Last week Anthem began informing 18,000 customers of a breach. It stemmed from a vendor’s employee who emailed Anthem members’ data to a personal email account. The employee was fired and is being investigated by authorities. The incident underscores an important point: insider threats pose a significant risk to Protected Health Information (“PHI”). Here are a few keys to mitigating this risk:
Screen New Hires: The best prevention is to avoid hiring someone who turns out to be a malicious employee in the first place. Consider completing a background check on all new hires, and even periodic checks on current staff members. While not an exact science, screening may help identify potential bad actors before they cause any damage;
Perform Regular Access Audits: Having a process in place to review logs of who within your organization is accessing PHI, and what they are accessing, is a helpful tool for spotting a snooping employee. To be truly effective, the logs need to be reviewed on a regular schedule, not only after an incident, so that you can identify an employee accessing PHI without a business need or pick up suspicious patterns of access, such as unusually high volumes of record lookups compared with peers in the same role, lookups of coworkers or family members, or access outside normal working hours; and
Train Staff on Sanctions: Training should spell out the sanctions that can be imposed, both by you as the employer and by the authorities, for malicious access to or disclosure of PHI.
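To make the access-audit point concrete, here is an added example of the kind of review logic a practitioner could run over PHI access logs. It is not code from Anthem or from this post; the log format, the employee directory, the business-hours window and the volume thresholds are all assumptions chosen for illustration, and the log lines are constructed. It applies three simple heuristics: a user touching far more distinct patient records than peers in the same role, a user opening the record of a patient who shares their surname (a common self- or family-lookup signal), and access outside business hours.

```python
"""Review heuristics for PHI access logs (illustrative; not from the original post).

Assumed log format: CSV with timestamp, user, role, patient_id, patient_surname.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log for this example. One row per PHI record access.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,patient_surname
2015-07-27T09:12:00,nurse_a,nurse,P100,Lopez
2015-07-27T09:40:00,nurse_a,nurse,P101,Chen
2015-07-27T10:05:00,nurse_a,nurse,P102,Okafor
2015-07-27T09:15:00,nurse_b,nurse,P103,Patel
2015-07-27T11:30:00,nurse_b,nurse,P104,Nguyen
2015-07-27T13:00:00,nurse_c,nurse,P105,Smith
2015-07-27T13:20:00,nurse_c,nurse,P106,Jones
2015-07-27T13:25:00,nurse_c,nurse,P107,Brown
2015-07-27T13:30:00,nurse_c,nurse,P108,Davis
2015-07-27T13:35:00,nurse_c,nurse,P109,Miller
2015-07-27T13:40:00,nurse_c,nurse,P110,Wilson
2015-07-27T13:45:00,nurse_c,nurse,P111,Moore
2015-07-27T13:50:00,nurse_c,nurse,P112,Taylor
2015-07-27T13:55:00,nurse_c,nurse,P113,Anderson
2015-07-27T14:00:00,nurse_c,nurse,P114,Thomas
2015-07-27T14:05:00,nurse_c,nurse,P115,Jackson
2015-07-27T14:10:00,nurse_c,nurse,P116,White
2015-07-27T22:40:00,billing_d,billing,P117,Garcia
2015-07-27T10:00:00,billing_e,billing,P118,Martin
"""

# Constructed employee directory (user -> surname), used for the self/family check.
EMPLOYEE_SURNAMES = {
    "nurse_a": "Reyes",
    "nurse_b": "Patel",
    "nurse_c": "Kim",
    "billing_d": "Ortiz",
    "billing_e": "Sato",
}


def parse_log(text):
    """Parse the assumed CSV log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def volume_outliers(rows, mult=3.0, floor=5):
    """Flag users whose distinct-patient count is > mult x the median for their role.

    The floor avoids flagging tiny counts when a role's median is very small.
    """
    per_user = defaultdict(set)
    role_of = {}
    for r in rows:
        per_user[r["user"]].add(r["patient_id"])
        role_of[r["user"]] = r["role"]
    counts_by_role = defaultdict(list)
    for user, patients in per_user.items():
        counts_by_role[role_of[user]].append(len(patients))
    findings = []
    for user, patients in per_user.items():
        n = len(patients)
        median = statistics.median(counts_by_role[role_of[user]])
        if n >= floor and n > mult * median:
            findings.append(("volume", user,
                             f"{n} distinct patients vs role median {median:g}"))
    return findings


def surname_matches(rows, directory):
    """Flag accesses where the patient's surname matches the employee's own."""
    return [
        ("surname", r["user"], f"accessed {r['patient_id']} ({r['patient_surname']})")
        for r in rows
        if directory.get(r["user"], "").lower() == r["patient_surname"].lower()
    ]


def after_hours(rows, start_hour=7, end_hour=19):
    """Flag accesses outside the assumed business-hours window [start, end)."""
    findings = []
    for r in rows:
        hour = datetime.fromisoformat(r["timestamp"]).hour
        if hour < start_hour or hour >= end_hour:
            findings.append(("after_hours", r["user"],
                             f"{r['timestamp']} {r['patient_id']}"))
    return findings


def review(text, directory):
    """Run all heuristics and return a list of (rule, user, detail) findings."""
    rows = parse_log(text)
    return volume_outliers(rows) + surname_matches(rows, directory) + after_hours(rows)


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG, EMPLOYEE_SURNAMES):
        print(f"[{rule}] {user}: {detail}")
```

On the sample data this flags nurse_c for volume (12 distinct patients against a role median of 3), nurse_b for opening a record with a matching surname, and billing_d for a 22:40 lookup. None of these is proof of wrongdoing; each is a lead for a human reviewer to check against a legitimate business need, which is why the review has to happen on a schedule rather than only after a complaint.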
Also, keep in mind what we discussed last week about the risk posed by terminated users. And since the Anthem breach came through a vendor’s employee, the same expectations should extend to vendors and business associates who handle your PHI. Reasonable procedures can mitigate these risks and prevent a costly and damaging breach from the inside.