What are healthcare organizations doing when employees change or leave jobs?
We’ve covered the processes that apply when employees join a healthcare organisation, and those that apply during their ongoing employment, but what about when they move roles or leave the organisation?
UK and US compliance requirements set out clear stipulations on what organisations must do when employees change job roles or leave.
Moving roles within the same organisation
We mentioned security training earlier in this report, but HIPAA also states that organisations must tailor training sessions to different job roles, so if an employee moves to a new position, they should be treated as a new employee and given immediate training.
We’ve also mentioned that HIPAA states that “access controls should enable authorised users to access the minimum necessary information needed to perform job functions.”
So when employees move roles, healthcare companies should review those employees’ access rights, yet nearly half of all US healthcare organisations are overlooking this: just 51% of US healthcare employees say their company reviews access or admin rights when they’ve changed roles within the organisation.
Reviewing access rights isn’t necessarily a compliance requirement in the UK, but it is certainly good practice, and UK organisations perform even worse than their US counterparts: just 29% of healthcare employees say their company reviews access or admin rights when they’ve moved roles.
Moving to a new organisation
NHS Scotland’s security policy highlights the importance of an employee-exit process: “When an employee terminates employment with the employing health board, all property must be returned.”
However, just 40% of UK healthcare employees overall say that their organisation switches off network access for ex-employees. The picture is only slightly better in the US at 68%, meaning that nearly a third of US healthcare organisations don’t address the access of outgoing employees.
Asking those who have left a job in the same sector within the last 5 years, a worrying 37% in the US and 27% in the UK say they continued to have access to their previous employer’s network. Only 34% (US) and 39% (UK) said their user account underwent a formal de-registration process. Naturally, if organisations do not have unique user IDs, as described in previous sections, it is very difficult to enforce a de-registration process for them. But if this basic requirement is met, a formal exit process should be simple, and it is an extremely important measure in ensuring that ex-employees (who are more likely to have motivation to take malicious action) don’t continue to have access to your sensitive data.
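The mover and leaver checks described in this section can be run as a routine reconciliation of the HR roster against directory accounts. The following is an added example, not code from the report or from any organisation it surveys; the roster, role baselines, group names and account records are constructed sample data, and the idea that an account without a unique employee owner cannot go through the leaver process is the point made above.

```python
from datetime import date

# Constructed sample HR roster (employee_id -> role and leaving date, if any).
HR_ROSTER = {
    "e101": {"name": "A. Patel", "role": "nurse", "left": None},
    "e102": {"name": "B. Jones", "role": "billing", "left": None},  # moved from ward clerk
    "e103": {"name": "C. Smith", "role": "nurse", "left": date(2023, 5, 31)},
}

# Assumed "minimum necessary" entitlements for each role.
ROLE_BASELINE = {
    "nurse": {"ehr-read", "ehr-write-ward"},
    "billing": {"billing-app", "ehr-read"},
}

# Constructed directory export; employee_id None models a shared ward login.
ACCOUNTS = [
    {"user": "apatel", "employee_id": "e101", "enabled": True, "groups": {"ehr-read", "ehr-write-ward"}},
    {"user": "bjones", "employee_id": "e102", "enabled": True, "groups": {"billing-app", "ehr-read", "ward-clerk-admin"}},
    {"user": "csmith", "employee_id": "e103", "enabled": True, "groups": {"ehr-read"}},
    {"user": "wardshared", "employee_id": None, "enabled": True, "groups": {"ehr-read"}},
]


def review_accounts(roster, baseline, accounts, today):
    """Return (user, finding, detail) tuples for accounts needing action.

    Three checks, in priority order: the account has no unique owner and so
    cannot be de-registered by a leaver process; the owner has left but the
    account is still enabled; or the owner's groups exceed their role baseline
    (typical for a mover who kept old entitlements).
    """
    findings = []
    for acct in accounts:
        emp = roster.get(acct["employee_id"]) if acct["employee_id"] else None
        if emp is None:
            findings.append((acct["user"], "no-unique-owner", "shared or orphaned account"))
            continue
        if emp["left"] is not None and emp["left"] <= today and acct["enabled"]:
            findings.append((acct["user"], "leaver-still-enabled", f"left {emp['left']}"))
            continue
        excess = acct["groups"] - baseline.get(emp["role"], set())
        if excess:
            findings.append((acct["user"], "excess-for-role", sorted(excess)))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_accounts(HR_ROSTER, ROLE_BASELINE, ACCOUNTS, date(2023, 6, 15)):
        print(f"{user:12} {finding:22} {detail}")
```

Accounts that pass all three checks produce no finding, so the output is a worklist for the access review and exit process rather than a full inventory.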