Who has access to your computer systems?
Very often, the companies that provide us with computer hardware and software support can access our computer systems. The question is: how secure are our trusted partners? Here is a case study from the Department of Health and Human Services website:
On June 26, 2016, a journalist from “www.databreaches.net” notified AOC that “a database of patient records” suspected to belong to Athens Orthopedic Clinic was posted online for sale. On June 28, 2016, a hacker group known as “The Dark Overlord” contacted AOC by email and demanded money in return for a complete copy of the database it stole without sale or further disclosure.
It was determined, through computer forensic analysis, that the Dark Overlord had obtained a vendor’s credentials to Athens Orthopedic Clinic’s system and used them to gain access on June 14, 2016. While Athens Orthopedic Clinic terminated the compromised credentials on June 27, 2016, the Dark Overlord’s continued intrusion was not effectively blocked until July 16, 2016.
It was determined that 208,557 individuals were affected by this breach. Due to the breadth of system applications affected, a variety of protected health information (PHI) was exposed including patient demographic information (name, date of birth, social security number, etc.), clinical information (reason for visit, “social history,” medications, test results, medical procedures, etc.), and financial/billing information (health insurance information, payment history).
So the question you need to ask is “Who has access to my systems?” Let’s take a short inventory of who might have access:
· Your software vendors
· If you have a router from your internet provider – then your internet provider
In this case the relationship with the vendor was terminated on June 14, but the vendor’s access was not terminated until almost 1 month later. How long does it take you to deactivate an account of an employee once they no longer work for you? How long does it take your vendors to deactivate the accounts of their employees once they no longer work for the vendor?
As part of your HIPAA Security Policies and Procedures, you need to deactivate all access to your computer systems, cloud systems, and your physical premises immediately after termination of a relationship with an employee or vendor. You need to take away keys, deactivate key codes, and deactivate all computer accounts immediately. All of this needs to be logged in your HIPAA Security Manual.
In addition, you want to be sure that all vendors who may have access to your systems have a similar policy in place and that you have a Business Associate Agreement with each of those vendors.
Just one of the aspects of the TLD Systems HIPAA Security Program is helping you to deactivate access for terminated relationships and helping you to keep all of your Business Associate Agreements up to date. Now is a good time to log on to your TLD Systems portal, review the status of all employees, and make sure you have properly terminated all employees and have all of your Business Associate Agreements in place. If you do not have an up-to-date HIPAA Security Program, please reach out to TLD Systems today to get one in place for your practice before you are hit with a $1.5 million settlement like Athens Orthopedic Clinic.
For more details visit the HHS website