I was talking to a forensic expert at Discovery Computers and Forensics, and he was telling me about a huge breach of a hospital in North Carolina. Of course I asked, “How did the hacker get in?” He told me that the origin was an old user account that had never been disabled. The staff is not disabling users.
When I perform security risk assessments, the first thing I look at is whether users are being disabled. Although it does not seem important, IT IS. Many times a practice will terminate someone, or the person will leave, and nobody tells the IT department that the person is gone. They also forget to disable the person’s account in the EMR, which is even more dangerous than leaving the domain account active. It does not matter who the person is: attackers exploit those accounts, not the person who left or was terminated. A lot of times people think, “Joe would never do anything to harm us.” Well, it’s not Joe. It’s someone logging in as Joe, because that account is left wide open and the password has not been changed in a very long time.
Disabling users is a very simple process. If you have administrator access to your domain, you can do it yourself. If not, contact your IT department and your EMR vendor to make sure that when someone leaves your practice, their username is disabled. The best way to remember this is to have a checklist and to designate someone who is responsible for it. The checklist should include the name of the employee, when they left, the reason for leaving, the date their account was disabled, who their voicemail and email were transferred to, etc. Keep a log. You need to do this for HIPAA, so refer to your employee termination policy and procedure. If you do not have one, it is easy to make one, or call Tier3MD and we will provide you with the policy and a checklist free of charge.
If you get a minute, call your IT department and have them go over your active users with you, and let them know who no longer works for you. Be safe!
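If you do have administrator access to your domain, the review of active users described above can be done as a quick audit. The script below is an added example, not part of the original post or Tier3MD’s own tooling; it assumes the RSAT ActiveDirectory module on a domain-joined admin workstation, and the 90-day and 180-day thresholds are assumptions you should set to match your own policy.

```powershell
# Added example: list enabled domain accounts that look abandoned, so they can be
# checked against HR's leaver list and disabled. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

$InactiveDays      = 90    # assumed threshold: no logon in this many days
$StalePasswordDays = 180   # assumed threshold: password unchanged this long
$LogonCutoff    = (Get-Date).AddDays(-$InactiveDays)
$PasswordCutoff = (Get-Date).AddDays(-$StalePasswordDays)

# Caveat: LastLogonDate comes from lastLogonTimestamp, which replicates lazily
# (it can lag by up to 14 days), so treat results as leads, not proof.
$Suspects = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, whenCreated |
    Where-Object {
        # Created long enough ago that "never logged on" is not just a new hire,
        # and either never logged on or not logged on since the cutoff.
        $_.whenCreated -lt $LogonCutoff -and
        (-not $_.LastLogonDate -or $_.LastLogonDate -lt $LogonCutoff)
    } |
    Select-Object SamAccountName, Name, LastLogonDate, PasswordLastSet, PasswordNeverExpires,
        @{ Name = 'Flags'; Expression = {
            $f = @('inactive')
            if (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $PasswordCutoff) { $f += 'stale-password' }
            if ($_.PasswordNeverExpires) { $f += 'password-never-expires' }
            $f -join ','
        } }

# Show the list and keep a copy for the termination log the post recommends.
$Suspects | Sort-Object LastLogonDate | Format-Table -AutoSize
$Suspects | Export-Csv -Path .\stale-accounts.csv -NoTypeInformation

# After confirming leavers with the practice manager, disable (do not delete) them.
# confirmed-leavers.csv is a constructed input: one SamAccountName column.
# -WhatIf makes this a dry run; remove it once the output shows only the expected accounts.
if (Test-Path .\confirmed-leavers.csv) {
    Import-Csv .\confirmed-leavers.csv |
        ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
}
```

This only covers the domain; EMR accounts have no equivalent query here and still need to be reviewed with the vendor, as the post says.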
Tier3MD is one of the nation’s leading IT support groups for medical practices.