[BreachExchange] HIPAA Security Rule Requires Physical Security of Equipment

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 1 14:59:46 EDT 2018


https://healthitsecurity.com/news/hipaa-security-rule-requires-physical-security-of-equipment


While most HIPAA Security Rule violations involve electronic data breaches,
healthcare providers and business associates could also face a violation
for failing to physically secure computers and other equipment holding PHI.

The HIPAA Security Rule requires the implementation of “physical safeguards
for all workstations that access ePHI to restrict access to authorized
users.”

OCR noted in its May 2018 cybersecurity newsletter that the rule defines a
workstation as a “computing device, for example a laptop or desktop
computer, or any other device that performs similar functions and
electronic media stored in its immediate environment.” This definition
includes tablets, smartphones, and other portable devices.

In fact, the HIPAA Security Rule’s physical safeguard standard has resulted
in OCR settlement payments ranging from $250,000 to $3.9 million.

In 2012, Massachusetts Eye and Ear agreed to pay $1.5 million for a
physical security violation; in 2014, QCA Health Plan agreed to pay
$250,000; in 2016, Feinstein Institute for Medical Research agreed to pony
up a hefty $3.9 million and the University of Mississippi agreed to pay
$2.75 million.

OCR said that privacy screens can be used to prevent an unauthorized person
from viewing a computer screen, and that cable, port, and device locks can be
purchased at “low cost.” Equipment and media can be locked away in a
storage area when not in use, and security cameras and guards could also be
used to monitor equipment.

In addition, Microsoft Windows Group Policy configuration and third-party
software can be employed to restrict access to USB ports and removable
devices.

“Unrestricted access to USB ports and removable media devices can
facilitate unauthorized copying of data to removable media as well as
permit access to removable media which could be infected with malicious
software,” the newsletter explained.
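The Group Policy restriction mentioned above leaves a verifiable trace on each workstation. The PowerShell audit below is an added example, not code from the article or the OCR newsletter; it assumes the standard registry locations that the "Removable Storage Access" policies and the USBSTOR driver use, and that it runs with administrative rights on the workstation being checked.

```powershell
# Added example: report whether removable-media access is restricted on this
# workstation, as the "Removable Storage Access" Group Policy would enforce it.
# Assumed registry paths (the standard ones written by that policy / the driver):
$policyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$removableGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # Removable Disks class used by the policy
$usbstorKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns the DWORD if the value exists, otherwise $null (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Describe-State {
    param($Value)
    if ($null -eq $Value) { return 'NOT CONFIGURED' }
    if ($Value -eq 1)     { return 'ENFORCED' }
    return 'DISABLED'
}

$denyAll   = Get-PolicyValue $policyRoot 'Deny_All'
$denyWrite = Get-PolicyValue "$policyRoot\$removableGuid" 'Deny_Write'
$denyRead  = Get-PolicyValue "$policyRoot\$removableGuid" 'Deny_Read'
$usbStart  = Get-PolicyValue $usbstorKey 'Start'   # 4 = USB mass-storage driver disabled

'{0,-48} {1}' -f 'All removable storage classes: deny all access', (Describe-State $denyAll)
'{0,-48} {1}' -f 'Removable disks: deny write access',             (Describe-State $denyWrite)
'{0,-48} {1}' -f 'Removable disks: deny read access',              (Describe-State $denyRead)
'{0,-48} {1}' -f 'USBSTOR driver', $(if ($usbStart -eq 4) { 'DISABLED (Start=4)' } else { "ENABLED (Start=$usbStart)" })

# Copying ePHI to a USB stick is blocked if any of these is in force.
$writeBlocked = ($denyAll -eq 1) -or ($denyWrite -eq 1) -or ($usbStart -eq 4)
if (-not $writeBlocked) {
    Write-Warning 'Writes to removable media are not restricted on this workstation; review the Removable Storage Access policy.'
}
```

Run it from a scheduled task or a configuration-management check and keep the output with the device inventory, so the answer to OCR's "what physical security controls are currently in use" question is documented rather than assumed.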

OCR recommended that healthcare organizations ask the following questions
to develop a physical security strategy:

• Is there a current inventory of all electronic devices, including where
such devices are located?

• Are any devices located in public areas or other areas that are more
vulnerable to theft, unauthorized use, or unauthorized viewing?

• Should devices currently in public or vulnerable areas be relocated?

• What physical security controls are currently in use, and are they easy
to use?

• What additional physical security controls could be reasonably put into
place?

• Are policies in place and employees properly trained regarding physical
security?

• Are signs posted reminding personnel and visitors about physical security
policies or monitoring?

“While the latest security solutions to combat new threats and
vulnerabilities get much deserved attention, appropriate physical security
controls are often overlooked. Yet physical security controls remain
essential and often cost-effective components of an organization’s overall
information security program,” the OCR newsletter concluded.

The 2018 HIMSS Cybersecurity Survey found that 71.1 percent of 239
healthcare IT respondents include physical security in their security risk
assessments. A full 81.3 percent of respondents include cybersecurity
policies, procedures, and documentation in their risk assessments, 74.4
percent include network security, 73.5 percent include security awareness
and training, and 69.3 percent include an inventory of assets in their risk
assessments.

Around 83 percent of respondents said their organization adopted better
security measures because of the risk assessment results, while 65 percent
said they replaced or upgraded security solutions based on the results.
Slightly more than half said that hardware, software, or devices that were
end-of-life or that had been deprecated were replaced.

The top two cybersecurity barriers were not having the right cybersecurity
personnel on staff and a lack of financial resources, the survey found.

Healthcare organizations do not allocate enough of their IT budgets to
cybersecurity; 21 percent said their organization allocated only 1 to 2
percent of the IT budget to cybersecurity while 21 percent devoted 3 to 6
percent of the budget.

“Risk assessments are done for a purpose—namely, managing risk (not just
merely identifying and assessing risks, with nothing more),” the HIMSS
report authors wrote. “New or improved security measures may be adopted,
security solutions may be upgraded or replaced, and hardware, software, and
devices may be replaced.”