Thales Blog

HIPAA HITECH Breaches: Most Employees Don’t “Need To Know”

May 12, 2012

Recent breaches at major healthcare providers, the Utah Department of Health, Emory, and the South Carolina Department of Health and Human Services, highlight the challenges of protecting data from external threats as well as from insiders. In two of the examples, mistakes or oversights resulted in the loss of data, while in one instance an employee intentionally emailed 280,000 records to his personal email address. In all of the cases, the loss was preventable by simple controls. While companies continue to focus on external threats to data, insider threats continue to plague the industry, particularly in the realm of HIPAA HITECH.

The foundations of access control are the principles of need to know and least privilege. Employees should only have access to data if they have a demonstrated need. When a demonstrated need is identified, employees should be provided with only the access necessary to perform their jobs. Finally, it is imperative that access to data is monitored. This is similar to the way a company has multiple people review major payments to a vendor. While companies trust their employees, they should also verify that policies and processes are being followed. In each of the cases listed, strong encryption with appropriate access controls would have prevented the loss of data and the subsequent fallout.