Termination procedures are a fundamental part of an information security program, no matter how small the organization. Inadequate policies have resulted in publicized breaches in healthcare.
You should at least have a small checklist that a supervisor or physician follows when an individual leaves. The checklist should address the following points:
- Revoke the individual’s computer access (including all user IDs and passwords)
- Obtain keys/card-keys
- Obtain badge
- Obtain any software or work documents (including those at home) belonging to the organization, if any, and a signed statement declaring that all materials have been returned
- Obtain any equipment (computer equipment, pagers, PDAs, cell phones, etc.) that belongs to the organization
- Change shared passwords
- Change combination locks when the combination is known to the individual
Be sure to mark off a checklist or record the information in some other form. Include the date and the name of the person completing the checklist, and file this documentation.