehealth services from their primary care physicians or from directly authorized clinicians.

Such legislation may or may not prove beneficial to healthcare security in the long run, but it highlights an important point: The issue isn’t really about whether you should allow BYOD; it’s about how you can make personal devices as secure as your organization’s network. The answer starts with these three tips:

1. Group employees into roles, and then define their access.

First, set rules around how much access employees need according to their defined roles. Access is easier to manage with role-based rules than by defining it for each individual employee. This also reduces the instances in which employees inadvertently create vulnerabilities and raise the organization’s risk of an internal breach.

For example, well-intentioned gestures such as sharing passwords with co-workers so they can reach health records are far less likely when each role already has the access it needs. In a University of Phoenix College of Health Professions survey, 59 percent of nurses and 60 percent of administrators pointed to role-based access as one of the most effective ways to protect patient data.

2. Don’t allow devices that can’t be properly secured.

Along with insider breaches, hacking and IT incidents made up 37 percent of all healthcare data breaches in 2017. Most of these didn’t occur because of employee error; they occurred because of a failure to properly secure every device within the network. Therefore, the next step is to secure an employee’s device by ensuring it’s encrypted and locked.

A security PIN might be adequate, but biometric unlock (fingerprint, face, or iris) is harder to mimic than a PIN is to guess or shoulder-surf, so any locally stored data is better protected if the device is lost or stolen. One caveat: on current phones a biometric unlocks keys that are ultimately protected by the passcode, and the passcode remains the fallback, so still require a strong one. This will mean limiting devices to models that support these measures.

3. Keep data off devices by using agentless software.

Most modern smartphones and personal devices come with a variety of biometric locks to safeguard the data they store. Yet the surest way to keep certain data safe if a device is stolen is to keep it off the device in the first place. Agentless software lets a device use programs and files without storing them locally.

No matter which device accesses the data, it stays in the cloud or, less commonly, on the organization’s own servers. IT security administrators control access centrally, including cutting off compromised devices. Organizations can rest easier knowing their data is safe, and employees do not have to install intrusive software on their devices.

4. If an app needs an agent, containerize it.

Some applications and programs must be installed to be used, making an agentless approach impossible. For such applications, containerization is often the next best strategy. Containerization lets the device’s operating system isolate work-related apps and their data from personal ones.

Contained apps cannot share files or data with personal apps, so they cannot read the employee’s personal data, and personal apps cannot reach work data. Policy can also restrict contained apps to working only while the device is on the organization’s network, so that outside of work the work-related data stays safely inaccessible.

5. Force encryption in every application that allows it.

So far, you’ve taken steps to ensure an employee’s personal device is as secure as it can be. However, human behavior and choices create variables where there should be none when it comes to securing your organization’s network. Use software and applications that allow you to automatically implement certain security measures so users don’t have to remember or guess.

For example, emails sent from within the organization can be forcibly encrypted whether or not the employee chooses encryption. Certain apps can demand biometric or PIN access even if the employee didn’t sign out properly after using it the last time. Wherever possible, make encryption and security automatic to eliminate the variables of human error.

6. Keep staff members updated by pushing reminders to their devices.

It might go without saying, but any good BYOD policy must be updated constantly to keep up with ever-advancing technology. Sound policies are essential, but few people remember the employee handbooks they’re asked to read on their first day. Likewise, BYOD policies will be easily forgotten without routine reminders.

You can also keep security fresh in employees’ minds by pushing updates and reminders through text and email. Routinely evaluate employees’ devices to ensure security measures are still functioning properly. Also, implement a process that makes it easy for employees to enroll new devices and remove old ones, so upgrades do not cause security hiccups.
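Steps 2 through 6 amount to a device posture policy, and the routine evaluation above is what enforces it. The script below is an added example, not code from the article or from any MDM product: it encodes a constructed minimum policy (encryption, screen lock, a containerized work profile, a minimum OS version, no rooted devices) and evaluates constructed inventory records against it, returning an allow-or-block decision with the reasons. Real endpoint-management APIs expose the same attributes under their own names; the field names here are assumed.

```python
"""Evaluate BYOD device posture against a minimum policy before granting access.

Added example. POLICY and DEVICES are constructed; the attribute names are an
assumption standing in for whatever an MDM or endpoint-management export uses.
"""

# Constructed minimum policy for devices allowed to reach PHI.
POLICY = {
    "require_encryption": True,        # step 2: storage must be encrypted
    "require_screen_lock": True,       # step 2: PIN at minimum
    "prefer_biometric": True,          # reported, not enforced: the passcode is the fallback
    "require_work_profile": True,      # step 4: work apps containerized
    "min_os": {"ios": (12, 0), "android": (8, 0)},  # step 6: keep devices current
    "allow_rooted": False,
}

# Constructed inventory records, as an MDM export might provide them.
DEVICES = [
    {"id": "d1", "owner": "nurse1", "os": "ios", "os_version": "12.1",
     "encrypted": True, "screen_lock": "biometric", "work_profile": True, "rooted": False},
    {"id": "d2", "owner": "doc2", "os": "android", "os_version": "7.1",
     "encrypted": True, "screen_lock": "pin", "work_profile": True, "rooted": False},
    {"id": "d3", "owner": "admin3", "os": "android", "os_version": "9.0",
     "encrypted": False, "screen_lock": "none", "work_profile": False, "rooted": True},
    {"id": "d4", "owner": "tech4", "os": "ios", "os_version": "13.2",
     "encrypted": True, "screen_lock": "pin", "work_profile": True, "rooted": False},
]


def parse_version(text):
    """'12.1' -> (12, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device, policy):
    """Return the list of policy violations for one device; empty means compliant."""
    violations = []
    if policy["require_encryption"] and not device["encrypted"]:
        violations.append("storage not encrypted")
    if policy["require_screen_lock"] and device["screen_lock"] == "none":
        violations.append("no screen lock")
    if policy["require_work_profile"] and not device["work_profile"]:
        violations.append("no containerized work profile")
    if not policy["allow_rooted"] and device["rooted"]:
        violations.append("rooted or jailbroken")
    minimum = policy["min_os"].get(device["os"])
    if minimum is None:
        violations.append("unsupported platform")
    elif parse_version(device["os_version"]) < minimum:
        violations.append("os below minimum")
    return violations


def access_decisions(devices, policy):
    """Map device id -> ('allow' | 'block', violations)."""
    decisions = {}
    for device in devices:
        violations = evaluate(device, policy)
        decisions[device["id"]] = ("block" if violations else "allow", violations)
    return decisions


def advisory_notes(devices, policy):
    """Compliant devices that still miss the preferred (not required) biometric lock."""
    return [d["id"] for d in devices
            if policy["prefer_biometric"]
            and not evaluate(d, policy)
            and d["screen_lock"] != "biometric"]


if __name__ == "__main__":
    for dev_id, (decision, why) in access_decisions(DEVICES, POLICY).items():
        print(dev_id, decision, "; ".join(why))
    print("advise biometric:", advisory_notes(DEVICES, POLICY))
```

The distinction between required and preferred settings is deliberate: blocking on encryption, lock and OS version keeps unsecurable devices off the network (step 2), while biometric unlock is reported as advice because the passcode still underpins it.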

BYOD policies can seem like a huge challenge, but there are a plethora of tech options available that can help your organization regulate yours. Instead of leaving security up to device owners and opening up more holes into your network, limit the risk of a breach by letting technology secure your data as much as possible.

The post BYOD Is More than a Trend: Here’s How to Encourage It While Still Keeping Your Network Safe appeared first on ReadWrite.
