Corporate Compliance

Tip: Use nontechnical controls to assess individuals who may pose a risk

Compliance Monitor, January 11, 2012

Editor’s note: Insiders with malicious intent can cause a lot of damage to healthcare organizations. By taking a look at the crimes insiders commit, healthcare organizations can learn how to help prevent these threats. This is the first in a series of tips from the HCPro, Inc. newsletter Briefings on HIPAA to help fight threats from the inside.

Organizations need to use a mix of technical and nontechnical controls to handle insider threats, said Randall F. Trzeciak, technical team lead of the Insider Threat Research Group, which is part of the federally funded Software Engineering Institute CERT® program at Carnegie Mellon University in Pittsburgh.

The same technical controls (multifactor authorization, dual controls, and separation of duties) that help stop threats from outside your organization can also stop insiders.

However, you can't solve the problem of insider threats with technical controls alone, said Trzeciak, who spoke at the Fifth HIPAA Summit West in September 2011 in San Francisco. You should have those controls in place, but keep in mind that insiders are trusted individuals. Insiders in your IT department know where your controls are and know ways around them, he said.

Read the rest of this blog post on implementing nontechnical controls on HCPro, Inc.’s HIPAA Update blog.
