Part of the problem is we leave the door open, so to speak. While we are spending time and effort to keep people from the outside out, we are leaving the door open for people on the inside to take what they want.
Think about this…
An employee with access to ePHI decides they want to work overnight or on the weekend. That is pretty admirable, in itself. However, that employee decides to send the data via Gmail or another cloud/web based tool to make it available on his/her home computer. Now you have a serious problem. As most of you probably know, consumer cloud and webmail accounts are regularly compromised, including by targeted attacks.
Now imagine an employee who wants to intentionally steal information! They have abundant options to smuggle information out. In addition to cloud/web apps, they can use USB drives, smart phones with cameras, etc.
While you can’t possibly stop everything, there are simple things that can be done to ensure that your data is safe, from both external threats and internal threats. There is generally zero reason for employees to have access to Gmail, Yahoo, Facebook, Pastebin, etc. from within your organization. And outside of a very few exceptions, there should be no ability to use USB drives. The great thing is that all these channels can be blocked fairly easily and with little cost.
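One way to see whether these channels are actually closed is to run the web-proxy log against the same blocklist the proxy enforces. The script below is an added example, not part of the original post or any Third Rock tooling; the domain list, the log format (`timestamp user method url bytes`) and the log lines are all constructed for illustration. It matches on the registered domain so that subdomains such as `mail.google.com` or `m.facebook.com` are caught while a look-alike such as `notgmail.com` is not, and it totals the bytes each user pushed to a blocked channel with POST or PUT, which is the upload pattern the post describes.

```python
# Added example (not from the original post): audit a web-proxy log for egress
# channels the post recommends blocking (webmail, social media, paste sites).
# The domain list, log format and log lines are constructed for illustration.
from collections import Counter
from urllib.parse import urlsplit

# Channels to block. Matching is by domain suffix, so any subdomain
# (mail.google.com, m.facebook.com) is covered, but look-alike domains
# such as "notgmail.com" are not accidentally matched.
BLOCKED_DOMAINS = {
    "gmail.com": "webmail",
    "mail.google.com": "webmail",
    "yahoo.com": "webmail",
    "facebook.com": "social",
    "pastebin.com": "paste",
}


def host_of(url):
    """Return the lowercase hostname of a URL, or None if it has none."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def blocked_category(url):
    """Return the block category for a URL, or None if it is allowed.

    Walks the hostname's label suffixes so that both an exact match and any
    subdomain of a blocked domain are caught, while unrelated domains that
    merely contain the string (e.g. notgmail.com) stay allowed.
    """
    host = host_of(url)
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in BLOCKED_DOMAINS:
            return BLOCKED_DOMAINS[suffix]
    return None


def parse_line(line):
    """Parse a constructed log line: '<timestamp> <user> <method> <url> <bytes>'."""
    ts, user, method, url, size = line.split()
    return {"ts": ts, "user": user, "method": method, "url": url, "bytes": int(size)}


def audit(lines):
    """Return (violations, upload_bytes).

    violations: list of (user, category, host, bytes) for every hit on a
    blocked channel; upload_bytes: per-user byte totals for POST/PUT requests
    to those channels, i.e. data leaving the organization.
    """
    violations = []
    upload_bytes = Counter()
    for line in lines:
        rec = parse_line(line)
        cat = blocked_category(rec["url"])
        if cat is None:
            continue
        violations.append((rec["user"], cat, host_of(rec["url"]), rec["bytes"]))
        if rec["method"] in ("POST", "PUT"):
            upload_bytes[rec["user"]] += rec["bytes"]
    return violations, upload_bytes


# Constructed sample proxy log (not real data).
SAMPLE_LOG = [
    "2024-01-08T19:02:11 jdoe GET https://intranet.example.org/patients/report 5120",
    "2024-01-08T19:05:42 jdoe POST https://mail.google.com/mail/u/0/?ui=2 2048000",
    "2024-01-08T19:07:03 asmith GET https://www.notgmail.com/index.html 900",
    "2024-01-08T19:09:55 jdoe POST https://pastebin.com/api/api_post.php 65536",
    "2024-01-08T19:11:20 asmith GET https://m.facebook.com/ 3000",
]

if __name__ == "__main__":
    found, totals = audit(SAMPLE_LOG)
    for user, cat, host, size in found:
        print(f"{user}: {cat} channel {host} ({size} bytes)")
    for user, total in totals.items():
        print(f"{user} uploaded {total} bytes to blocked channels")
```

Any line this audit flags is a channel the proxy should already be denying; if the log shows hits, the block is not in place or is being bypassed, which is exactly the question to put to your IT provider.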
Employees will complain about losing access to popular social websites, but it will be much easier to explain these constraints to your employees than to explain a breach to the government, your patients, and the Board.
Ask your IT service provider if they’ve taken steps to minimize information “leakage” by internal system users. If they aren’t sure or have questions about what you mean, contact Third Rock to schedule a risk assessment.
info@ThirdRock.com | 512-310-0020