
Former Employee Risk
The Department of Health and Human Services' Office for Civil Rights (OCR) has issued an important reminder about the security risks posed by former employees. In its latest cybersecurity newsletter, OCR emphasizes the dangers that ex-employees can present to systems containing Protected Health Information (PHI) and Personally Identifiable Information (PII). Their guidance is both timely and essential.
One of the key recommendations focuses on Identity and Access Management (IAM):
“Ensuring that user accounts are promptly terminated when workforce members leave is a crucial step in reducing insider threats. IAM involves a variety of processes, but at its core, it ensures proper access control by managing user accounts from creation to deactivation.”
Kate Borten, President of The Marblehead Group, supports this stance, referencing Verizon’s 2017 Data Breach Investigations Report, which identified the healthcare industry as having the highest number of insider-related breaches.
OCR’s Recommended Security Measures
To mitigate risks, OCR suggests implementing the following security practices:
- Maintain User Access Logs – These logs help track when access permissions change, when new equipment is assigned, and who is accessing sensitive data. They also create a valuable audit trail.
- Immediate Access Termination – Establish clear procedures to revoke an employee’s access as soon as they leave the organization, ensuring that all assigned equipment is returned.
- Password Changes – Reset all administrative passwords for accounts the former employee had access to, preventing post-employment access.
- Dormant Account Alerts – Implement alerts for accounts that remain inactive for a set period, identifying potential security risks and accounts that should be removed.
- Regular IAM Audits – Conduct routine audits to verify compliance with access management policies and ensure security measures are functioning effectively.
Organizations handling PHI and PII should take these recommendations seriously. For a more in-depth look, visiting OCR’s website and reviewing their full guidance is strongly advised.
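As an added illustration (not code from OCR or from the original article), the sketch below shows how the termination, password-change, and dormant-account recommendations can be checked in one pass during an IAM audit. The field names, account names, dates, and the 90-day threshold are all constructed assumptions; real input would come from an HR separation report and a directory export.

```python
from datetime import date, timedelta

# Constructed sample data for illustration only.
# SEPARATIONS maps a username to the workforce member's last day.
SEPARATIONS = {"jdoe": date(2024, 3, 1), "asmith": date(2024, 3, 10)}
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "last_login": date(2024, 3, 4),
     "admin_of": ["ehr-admin"]},
    {"user": "asmith", "enabled": False, "last_login": date(2024, 3, 9),
     "admin_of": []},
    {"user": "svc_fax", "enabled": True, "last_login": date(2023, 11, 2),
     "admin_of": []},
    {"user": "mlee", "enabled": True, "last_login": date(2024, 3, 14),
     "admin_of": []},
    {"user": "temp01", "enabled": True, "last_login": None, "admin_of": []},
]


def audit_accounts(accounts, separations, today, dormant_days=90):
    """Return (user, finding) tuples for an access review."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        user, last = acct["user"], acct["last_login"]
        left = separations.get(user)
        if left is not None:
            # Immediate access termination: account must be disabled.
            if acct["enabled"]:
                findings.append((user, "enabled_after_separation"))
            # Access log check: any login after the last day is an incident lead.
            if last is not None and last > left:
                findings.append((user, "login_after_separation"))
            # Password changes: shared admin credentials the person knew.
            for shared in acct["admin_of"]:
                findings.append((user, f"rotate_shared_password:{shared}"))
        elif acct["enabled"] and (last is None or last < cutoff):
            # Dormant account alert: enabled but unused past the threshold.
            findings.append((user, "dormant"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, SEPARATIONS, date(2024, 3, 15)):
        print(f"{user}: {finding}")
```

Running the same check on a schedule and keeping its output gives the audit trail the first recommendation asks for.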
Employees: The Biggest Security Vulnerability
A recent report by nCipher has confirmed a long-suspected reality for business owners—employees are often the weakest link in cybersecurity. However, the report also reveals some unsettling statistics that highlight just how severe this issue has become.
Disturbing Findings
- 71% of C-Suite executives in the UK admitted they would cover up a data breach if it meant avoiding fines. This number drops slightly to 57% among managers and directors, but it remains alarmingly high.
- 25% of office employees indicated they would sell corporate data for as little as $1,000.
- 10% would consider selling company information for as little as $250.
- 5% said they would give it away for free.
These figures are not just shocking—they are a wake-up call.
Dan Turner, CEO of Deep Secure, responded to the findings with a stark warning:
"The cost of employee loyalty is staggeringly low. With nearly half of all office workers admitting they would sell their company’s or clients’ most sensitive data, the business risk is both undeniable and massive. In the age of GDPR and growing customer intolerance for data breaches, companies must invest in security measures that prevent confidential information from leaving their networks."
Strengthening Security Against Insider Threats
Given these troubling statistics, businesses must adopt proactive security strategies to protect their sensitive information. This includes:
- Comprehensive Employee Training – Educating staff on data security best practices and ethical responsibilities.
- Strict Access Controls – Limiting access to sensitive information based on necessity rather than convenience.
- Continuous Monitoring – Using security software to detect unusual data access patterns or unauthorized attempts to exfiltrate information.
- Ethical Reinforcement & Culture Building – Fostering a work culture where integrity and cybersecurity awareness are paramount.
The reality is clear: insider threats—whether from disgruntled former employees or current staff members—pose a significant risk to businesses. Strengthening internal controls and staying vigilant is no longer optional; it’s a necessity.
Integrated Technology Systems can assist your company by making sure proper procedures are in place for dealing with former employees and training current employees. Give us a call today for your peace of mind.
Integrated Technology Systems
6 East 45th Street, Suite 400
New York, NY 10017
212-750-5420
https://www.itsnyc.com