
With all the headlines about cyber breaches and the cyber criminals trying to break into your digital environment, you may overlook a common and very real threat: the insider. Accenture’s recent security report said 69% of the people surveyed had experienced an insider attempt at, or success in, data theft or corruption. Many other cyber reports show the same types of stats. It is reasonable to anticipate that someone inside your organization may be planning to steal, or is actively stealing, your company’s proprietary information or sensitive data. Don’t think this only applies to large corporations that don’t keep tabs on their employees; the majority of the respondents to the survey were small to medium-sized companies. Large corporations usually have more comprehensive hiring processes that include background checks to prevent the hiring of criminals, even petty-theft-type criminals. It is therefore important to really know your employees and perform background checks on all of them, including the office manager. You might also consider credit checks, which show whether a person is in financial trouble and possibly looking for extra money to pay off overbearing debts.

There are several things you can do to reduce your insider exposure.

  1. Make sure management, the doctors/owners, understand the importance and value of developing and implementing a complete security strategy that includes physical security, personnel screening and cyber security. This will greatly enhance your HIPAA compliance and your insurability.
  2. Budget to improve your security capabilities and staff training. It costs money to protect your assets.
  3. Take the time and make the extra effort to hire honest, trustworthy people, as they will have access to very valuable data. Perform background checks on every employee who can access PHI and ePHI.
  4. Hire the right technical support. If you contract for IT services, make sure the MSP has a complete plan for your computer systems’ security, both physical and electronic, including backups that are tested regularly to confirm they actually work.
  5. Make sure your technology is in place, with proper processes, to protect your ePHI, as it can address both external and internal threats. Such capabilities include proper password management, unique usernames for every user (so actions can be traced to an individual), a file integrity monitoring system, and regular review of your EHR system’s access and audit reports.
  6. Eliminate portable media from your practice, such as thumb or flash drives, compact external disk drives, and CD-ROMs. Do not allow personal smart phones or music players to be connected to a networked workstation, as they are portable media devices as well and can store large amounts of data.
  7. Require Business Associates to show proof of a Risk Assessment and that they have proper security and cyber-security in place; it’s a HIPAA requirement and smart business.

It’s a rapidly changing digital world, and there are plenty of threats outside the door trying to break it down. Take steps to keep those threats out, and don’t give them a seat inside your practice or business either.

Stats are from Accenture’s and HFS Research’s report; you can read it at Theft and Malware Infections Among Biggest Threat to Digital Business in 2016.
