Tips for Effective Identity and Access Management to Prevent Insider Data Breaches


The HIPAA Security Rule requires the effective management of information access. Employees who are granted access to protected health information must have proper authorization. But what happens when employees leave the organization? The organization needs to make sure that PHI access privileges are terminated immediately. If procedures to terminate access to PHI are not implemented, a data breach can easily happen. Many cases occur every year in which an organization fails to terminate PHI access promptly and former employees log in remotely to the organization’s systems even though they are no longer authorized.

HIPAA-covered entities and business associates need to implement effective identity and access management policies and controls. Terminated employees who can continue to access data systems could copy PHI and take it to a new employer or use it for malicious activities. There are many examples of both types of data breaches on the Department of Health and Human Services’ Office for Civil Rights breach portal.

OCR’s November cybersecurity newsletter highlighted the risk of insider threats resulting from failure to implement effective identity and access management policies. What are some tips for effective identity and access management to prevent these insider data breaches? Read on.

Every time an employee quits, the organization must terminate that employee’s access to PHI immediately. This can be done quickly by deleting the user account. If the employee had access to other accounts, these must be secured as well: change the passwords of any administrative or privileged accounts the employee could use.

Aside from terminating access to electronic protected health information, covered entities and business associates must terminate physical access to health records and facilities. Make sure that the employee returns keys, keycards and ID cards. Change security codes and remove the employee from access lists. If a laptop, mobile phone or any other electronic device was issued to the employee, be sure to get it back. If a BYOD policy allowed employees to use their own devices to access or store ePHI, don’t forget to purge the personal devices. Keep logs of when employees are given access to PHI or systems, borrow equipment or are granted privileges. These logs will help you confirm that every account has been secured and every piece of equipment retrieved.

A standard procedure to follow whenever an employee quits should be in place. Create a checklist so you can be sure you don’t miss anything. Identity and access management policies must be followed 100% of the time to be effective. Conducting audits helps to confirm that the policies are being followed. Check user logs to see if former employees are still accessing systems and data after their termination.
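The audit described above (checking whether terminated employees still authenticate, whether their accounts were actually disabled, and which shared privileged accounts need their passwords rotated) can be reduced to a small cross-check between the HR termination roster, a directory export and the authentication log. The following script is an added example, not code from the original article or from OCR; the log line format, the directory export fields (`enabled`, `admin_of`) and all usernames, IPs and timestamps are constructed for illustration and would need to be adapted to a real identity provider’s export format.

```python
"""
Offboarding access audit: cross-check a termination roster against an
authentication log and an account-directory export.

All data below is constructed sample data. The log format, the directory
export fields and the usernames are assumptions for illustration only.
"""
from datetime import datetime, timezone

# Constructed HR roster: username -> termination time (UTC).
TERMINATED = {
    "jsmith": datetime(2023, 11, 3, 17, 0, tzinfo=timezone.utc),
    "mlee": datetime(2023, 11, 10, 12, 0, tzinfo=timezone.utc),
}

# Constructed directory export: username -> account state and the shared
# privileged accounts the user knew the password for (assumed field names).
DIRECTORY = {
    "jsmith": {"enabled": True, "admin_of": ["ehr-dbadmin"]},
    "mlee": {"enabled": False, "admin_of": []},
    "rgarcia": {"enabled": True, "admin_of": []},
}

# Constructed authentication log: ISO timestamp, user, source IP, outcome.
AUTH_LOG = """\
2023-11-03T16:55:00Z jsmith 10.0.4.21 success
2023-11-05T02:14:09Z jsmith 203.0.113.45 success
2023-11-06T09:00:00Z rgarcia 10.0.4.30 success
2023-11-11T08:30:00Z mlee 198.51.100.7 failure
2023-11-12T22:01:45Z jsmith 203.0.113.45 success
"""


def parse_auth_log(text):
    """Parse the constructed four-field log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, src, outcome = parts
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": stamp, "user": user, "src": src, "outcome": outcome})
    return events


def post_termination_logins(events, terminated):
    """Events where a terminated user authenticated after their termination time.

    Failed attempts are reported as well: a failure after termination still
    shows that the former employee's credentials are being tried."""
    findings = []
    for event in events:
        cutoff = terminated.get(event["user"])
        if cutoff is not None and event["ts"] > cutoff:
            findings.append(event)
    return findings


def accounts_not_disabled(directory, terminated):
    """Terminated users whose directory account is still enabled."""
    return sorted(u for u in terminated if directory.get(u, {}).get("enabled"))


def privileged_accounts_to_rotate(directory, terminated):
    """Shared administrative/privileged accounts a terminated user could still
    operate; their passwords must be changed even when the user's own account
    has already been disabled."""
    return sorted({acct for u in terminated
                   for acct in directory.get(u, {}).get("admin_of", [])})


def offboarding_report(events, directory, terminated):
    """Bundle the three checks so an auditor can run them as one step of the checklist."""
    return {
        "post_termination_logins": post_termination_logins(events, terminated),
        "accounts_still_enabled": accounts_not_disabled(directory, terminated),
        "privileged_accounts_to_rotate": privileged_accounts_to_rotate(directory, terminated),
    }


if __name__ == "__main__":
    report = offboarding_report(parse_auth_log(AUTH_LOG), DIRECTORY, TERMINATED)
    for e in report["post_termination_logins"]:
        print(f"ALERT post-termination auth: {e['user']} from {e['src']} "
              f"at {e['ts'].isoformat()} ({e['outcome']})")
    print("Accounts still enabled:", report["accounts_still_enabled"])
    print("Privileged accounts needing password rotation:",
          report["privileged_accounts_to_rotate"])
```

Run against the constructed data, the report flags two successful logins by `jsmith` from an outside address after the termination time, a failed attempt by `mlee` (whose account was disabled, so the attempt was refused), the fact that `jsmith`’s account was never disabled, and the shared `ehr-dbadmin` account whose password still needs rotating. In practice the roster would come from HR, the directory export from the identity provider, and the log from the SIEM, and the check would be scheduled rather than run by hand.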