With so many recent cyber threats involving healthcare providers and business associates, many organizations are hyper-focused on the cybersecurity controls set out by the HIPAA Security Rule. This has led many organizations that fall under HIPAA to let their physical security efforts fall by the wayside or to become too relaxed about the guidelines. Physical security is a vital aspect of your security initiatives and should not be underemphasized or overlooked.

In May, the Office for Civil Rights (OCR) released a newsletter that highlighted a renewed focus on physical security, specifically workstation security. The HIPAA Security Rule defines a workstation as “a computing device, for example a laptop or desktop computer, or any other device that performs similar functions and electronic media stored in its immediate environment.” OCR notes that this definition includes portable devices such as tablets, smartphones, or any other portable electronic device.

OCR offers many suggestions for security controls that an organization can easily implement at minimal cost. But the most valuable takeaway is the reminder to implement a comprehensive strategy in order to be fully compliant with the HIPAA Security Rule.

To effectively deploy a physical security strategy, OCR provides some vital questions to include in your assessment:

  • Is there a current inventory of all electronic devices (i.e., computers, portable devices, electronic media) including where such devices are located?
  • Are any devices located in public areas or other areas that are more vulnerable to theft, unauthorized use, or unauthorized viewing?
  • Should devices currently in public or vulnerable areas be relocated?
  • What physical security controls are currently in use (i.e., cable locks, privacy screens, secured rooms, cameras, guards, alarm systems) and are they easy to use?
  • What additional physical security controls could be reasonably put into place?
  • Are policies in place and employees properly trained regarding physical security (i.e., use of cable locks and privacy screens)?
  • Are signs posted reminding personnel and visitors about physical security policies or monitoring?

A complete risk assessment includes managing risk, which extends beyond the persistent effort to maintain an environment that is resistant to cyber threats and vulnerabilities. Physical security is an essential aspect of security and is explicitly addressed in the HIPAA Security Rule, which requires the implementation of “physical safeguards for all workstations that access ePHI to restrict access to authorized users.”

Strict adherence to the rule is required, including its physical security requirements. There have been many incidents of non-compliance with this aspect of the rule, resulting in fees for covered entities ranging from $250,000 to $3.9 million, as reported by OCR. With so many simple solutions that can be incorporated into a physical security strategy, healthcare organizations and business associates can’t afford to ignore physical security.

Minimize your security risks and improve your compliance posture with Digital Forge. Contact us at (877) 369-1831 or visit our website to engage with a qualified expert today.
