Onboarding and termination checklists

Onboarding and termination checklists are often treated as a paperwork hassle. However, we have seen many cases where taking the time to attend to those hassles would have saved time and money and closed open security holes that are very dangerous. HIPAA requires consistent onboarding and termination procedures, just as the multitude of other formal cybersecurity programs do, and for specific reasons: the onboarding and termination processes are where many of the mistakes are made that lead to security incidents and even reportable breaches. Today we discuss why they are important and the kinds of things you should consider having in yours.

HIPAA For MSPs by J. David Sims Onboarding & Termination Checklists

This news story made me think about covering this topic: Former Systems Administrator Gets Prison Time

A former systems administrator who was on the job at a Pennsylvania clinic group for only about three weeks has been sentenced to 27 months in federal prison after he was convicted in a case involving wire fraud and hacking computers.

The former employee used clinic credentials to delete computer settings and data – including patient information – as well as to make fraudulent technology purchases, prosecutors say.

The Department of Justice says Brandon Coughlin, a 29-year-old resident of Texas, “intentionally hacked and damaged” 13 servers operated by Pennsylvania-based Centerville Clinics Inc. and engaged in a scheme to defraud the clinics group by using the organization’s purchase card to order merchandise from Staples.

He was hired on Jan 16, 2013, as an in-house administrator and was asked to resign on Feb 4, 2013, when his previous employer (Home Depot) apparently pressed fraud charges against him.

No one changed any passwords once he left. Those didn’t get changed until MID-2015! But he logged in just TWO days after leaving and created his own admin user profile.

From then until Sept 18, 2013, this guy wreaked havoc on the systems, including emails, patient data, security controls, you name it. There is a long list of things he got away with doing.

The DOJ says Coughlin caused a financial loss of approximately $60,000 for the clinics and also caused the organization “to cease its medical treatment of patients until its system was restored.”

In a statement provided to Information Security Media Group, Centerville Clinics says it hired an outside firm to analyze the impact of Brandon Coughlin’s unauthorized access to its systems. “We reviewed the facts under the four-part breach analysis under HIPAA and concluded that since there was no evidence that the electronic medical record database or any protected health information contained in the database was viewed, and it was mathematically impossible for the database to have been downloaded during the brief period of unauthorized access, there was a low probability that the PHI has been compromised, and that no HIPAA breach occurred,” the statement notes.

Subsequent to this incident, Centerville Clinics says it has taken a number of steps to prevent a recurrence of unauthorized access to its PHI, including, among others:
– Disabled remote access to servers from any account with administrative privileges;
– Implemented a new policy to change administrative passwords – both locally and on the domain – every six months;
– Ensured all servers are up to date on Windows security updates;
– Started finding and deleting any inactive user accounts.

How that breach analysis weighs only confidentiality, and not integrity or availability, is a whole different discussion. Today we are discussing just how this was allowed to happen: the complete lack of onboarding and termination checklists.

This guy was an admin who left. No one made sure he was completely removed from all system access. That is definitely hard to do when an admin leaves, but earlier this year we had a resolution agreement where employees who had been gone for years were still accessing systems on a regular basis.
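The gaps in both stories (an ex-employee whose access was never removed, an admin profile nobody on the roster owns, and accounts that have sat unused for years) all show up when the directory's account list is reconciled against the HR roster. The script below is an added example and is not the podcast's material or anything the clinic did; the roster, accounts, dates and the 90-day inactivity threshold are constructed sample data, and the field names are assumptions. Vendor principals are audited exactly like employees.

```python
"""Audit a directory account export against the HR roster (added example).

The accounts, people and dates below are constructed sample data; field
names and the 90-day inactivity threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVE_DAYS = 90  # assumed: no logon for this long means "inactive"


@dataclass(frozen=True)
class Person:
    person_id: str
    kind: str                   # "employee" or "vendor"; both are audited alike
    terminated: Optional[date]  # None while still engaged


@dataclass(frozen=True)
class Account:
    sam: str
    owner_id: Optional[str]     # id recorded at onboarding; None = nobody claims it
    enabled: bool
    is_admin: bool
    created: date
    last_logon: Optional[date]


def audit_accounts(accounts, people, today, inactive_days=INACTIVE_DAYS):
    """Return (account name, finding) pairs; one account may have several."""
    roster = {p.person_id: p for p in people}
    cutoff = today - timedelta(days=inactive_days)
    findings = []
    for a in accounts:
        owner = roster.get(a.owner_id) if a.owner_id else None
        if owner is None:
            # Nobody on the roster owns it: this is what a self-created admin
            # profile looks like from the outside.
            kind = "ORPHAN_ADMIN_ACCOUNT" if a.is_admin else "ORPHAN_ACCOUNT"
            findings.append((a.sam, kind))
            continue
        if owner.terminated is not None:
            if a.enabled:
                findings.append((a.sam, "ENABLED_AFTER_TERMINATION"))
            if a.last_logon is not None and a.last_logon > owner.terminated:
                findings.append((a.sam, "LOGON_AFTER_TERMINATION"))
        never_or_stale = a.last_logon is None or a.last_logon < cutoff
        if a.enabled and never_or_stale and a.created < cutoff:
            findings.append((a.sam, "INACTIVE"))
    return findings


# Constructed sample data (loosely modelled on the story above, not real records)
TODAY = date(2013, 3, 1)
SAMPLE_PEOPLE = [
    Person("E-100", "employee", terminated=date(2013, 2, 4)),
    Person("E-101", "employee", terminated=None),
    Person("E-102", "employee", terminated=None),
    Person("V-007", "vendor", terminated=date(2012, 6, 30)),
]
SAMPLE_ACCOUNTS = [
    Account("ex.admin", "E-100", True, True, date(2013, 1, 16), date(2013, 2, 6)),
    Account("svc.backup2", None, True, True, date(2013, 2, 6), date(2013, 2, 28)),
    Account("j.doe", "E-101", True, False, date(2010, 5, 1), date(2013, 2, 28)),
    Account("temp.clerk", "E-102", True, False, date(2011, 9, 1), date(2012, 1, 15)),
    Account("acme.support", "V-007", True, False, date(2011, 3, 1), None),
]

if __name__ == "__main__":
    for sam, finding in audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_PEOPLE, TODAY):
        print(f"{sam:14} {finding}")
```

In practice the two inputs come from an HR export and a directory query; the point of the reconciliation is that a terminated person's account, an unclaimed admin account, and a vendor login that never logs on are each found by a rule that does not depend on anyone remembering to run the checklist.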

Onboarding requirements

Just like everything else when it comes to onboarding and termination checklists, if this isn’t documented it didn’t happen. It is important to complete the forms each time to maintain consistency and proper documentation.

Vetting employees should be more than just a formality. Calls to previous employers, background checks, and credit checks are all pretty common today. Do your best to weed out potential problems before they get in the door. Then document that information clearly, just like any other HR activity.

Some groups include a probationary period for a reason: to mitigate damage should something come out right after a new hire comes onboard. That probationary period should limit their access to your valuable information until you are sure they have successfully passed your training programs and shown they are ready for the responsibilities that come with access.

Another area your policies should cover is who is allowed to create and manage access levels. There should be a reason someone gets additional access, and it should come with approval from someone in charge. The newer the employee, the less leeway they should have in these areas. Whoever approves that authority must take responsibility for what can happen if things go wrong, as they did with our example admin. Even when someone does need elevated privileges because of their job description, you should have a plan for managing them during the probationary period so you can keep an eye on how they are using that power.

Many times we hear grumbling about the requirement for a checklist of the apps that should be on each computer in your organization. Again, this is part of the onboarding and termination checklists because it prevents problems caused by human error. One misunderstanding could add access to accounting controls on the wrong computer, or leave that access in place when the computer moves to another employee.

When evaluating your plans for bringing staff onboard, consider carefully what access you plan to allow for things like security system codes, office keys, and company credit cards and charge accounts.  That also goes for login information to company accounts with your vendors.

If your office issues company laptops, phones, tablets, etc., there should be documentation of what devices they were given, what was on them, and the controls they agree to follow in using those devices. This matters in both the onboarding and termination checklists because you have to be sure they have returned the exact devices you gave them in the first place. Offer a free computer to any office and you have a great way to get access to their network. The same goes for switching out company devices or loading things on them that don’t belong there in the first place.

Mobile devices bring a special flavor of problems.  Spend some time reviewing our episodes on mobile device management and the Rodeo Drive incident.  You must have a way to track and manage those devices if you are supplying them to your staff.

Termination requirements

Once termination happens you must be prepared to activate your procedures immediately.  It doesn’t take long for someone to abuse their access in a malicious way once they are terminated.  If you allow it to take days or weeks to complete the checklists they will not be effective in protecting you at all.  In fact, at that point, they may even become nothing but a paperwork hassle because they will be useless.

Make sure you match your onboarding and termination checklists against each other.  If you provide keys, codes, security access, etc. in onboarding then you must account for those same items in terminations.  Don’t forget to include things that are added after a probationary period either.  It takes years for most employees before they need termination paperwork done.  You must account for everything they have been given access to as well as taken possession of over their tenure at your organization.

If this person had access to shared passwords, then all of them must be changed immediately. Please don’t use some scheme where everyone can figure out what the next password will be. Because… security.
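The termination checklist is easiest to get right when it is generated from the same ledger the onboarding checklist wrote to, so that every key, code, shared credential, device and later privilege grant has a matching revocation, each with a deadline. The following is an added example and not the podcast's own material: the ledger entries are constructed sample data, and the asset naming scheme (the "shared:", "device:" and "group:" prefixes) and the 24-hour deadline are assumptions. It treats a vendor principal exactly like an employee, as the vendor note further down recommends.

```python
"""Turn the access ledger kept at onboarding into a termination checklist
(added example; the ledger below is constructed sample data).
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DEADLINE = timedelta(hours=24)  # assumed: every item must be closed within a day


@dataclass
class Grant:
    principal: str            # employee or vendor; both go through the same ledger
    asset: str                # "door-key", "shared:alarm-code", "device:laptop-0001", ...
    granted: datetime
    revoked: Optional[datetime] = None


def open_grants(ledger, principal):
    """Everything granted to this principal, at hire or later, not yet revoked."""
    return [g for g in ledger if g.principal == principal and g.revoked is None]


def action_for(asset):
    """Map an asset to the closing action the checklist must record."""
    if asset.startswith("shared:"):
        return "rotate"    # a shared secret cannot be handed back; it must change
    if asset.startswith("device:"):
        return "collect"   # must come back as the same physical device that was issued
    return "revoke"


def termination_checklist(ledger, principal, terminated_at):
    """(asset, action, due) for each open item, mirroring the onboarding grants."""
    due = terminated_at + DEADLINE
    return [(g.asset, action_for(g.asset), due) for g in open_grants(ledger, principal)]


def new_shared_secret(nbytes=16):
    """Replacement for a shared credential: random, not derived from the old one."""
    return secrets.token_urlsafe(nbytes)


def revocation_status(ledger, principal, terminated_at, now):
    """Audit view per asset: DONE, LATE (closed after the deadline), OPEN, or OVERDUE."""
    due = terminated_at + DEADLINE
    status = {}
    for g in (x for x in ledger if x.principal == principal):
        if g.revoked is None:
            status[g.asset] = "OVERDUE" if now > due else "OPEN"
        else:
            status[g.asset] = "LATE" if g.revoked > due else "DONE"
    return status


# Constructed sample ledger: one employee with grants made over a two-year
# tenure (some after probation), plus one vendor.
LEDGER = [
    Grant("p.smith", "door-key", datetime(2011, 4, 1)),
    Grant("p.smith", "vpn-account", datetime(2011, 4, 1)),
    Grant("p.smith", "shared:alarm-code", datetime(2011, 4, 1)),
    Grant("p.smith", "device:laptop-0001", datetime(2011, 7, 1)),   # after probation
    Grant("p.smith", "group:domain-admins", datetime(2012, 2, 1)),  # later escalation
    Grant("acme-support", "rmm-login", datetime(2012, 9, 1)),       # a vendor
]
TERMINATED_AT = datetime(2013, 2, 4, 9, 0)
AUDIT_NOW = datetime(2015, 7, 1)
LEDGER[0].revoked = datetime(2013, 2, 4, 10, 0)   # key collected promptly
LEDGER[1].revoked = datetime(2015, 6, 1)          # VPN finally closed years later

if __name__ == "__main__":
    for asset, action, due in termination_checklist(LEDGER, "p.smith", TERMINATED_AT):
        extra = f" -> new value {new_shared_secret()}" if action == "rotate" else ""
        print(f"{action:8} {asset:22} due {due:%Y-%m-%d %H:%M}{extra}")
    for asset, state in revocation_status(LEDGER, "p.smith", TERMINATED_AT, AUDIT_NOW).items():
        print(f"audit    {asset:22} {state}")
```

The audit view is what the random checks described in the next section would look at: an item still OVERDUE or closed LATE is exactly the "paperwork hassle" case where the checklist existed but did not protect anyone.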

Onboarding and termination checklists audits

Random audits of the documentation and of the effectiveness of the controls you design into these onboarding and termination checklists should be part of the master plan. If you don’t check, the paperwork-hassle attitude creeps in. Even worse, if you don’t check, they may not be following any of the protections at all.

Don’t forget vendors

One more note – this kind of checklist should be followed when you add or remove vendor access too!  If your vendors have access to systems and applications that means they need to be removed from systems and applications when you no longer work with them.  They are no different than your employees when it comes to these things.