This week, the OCR warned covered entities and business associates of “one of largest threats to organizations”: insider threats. The OCR cited a survey recently conducted by Accenture and HfS Research which found that “69% of organization representatives surveyed had experienced an insider attempt or success at data theft or corruption.”
The OCR cited the US CERT definition of “insider threat”: a current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data, and has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
The OCR recommends that covered entities and business associates develop policies and procedures to reduce the likelihood of insider threats, conduct appropriate pre-employment screening, and follow US CERT steps to protect protected health information from insider threats. In addition to establishing a formalized insider threat program, these steps include but are not limited to conducting enterprise-wide risk assessments, incorporating insider threat awareness into periodic training for all employees, anticipating and managing problems in employees’ work environment, and developing comprehensive employee termination procedures.
For more information, read Do You Know Who Your Employees Are?, Office for Civil Rights (August 2016).