Best Practices 07-27-2016

Improper Employee Access Compromises Healthcare Organizations

Katie Macdonald

Healthcare organizations are a hub for huge volumes of data, personal information, and hacking potential. It is hardly a question why new research by Solutionary found that healthcare organizations are 114 times more likely to be hit by ransomware infections than financial firms or educational institutions, considering the multitude of valuable records that can be stolen and put up for ransom.

However, while external attackers are growing more sophisticated, data breaches can just as commonly originate inside an organization: improperly accessed EHR data, mismailings, and even break-ins made possible by negligent or untrained employees. Employee access policies that are left unenforced or poorly prioritized by the organization can cause damage to both data and patients.

Weak Access Policies

Each employee should only have access to the systems, data, and applications their position requires and, most importantly, that access should be revoked as soon as the employee no longer needs it. Minimizing what employees have access to is a critical part of health data security, and not having proper policies in place to restrict employees appropriately can have negative results.

For example, ProMedica, a healthcare organization in Ohio, had a breach after several employees inappropriately accessed the private medical records of patients they were not directly treating. The organization has since said that it implemented a more proactive auditing program, using software monitoring tools that track staff activity on the EHR system.

Further, if an employee has improper access to folders of sensitive patient data, they could accidentally cache a copy on their personal workstation, giving a hacker yet another vector by which to reach that data. Weak access policies also give employees who are tempted to steal your data an easy way to do it, including disgruntled employees who have been terminated but whose access to sensitive information is not cut off in a timely fashion.

Poorly Trained Employees Make Restricted Employee Access Essential

A Ponemon Institute study showed that 55% of companies surveyed have already experienced a security incident due to a careless employee. What’s even more alarming, however, is that concern around employee-caused security incidents is not necessarily making companies any more effective at addressing them. In fact, only 46% of the surveyed companies make training mandatory for all employees.

Combined with unrestricted access to vital documents, untrained employees spell disaster for a healthcare organization. Suddenly, an unwitting employee attaches a private document to an email or unintentionally deletes the document from the company server. The University of New Mexico Hospital recently stated that 33 invoice documents were mistakenly mailed to 18 addresses sometime between December 22, 2015, and April 2, 2016. This resulted in the exposure of healthcare data for 2,827 patients.

Best Ways to Strengthen Employee Access Policies

A healthcare organization’s best defense against security breaches and data loss because of improper employee access is to create a culture of security that is enforced by clear guidelines.

  • Don’t let employees have access to data using their personal devices
  • Ensure employees only have access to the minimum amount of files, systems, or data necessary to do their job
  • Make folders inaccessible by default until the employee requests permission from the system administrators
  • Monitor for unusual activity and track employee activity
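As an added illustration of the last two points (it is not from the original post or from any monitoring product mentioned in it), the following Python script checks constructed EHR audit records against a care-team roster and an HR termination list, flagging accesses with no treatment relationship and accounts used after their termination date. The pipe-delimited log format, the roster, and the dates are assumptions.

```python
"""Flag EHR record accesses that fall outside a treatment relationship
or come from accounts that should already have been deprovisioned.

Assumptions (not from the original post): audit lines are pipe-delimited
"timestamp|user|patient_id|action", a care-team roster maps patient_id to
the set of staff assigned to that patient, and an HR feed gives the
effective termination date for departed staff.
"""
from datetime import datetime

# Constructed sample data; not real patients, staff, or log output.
AUDIT_LOG = """\
2016-04-01T09:12:00|nurse_ann|P1001|view_chart
2016-04-01T09:40:00|dr_lee|P1002|view_chart
2016-04-01T10:05:00|clerk_bob|P1003|view_chart
2016-04-02T14:20:00|nurse_ann|P1003|view_chart
2016-04-03T08:00:00|tech_sam|P1001|export_chart
"""

CARE_TEAM = {
    "P1001": {"nurse_ann", "dr_lee"},
    "P1002": {"dr_lee"},
    "P1003": {"dr_lee", "clerk_bob"},
}

# Accounts HR marked terminated, with the date access should have ended.
TERMINATED = {"tech_sam": datetime(2016, 3, 31)}


def parse_line(line):
    ts, user, patient, action = line.strip().split("|")
    return datetime.fromisoformat(ts), user, patient, action


def audit_access(log_text, care_team, terminated):
    """Return a list of (user, patient, reason) findings for review."""
    findings = []
    for raw in log_text.splitlines():
        ts, user, patient, action = parse_line(raw)
        term_date = terminated.get(user)
        if term_date is not None and ts >= term_date:
            findings.append((user, patient, "access after termination date"))
            continue  # account should not exist; no need to check the roster
        if user not in care_team.get(patient, set()):
            findings.append((user, patient, "no treatment relationship"))
    return findings


if __name__ == "__main__":
    for user, patient, reason in audit_access(AUDIT_LOG, CARE_TEAM, TERMINATED):
        print(f"{user} -> {patient}: {reason}")
```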

Although constant awareness of the newest and boldest forms of malware hitting the healthcare market is crucial, the more immediate and easily managed risks can be within the organization itself. Proper employee access policies in addition to solid employee education and enforced security procedures can create an excellent starter strategy to prevent a healthcare data disaster.
