Intro to HIPAA’s Physical Safeguard Requirements – Part 1

With all the attention given to cybercriminals’ love of medical data, it can be just a little too easy to forget that healthcare data faces physical risks too. The estimated value of a medical record sits at an average of $355 (according to the Ponemon Institute), so there’s no room to get comfortable.

At the same time, stolen devices and improper disposal have been topping the charts of healthcare data threats in recent years (read up on some of these news-making physical breaches if you want to learn more). Together, all this means that physical security should be a top concern for any healthcare facility.

None of this, though, is a surprise to anyone keeping up with HIPAA regulations.

HIPAA regulations go into quite a bit of detail in covering physical safeguard standards, which is why we’re going to hit some of the HIPAA Security Standard highlights that we think are going to carry the most weight in the modern hospital and medical record security environment.

What Are Physical Safeguards?

First, let’s get the technical definition out of the way. According to the Security Rule, physical safeguards are:

“physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

From a pure security perspective, that means your access control system should be properly protecting the EPHI on all devices according to HIPAA standards.

The very first standard (164.310(a)(1)) actually specifies that physical access to electronic information systems, along with the facilities in which they're housed, should be limited through implemented policies and procedures. At the same time, properly authorized access must be allowed to those who need it.

That final requirement is critical since it means that covered entities may need to implement access control systems that identify individuals (business associates, members of the workforce, contractors, and so on) and grant them authorized access by title and possibly job function.

These physical access controls are not optional. They're a critical component of any Facility Security Plan, which must be documented and must ensure that only properly authorized individuals (those with "legitimate business needs") are allowed access to the facilities and equipment that house EPHI. Facilities are also responsible for ensuring that procedures are in place to prevent both tampering with and potential theft of EPHI and any related equipment.
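To make the "authorized access by job function, logged and documented" idea concrete, here is a small added example (written for this page; it is not code from the original post, from HHS, or from any access control vendor). It models a badge-based facility access decision where the job function, not the person's name, determines which EPHI-housing areas can be entered, and every decision, granted or denied, is written to an audit trail. The zone names, roles, badge ids and the access matrix are all constructed assumptions.

```python
"""Role-based facility access check with an audit trail.

Added illustrative example for HIPAA 164.310(a)(1) (Facility Access Controls).
Everything below (zones, roles, badge ids, the access matrix) is a constructed
assumption, not a real facility's configuration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed assumption: which job functions have a legitimate business need
# to enter which areas. Areas that house EPHI get the shortest lists.
ZONE_ACCESS = {
    "lobby": {"clinician", "it_staff", "contractor", "business_associate"},
    "records_room": {"clinician", "it_staff"},
    "server_room": {"it_staff"},
}


@dataclass(frozen=True)
class Person:
    badge_id: str
    name: str
    role: str            # job function drives authorization, not the name
    active: bool = True  # False once a badge is revoked (e.g. departed contractor)


@dataclass
class AccessLog:
    """Append-only record of every access decision, for review and audit."""
    entries: List[dict] = field(default_factory=list)

    def record(self, badge_id: str, zone: str, granted: bool,
               reason: str, when: datetime) -> None:
        self.entries.append({
            "time": when.isoformat(),
            "badge_id": badge_id,
            "zone": zone,
            "granted": granted,
            "reason": reason,
        })


def authorize(person: Person, zone: str, log: AccessLog,
              when: Optional[datetime] = None) -> Tuple[bool, str]:
    """Decide whether a badge may open a zone door; always log the decision."""
    when = when or datetime.now(timezone.utc)
    if zone not in ZONE_ACCESS:
        granted, reason = False, "unknown zone"
    elif not person.active:
        granted, reason = False, "badge deactivated"
    elif person.role not in ZONE_ACCESS[zone]:
        granted, reason = False, f"role '{person.role}' has no business need for '{zone}'"
    else:
        granted, reason = True, "authorized by role"
    log.record(person.badge_id, zone, granted, reason, when)
    return granted, reason


def denied_attempts(log: AccessLog) -> List[dict]:
    """Denied entries are the ones a security review looks at first."""
    return [e for e in log.entries if not e["granted"]]


def demo() -> Tuple[List[bool], AccessLog]:
    """Run four constructed badge swipes and return the decisions plus the log."""
    log = AccessLog()
    alice = Person("B-1001", "Alice", "clinician")
    bob = Person("B-2002", "Bob", "contractor")
    carol = Person("B-3003", "Carol", "it_staff", active=False)  # revoked badge
    results = [
        authorize(alice, "records_room", log)[0],  # clinician: allowed
        authorize(bob, "server_room", log)[0],     # contractor: no business need
        authorize(carol, "server_room", log)[0],   # right role, but badge revoked
        authorize(bob, "lobby", log)[0],           # contractor: allowed in lobby
    ]
    return results, log


if __name__ == "__main__":
    decisions, audit = demo()
    for entry in audit.entries:
        print(entry)
```

The point of the structure is that the decision is made from a documented matrix (the Facility Security Plan, in this toy form) rather than from who is asking, and that revoking a badge is a single state change that takes effect on the next swipe. The log of denied attempts is what a facility would review to spot tampering or theft attempts on equipment that houses EPHI.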

Facilities that haven't spent time evaluating and investing in this base level of security protection will likely need to take a step back to understand just how their physical environment facilitates (or jeopardizes) HIPAA compliance.

In the second part of this series, we’re going to take a look at security requirements for individual workstations and how physical access should be restricted and secured.

January 29th, 2018 | Blog, Industry