Ramp Up HIPAA Security with Staff Training & Informed Checks and Balances

Posted on 11 Feb, 2019 | By Elizabeth Debeasi

A trained workforce is your best defense against unintentional — and intentional — PHI exposure.

Ransomware takedowns populate news headlines, but many health IT breaches result from staff activities. Whether an employee accidentally discloses protected health information (PHI) or deliberately sets out to harm your health IT, the onus of providing and maintaining the security of your systems falls on your organization.

Considering the devastating toll of unauthorized PHI disclosure, it’s imperative to cover all your bases and protect yourself and your patients against an inside attack.

Keep Internal Threats on Your Radar

External security threats, namely cybercrime, are an everyday reality. In fact, given the current level of criminal cyber activity, the chances are high that your network is fending off an attempted intrusion as you read this. But external threats aren’t your only concern. You must also safeguard against internal, or insider, threats.

Insider threats, as defined by the United States Computer Emergency Readiness Team (US-CERT), include:

  1. Malicious: A malicious insider threat involves employees, business associates (BAs), and/or vendors who work specifically to corrode, corrupt, or hack your system.
  2. Unintentional: An unintentional insider threat involves vendors, BAs, and/or staff with access to your IT resources who can accidentally expose your systems or protected health information.

Tip: Beware of falling prey to a false sense of security — the belief that your staff is both ethical and well-versed in current HIPAA compliance protocols. To combat the lull of this presumption, it’s wise to take a proactive approach to insider threats with an informed appreciation of their likelihood.

Perform Employee Background Checks

Industry experts advise medical practices to implement background checks on all new employees, given that they will routinely handle sensitive information such as private medical data, payment information, and insurance identification numbers.

In addition to performing background checks, your office should educate staff about how to recognize insider threats.

Remain Vigilant for These Unintended Risks

Human error causes far too many HIPAA issues and lost PHI. US-CERT research breaks down these unintentional errors into four main categories:

  • Accidental disclosure: An example of accidental disclosure might entail an email sent to the wrong patient or when an employee posts inappropriate content on social media.
  • Social engineering: Phishing attacks often catch staff unaware. An employee clicks on an attachment, thereby unleashing chaos on your system through the infestation of hidden malware.
  • Physical issues: In this scenario, failure to properly dispose of physical records causes PHI to land in nefarious hands.
  • Mobile devices: Unencrypted lost or stolen mobile devices like cell phones, laptops, or tablets with patient information on them continue to wreak havoc on the healthcare industry and are a perennial cause of breaches.

Eradicate inadvertent hazards like these with a combination of risk assessment and management that includes security controls like encryption and multi-factor authentication, logging and monitoring of devices, and comprehensive staff education from the top down. Workforce training should focus on the sharing of information, the securing of authorized devices, and the use of third-party apps.

Spot & Stop Malicious Insider Threats

Do you know the signs that suggest an insider threat could be imminent? You can prevent malicious threats by recognizing key indicators. US-CERT guidance suggests that you watch for the following employee or BA behaviors:

  • Remotely accesses systems during off times or vacation
  • Works unusual hours when no one else is in the office
  • Copies classified materials
  • Shows “notable enthusiasm for overtime, weekend or unusual work schedules”
  • Seems overly curious about business activities not related to his or her job

The HHS Office for Civil Rights (OCR) Cybersecurity Newsletter offers great advice on insider threats and what to do after an employee is terminated. Pocket these tips to set up your procedures:

  1. Keep policies updated. In your HIPAA compliance plan, outline clearly who is allowed to access PHI — and who isn’t. This also means updating protocols after an employee leaves or is terminated.
  2. Monitor, inventory, and log. Your IT staff must keep abreast of your practice’s devices, networks, and systems — including how many times access has been blocked because of too many password attempts. Documentation allows management to see outlier behavior that may lead to threats down the line.
  3. Address physical access. Keep a log of who has a key to the office and access to hardware, and make sure the locks are changed when an employee is terminated. “Take back all devices and items permitting access to facilities (like laptops, smartphones, removable media, ID badges, keys),” reminds OCR.
  4. Outline remote access. Implement remote access procedures like remote purging and wiping to combat insider threats, loss, and hacks. Don’t forget to “terminate access to remote applications, services, and websites such as accounts used to access third-party or cloud-based services” after an employee leaves, OCR advises.
  5. Implement multi-factor authentication. Strong passwords protect your practice — it’s just that simple. Remember to change them often, never reuse the same password, and update credentials immediately when staff turn over.
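As an added example (not part of the original article), the following Python scans a constructed access log for three of the indicators discussed above: off-hours or weekend remote logins from the behavior list, repeated lockouts from too many password attempts (tip 2), and logins by accounts that should have been disabled at termination (tips 1 and 4). The log format, business hours, lockout threshold and terminated-user list are all assumptions.

```python
# Added example (not from the article): flag insider-threat indicators in
# a constructed access log. Format, hours and thresholds are assumptions.
from collections import Counter
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <event> <source>"
SAMPLE_LOG = """\
2019-02-04T09:12:00 jdoe login_success remote
2019-02-04T22:47:00 jdoe login_success remote
2019-02-05T10:05:00 asmith login_failed local
2019-02-05T10:06:00 asmith login_failed local
2019-02-05T10:07:00 asmith lockout local
2019-02-05T10:20:00 asmith lockout local
2019-02-09T14:00:00 rlee login_success remote
2019-02-11T08:30:00 tgone login_success local
"""

BUSINESS_HOURS = range(7, 19)   # 07:00-18:59, assumed practice hours
LOCKOUT_THRESHOLD = 2           # lockouts per user before flagging
TERMINATED_USERS = {"tgone"}    # constructed offboarding list

def parse_log(text):
    """Return (datetime, user, event, source) tuples, one per log line."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event, source = line.split()
            records.append((datetime.fromisoformat(ts), user, event, source))
    return records

def find_indicators(records):
    """Return sorted (user, indicator) pairs that merit a manager's review."""
    flags = set()
    lockouts = Counter()
    for when, user, event, source in records:
        # Off-hours or weekend remote access is one of the listed indicators
        off_hours = when.hour not in BUSINESS_HOURS or when.weekday() >= 5
        if event == "login_success" and source == "remote" and off_hours:
            flags.add((user, "off_hours_remote_access"))
        # Any successful login by a terminated account means offboarding failed
        if event == "login_success" and user in TERMINATED_USERS:
            flags.add((user, "terminated_account_still_active"))
        if event == "lockout":
            lockouts[user] += 1
    # Repeated lockouts from too many password attempts are outlier behavior
    for user, count in lockouts.items():
        if count >= LOCKOUT_THRESHOLD:
            flags.add((user, "repeated_lockouts"))
    return sorted(flags)
```

Calling `find_indicators(parse_log(SAMPLE_LOG))` on the constructed log flags asmith (repeated lockouts), jdoe and rlee (off-hours and weekend remote access) and tgone (terminated account still logging in).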

Tip: Direct all employees to keep their eyes open for suspicious behavior that may pose a security threat. Understand that your staff may feel nervous about reporting breaches or telling management about their hunches. Make sure that you encourage your staff to communicate their concerns.

Contributing Editor: Kristin Webb-Hollering

Learn More

Stay on top of evolving regulations, new technologies, and security threats with current, to-the-point guidance in your monthly subscription to Health Information Compliance Alert. In every issue, our experts tackle challenging security scenarios across the spectrum of health IT to keep you in the know, help you train your staff, and equip you to implement protocols to preserve the integrity of your practice.

Master HIPAA compliance with the industry’s best-selling handbook — the HIPAA Handbook 2019. Our nationally-recognized HIPAA compliance experts lay out best practices and walk you step-by-step through the dos and don’ts of compliance. We also address new target areas and introduce you to tools to nail down risk assessments, tighten up your EHR privacy and security, reassess your risk analysis plan, prep for audits, and more.


Elizabeth Debeasi
Marketing Writer/ Editor

Elizabeth works on an array of projects at TCI, researching and writing about modern reimbursement challenges. Since joining TCI in 2017, she has also covered the nuts and bolts of cybersecurity, compliance with federal laws, and how to tap into the advantages of Telehealth services.
