No one likes to think about it, but malicious insiders and other insider threats are the cause of a significant number of healthcare data breaches. The insider can be a disgruntled employee, a recently terminated member of staff, or someone who is being bribed to provide patient information. While these may be some of the hardest attacks to guard against, they are preventable. Here are a few steps to keep in mind:
Screen New Hires: One of the best prevention methods is to not hire someone who turns out to be a malicious employee in the first place. You may consider completing a background check on all new hires and even periodic checks on current staff members. While not an exact science, it may help to identify potential bad actors before they cause any damage;
Terminate Access Immediately: When employees leave an organization there can be hard feelings, which can lead to irrational decisions. To guard against this, you should terminate all access to PHI immediately upon the employee leaving the organization, including remote and VPN access, badge access, and any shared accounts or passwords the person knew. Any delay in terminating access leaves you susceptible to the whims of a disgruntled former employee;
Perform Regular Access Audits: Having a process in place to review logs of who within your organization is accessing PHI, which records they are accessing, and when, is a helpful tool for spotting a snooping employee. To be truly effective, the logs must be reviewed on a consistent basis, and the review should compare each access against the user's role and treatment relationship with the patient, so that you can identify an employee who is accessing PHI unnecessarily or pick up suspicious patterns such as after-hours access or an unusually high volume of chart lookups. The logs themselves also need to be retained and protected so that the insider you are looking for cannot alter them; and
Train Staff on Sanctions: Training should cover the sanctions that can be imposed, both by you as the employer and by the authorities, for malicious access to or disclosure of PHI.
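As an added illustration of the access audit step above (this is example code written for this page, not something from the original post or from any particular EHR product), the script below runs three simple checks over a constructed sample of PHI access log records: access with no recorded treatment or billing relationship to the patient, access outside normal working hours, and a user touching more distinct patient charts in a day than expected. The log format (timestamp, user, patient ID, relationship), the working-hours window, and the volume threshold are all assumptions made for the example; a real audit would pull these from your EHR's audit trail and tune the thresholds per role.

```python
"""Flag suspicious PHI access in an audit log (added example, not from the original post)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit records (not real data). Each line is:
# ISO timestamp, user, patient chart accessed, and the relationship the EHR
# recorded between the user and that patient ("care_team", "billing", or "none").
SAMPLE_LOG = """\
2024-03-04T09:12:00,nurse_ali,P1001,care_team
2024-03-04T09:40:00,nurse_ali,P1002,care_team
2024-03-04T10:05:00,billing_cat,P1001,billing
2024-03-04T21:50:00,clerk_bob,P3001,none
2024-03-04T21:52:00,clerk_bob,P3002,none
2024-03-04T21:55:00,clerk_bob,P3003,none
2024-03-04T21:58:00,clerk_bob,P3004,none
2024-03-04T13:30:00,dr_dan,P1003,care_team
2024-03-04T13:45:00,dr_dan,P9000,none
"""

# Assumed policy values for the example: normal hours are 07:00 to 19:00, and
# more than three distinct patients in one day is unusual for the roles shown.
WORK_START_HOUR = 7
WORK_END_HOUR = 19
VOLUME_THRESHOLD = 3


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    patient: str
    relationship: str


def parse_log(text):
    """Parse the comma-separated log format assumed above into Access records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, patient, rel = line.split(",")
        records.append(Access(datetime.fromisoformat(ts), user, patient, rel))
    return records


def audit(records, work_hours=(WORK_START_HOUR, WORK_END_HOUR),
          volume_threshold=VOLUME_THRESHOLD):
    """Return findings as (user, rule, detail) tuples.

    Rules: no treatment/billing relationship, after-hours access, and more
    distinct patients per user per day than the threshold.
    """
    findings = []
    patients_per_user_day = defaultdict(set)
    for r in records:
        if r.relationship == "none":
            findings.append((r.user, "no_treatment_relationship", r.patient))
        if not (work_hours[0] <= r.ts.hour < work_hours[1]):
            findings.append((r.user, "after_hours", f"{r.patient}@{r.ts.isoformat()}"))
        patients_per_user_day[(r.user, r.ts.date())].add(r.patient)
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) > volume_threshold:
            findings.append((user, "high_volume", f"{len(patients)} patients on {day}"))
    return findings


def summarize(findings):
    """Count findings per user so a reviewer sees who to look at first."""
    counts = defaultdict(int)
    for user, _rule, _detail in findings:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG))
    for user, rule, detail in results:
        print(f"{user:12} {rule:26} {detail}")
    print("per-user totals:", summarize(results))
```

On the sample data, nurse_ali and billing_cat produce no findings because every access matches a recorded relationship during working hours; dr_dan is flagged once for opening a chart with no relationship; clerk_bob is flagged on every line for both the missing relationship and the late hour, and once more for volume. The point of the per-user summary is the same as the point of the post: the review only works if someone actually looks at it on a regular schedule and follows up on the names at the top.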
Admittedly, guarding against insider threats is a challenge, but it is possible. If you implement reasonable protections, you can prevent many nefarious actions by your staff and detect and stop the rest before they turn into a major breach.