In May 2018, the U.S. Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) issued its Cybersecurity Newsletter, “Workstation Security: Don’t Forget About Physical Security.” It noted that physical security is an important component of the HIPAA Security Rule that is often overlooked. What constitutes appropriate physical security controls will depend on each organization and its risk analysis and risk management process.
The Security Rule requires the “[implementation of] physical safeguards for all workstations that access ePHI to restrict access to authorized users.” Although this Security Rule standard specifically references “workstations,” the term is defined as “a computing device, for example a laptop or desktop computer, or any other device that performs similar functions and electronic media stored in its immediate environment.” This definition includes portable electronic devices, which could include tablets, smart phones, and similar portable electronic devices. The article noted that physical security can often be implemented for little or no cost.
A physical security checklist might include the following items:
- Is there a current inventory of all electronic devices, such as, for example, computers, portable devices, and electronic media, including where such devices are located?
- Are any devices located in public areas or other areas that are more vulnerable to theft, unauthorized use, or unauthorized viewing?
- Should devices currently in public or vulnerable areas be relocated?
- What physical security controls are currently in use, such as, for example, cable locks, privacy screens, secured rooms, cameras, guards, and alarm systems, and are they easy to use?
- What additional physical security controls could reasonably be put into place?
- Are policies in place and employees properly trained regarding physical security?
- Are signs posted reminding personnel and visitors about physical security policies or monitoring?
See the entire article at https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-may-2018-workstation-security.pdf.
EMR Legal HIPAA consulting and Veterans Press HIPAA compliance products have always stressed physical security as a cost-effective security measure. If an unauthorized person cannot physically access a workstation (considering the expansive definition, above), he cannot insert a jump drive into a port and download PHI even if he has managed to secure a password.
FYI, in case you are keeping track, this blog item is the third in the HIPAA potpourri series that Jon announced a couple of weeks ago in this blog. Stay tuned, same time, same station, next week, for the next item in the potpourri. As always, thanks for reading Jon’s blog, including this one about the new DHHS reminder to address physical security, particularly workstation security, and remember to contact us if you need HIPAA compliance help. If you need help with drafting/updating/implementing your policies, you can find the help you need in the book by Jonathan P. Tomes, The Complete HIPAA Policies and Procedures Guide, with its accompanying CD of sample policies that you can easily make your own, available at http://www.veteranspress.com/product/hipaa-policies-and-procedures. Jon is still out of the loop for a few more weeks, but you can reach Alice at iammccart@gmail.com.