When your employees leave, does your data leave too?
One of the biggest challenges of the staffing crisis often goes undetected in senior living spaces: when someone on staff leaves a community, data security often leaves too.
Many tend to treat their digital assets quite differently than their physical counterparts. Ironically, digital assets tend to provide greater value to a business, comparatively.
Let me see if I can provide an example through analogy. I am going to make a couple of assumptions:
- Your organization knows and documents in fine detail and without error occupancy in your communities. Information exists and is thoroughly documented to identify who resides in each unit, the date they moved in, financial details, medical details, and much more.
- Your organization has limited or no insight into who has access, or to what level, to the organization’s information technology resources or data.
Arguably, the lifeblood of most organizations is the data. It has been said repeatedly that data is the “new oil,” a phrase meant to communicate the value of data to businesses. Let me ask you a question. Would you be able to operate your business tomorrow if your data was accidentally deleted and data backups did not exist? What if the organization is the victim of a ransomware attack like the recent Kronos incident? Would the organization’s operations be resilient enough to continue to conduct business? What if a previous employee still had access to information technology resources and data years after leaving and decided to do something malicious?
Managing access to IT resources and data is often overlooked. It can be a tedious process to manage access while trying to juggle occupancy rate, staffing concerns, and other required daily activities.
Unfortunately, organizations globally experienced a massive impact from the Great Resignation, in which 4.5 million people left their jobs in the last year. This makes managing access to data infinitely more difficult, and infinitely more essential.
It is not unusual in normal operating climates for users to leave a company only for the company to find out months or years later that their access had not been revoked. In a wearisome environment embattled by a pandemic and employee churn at historic rates, this risk becomes even greater.
A recent article purported that “1 in 4 Former Employees Still Has Access to Files at Old Job.” I would argue that number has exponentially increased in the last 6 months with the Great Resignation and employees leaving in such large numbers. The following article asks the important question: When employees leave, is your data walking out the door?
When we think about previous employees still having access, we also must think about their password hygiene, other data breaches and data dumps that may include their credentials, and anyone else to whom they have sold, shared, or provided their credentials.
What do we do?
Small, iterative, consistent steps can help dramatically. It is more sustainable to spend a small amount of time each day on these steps instead of a large amount of time inconsistently. Begin by spending a few minutes a day focusing on the following:
Manage (Digital) Occupancy – Asset Management
Start at the beginning. We must know what we have so we know what to protect. In the same way we know our residents and details regarding their occupancy, we need to understand our technology assets and user access.
Engage stakeholders and create a list of all applications and accounts used in the organization. Ask each functional area leader to develop a list of applications they use. You may be surprised to find the list is larger than you expect!
Get as granular as possible. Try to define data types, especially if sensitive data is stored in the application. If the application contains personally identifiable information (PII), protected health information (PHI), financial data, credit card information, or other sensitive information, it is important to know.
Maintain this list in a centralized document repository where each stakeholder has access. Create a policy to review and update the list regularly.
Occupancy (Application) Reviews
- Again, engage stakeholders and create a list of users with access to each application.
- Develop policies and procedures for onboarding and offboarding to provision and deprovision access.
- Review accounts regularly: annually at minimum, quarterly is recommended. This helps identify access that should have been revoked, as well as “permission creep.” When employees change roles, they often need additional access, which is usually provided; however, access from their previous role may not have been removed.
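The account review described above can be run as a reconciliation of each application's account list against the HR roster. The following is an added example, not part of the original article; the roster, role baseline, entitlement names and employee IDs are constructed for illustration.

```python
from datetime import date

# Constructed sample data (hypothetical IDs and entitlement names).
# HR roster: employee id -> (status, current role, departure date or None)
HR_ROSTER = {
    "e100": ("active", "nurse", None),
    "e101": ("terminated", "sales", date(2021, 9, 30)),
    "e102": ("active", "billing", None),  # moved from sales to billing
}
# Entitlements each role should hold, taken from the application inventory.
ROLE_BASELINE = {
    "nurse": {"ehr:read", "ehr:write"},
    "sales": {"crm:read", "crm:write"},
    "billing": {"billing:read", "billing:write"},
}
# Account lists collected from each application's stakeholder.
APP_ACCOUNTS = [
    {"app": "ehr", "owner": "e100", "entitlements": {"ehr:read", "ehr:write"}},
    {"app": "crm", "owner": "e101", "entitlements": {"crm:read", "crm:write"}},
    {"app": "crm", "owner": "e102", "entitlements": {"crm:read", "crm:write"}},
    {"app": "billing", "owner": "e102",
     "entitlements": {"billing:read", "billing:write"}},
    {"app": "crm", "owner": "e999", "entitlements": {"crm:read"}},
]

def review_access(roster, baseline, accounts, today):
    """Return (app, owner, finding, detail) tuples for accounts needing action."""
    findings = []
    for acct in accounts:
        person = roster.get(acct["owner"])
        if person is None:
            # Account that nobody in HR can account for.
            findings.append((acct["app"], acct["owner"], "no_hr_record", None))
            continue
        status, role, left_on = person
        if status == "terminated":
            # Access that should have been revoked at offboarding;
            # detail is the number of days it has stayed open.
            age = (today - left_on).days
            findings.append((acct["app"], acct["owner"], "departed", age))
            continue
        # Permission creep: entitlements beyond what the current role needs.
        extra = acct["entitlements"] - baseline.get(role, set())
        if extra:
            findings.append(
                (acct["app"], acct["owner"], "permission_creep", sorted(extra)))
    return findings

if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ROLE_BASELINE, APP_ACCOUNTS, date(2022, 3, 1)):
        print(f)
```
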
Move-out (Exit) Interview
When employees leave, conduct exit interviews. This provides an opportunity for them to express the reason for their departure and share valuable feedback and insights about their employment experience, and for you to obtain updated contact information, recover technology and account access, and wish them well in future endeavors.
Admittedly, these activities are difficult and time consuming, but with rising costs of data breaches, burgeoning privacy laws, and other compliance and regulatory requirements, organizations can no longer afford to not conduct them.
Take a small step today in your organization to protect your business. If you have questions, reach out to us. Let us know how we can help. We will continue to provide resources and actionable tips to help transform the way America cares for seniors.
Chad Hudson, Chief Compliance Officer, is responsible for developing, implementing, supporting and monitoring SeniorVu’s compliance, privacy, security and various risk management programs. His focus is on developing policies that enable consistent, effective privacy practices to minimize risk and ensure the confidentiality of protected health information (PHI).
With more than 15 years of cybersecurity and data privacy experience, Chad is a CISSP (Certified Information Systems Security Professional). He’s also on the board of directors of InfraGard, a partnership between the FBI and members of the private sector for the protection of U.S. critical infrastructure.
Chad and his wife live in the Kansas City area and have four active sons ranging from 3 to 21. He has a long history of ministry, from being the Director of Student Ministry for almost ten years to recently becoming a Lay Pastor.