While most HIPAA Security Rule violations involve electronic data breaches, healthcare providers and business associates could also face a violation for failing to physically secure computers and other equipment holding PHI.

By Fred Donovan, HealthIT Security


The HIPAA Security Rule requires the implementation of “physical safeguards for all workstations that access ePHI to restrict access to authorized users.”

OCR noted in its May 2018 cybersecurity newsletter that the rule defines a workstation as a “computing device, for example a laptop or desktop computer, or any other device that performs similar functions and electronic media stored in its immediate environment.” This definition includes tablets, smartphones, and other portable devices.

In fact, the HIPAA Security Rule’s physical safeguard standard has resulted in OCR settlement payments ranging from $250,000 to $3.9 million.

In 2012, Massachusetts Eye and Ear agreed to pay $1.5 million for a physical security violation; in 2014, QCA Health Plan agreed to pay $250,000; and in 2016, Feinstein Institute for Medical Research agreed to pay $3.9 million and the University of Mississippi Medical Center agreed to pay $2.75 million.

OCR said that privacy screens can be used to prevent an unauthorized person from viewing a computer screen, and that cable, port, and device locks can be purchased at “low cost.” Equipment and media can be locked away in a storage area when not in use, and security cameras and guards can also be used to monitor equipment.

In addition, Microsoft Windows Group Policy configuration and third-party software can be employed to restrict access to USB ports and removable devices.

“Unrestricted access to USB ports and removable media devices can facilitate unauthorized copying of data to removable media as well as permit access to removable media which could be infected with malicious software,” the newsletter explained.
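As an added example (not code from the article or from the OCR newsletter), the script below sets the registry values that the “Removable Storage Access” Group Policy settings write, and then reads them back so an auditor can confirm what is actually enforced on a workstation. The policy key path, the `Deny_All`/`Deny_Write`/`Deny_Execute` value names and the Removable Disks class GUID are the ones used by the Windows policy template (RemovableStorage.admx); the function names are my own. In production the same values would be delivered by a domain GPO rather than written locally, since a GPO overwrites local edits at the next refresh.

```powershell
# Added example: restrict removable storage the way the Windows Group Policy
# "Computer Configuration > Administrative Templates > System > Removable Storage Access"
# does, by writing the policy-backed registry values directly, then verify them.
# Run in an elevated session on a test workstation first. Function names are
# illustrative (not part of Windows); key paths and value names are the policy's own.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device class GUID that RemovableStorage.admx uses for "Removable Disks" (USB sticks, external HDDs).
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableStorageDeny {
    param(
        # 'All'       = "All Removable Storage classes: Deny all access" (nothing mounts)
        # 'WriteOnly' = removable disks are readable but cannot be written to or executed from
        [ValidateSet('All', 'WriteOnly')] [string] $Mode = 'All'
    )
    if (-not (Test-Path $PolicyRoot)) { New-Item -Path $PolicyRoot -Force | Out-Null }

    switch ($Mode) {
        'All' {
            New-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -Value 1 -PropertyType DWord -Force | Out-Null
        }
        'WriteOnly' {
            $classKey = Join-Path $PolicyRoot $RemovableDisks
            if (-not (Test-Path $classKey)) { New-Item -Path $classKey -Force | Out-Null }
            # Deny_Write stops copying ePHI onto a stick; Deny_Execute stops running binaries from one.
            New-ItemProperty -Path $classKey -Name 'Deny_Write'   -Value 1 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $classKey -Name 'Deny_Execute' -Value 1 -PropertyType DWord -Force | Out-Null
            # A lingering Deny_All would make the read-only intent moot, so clear it.
            Remove-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -ErrorAction SilentlyContinue
        }
    }
    # Some of these settings only take effect after the device is re-enumerated or the machine reboots.
}

function Test-RemovableStoragePolicy {
    # Reads the enforced state back. Useful as the evidence line in a risk assessment:
    # the question is not "did we set a policy" but "is it in force on this host".
    $denyAll   = (Get-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $classKey  = Join-Path $PolicyRoot $RemovableDisks
    $denyWrite = (Get-ItemProperty -Path $classKey -Name 'Deny_Write' -ErrorAction SilentlyContinue).Deny_Write
    # Independent, coarser control: the USB mass-storage driver service, 4 = Disabled.
    $usbstor   = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                    -Name 'Start' -ErrorAction SilentlyContinue).Start

    [pscustomobject]@{
        DenyAllRemovable    = ($denyAll   -eq 1)
        DenyWriteRemovable  = ($denyWrite -eq 1)
        UsbstorDisabled     = ($usbstor   -eq 4)
        # Compliant if at least one control prevents copying ePHI to removable media.
        Compliant           = (($denyAll -eq 1) -or ($denyWrite -eq 1) -or ($usbstor -eq 4))
    }
}

# Usage: make USB disks read-only, then show what is enforced.
Set-RemovableStorageDeny -Mode WriteOnly
Test-RemovableStoragePolicy | Format-List
```

Run `Test-RemovableStoragePolicy` across a fleet (for example through a remoting job or a configuration-management check) and keep the output: it answers OCR's “what physical security controls are currently in use” question with evidence rather than a policy document, and it catches hosts where the GPO never applied.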

OCR recommended that healthcare organizations ask the following questions to develop a physical security strategy:

• Is there a current inventory of all electronic devices, including where such devices are located?

• Are any devices located in public areas or other areas that are more vulnerable to theft, unauthorized use, or unauthorized viewing?

• Should devices currently in public or vulnerable areas be relocated?

• What physical security controls are currently in use, and are they easy to use?

• What additional physical security controls could be reasonably put into place?

• Are policies in place and employees properly trained regarding physical security?

• Are signs posted reminding personnel and visitors about physical security policies or monitoring?

“While the latest security solutions to combat new threats and vulnerabilities get much deserved attention, appropriate physical security controls are often overlooked. Yet physical security controls remain essential and often cost-effective components of an organization’s overall information security program,” the OCR newsletter concluded.

The 2018 HIMSS Cybersecurity Survey found that 71.1 percent of 239 healthcare IT respondents include physical security in their security risk assessments. A full 81.3 percent of respondents include cybersecurity policies, procedures, and documentation in their risk assessments, 74.4 percent include network security, 73.5 percent include security awareness and training, and 69.3 percent include an inventory of assets in their risk assessments.

Around 83 percent of respondents said their organization adopted better security measures because of the risk assessment results, while 65 percent said they replaced or upgraded security solutions based on the results. Slightly more than half said that hardware, software, or devices that were end-of-life or deprecated were replaced.

The top two cybersecurity barriers were not having the right cybersecurity personnel on staff and a lack of financial resources, the survey found.

Many healthcare organizations allocate only a small share of their IT budgets to cybersecurity: 21 percent of respondents said their organization allocated just 1 to 2 percent of the IT budget to cybersecurity, while another 21 percent devoted 3 to 6 percent.

“Risk assessments are done for a purpose—namely, managing risk (not just merely identifying and assessing risks, with nothing more),” the HIMSS report authors wrote. “New or improved security measures may be adopted, security solutions may be upgraded or replaced, and hardware, software, and devices may be replaced.”