In its monthly Cybersecurity Newsletter at the end of May, the Office of Civil Rights (OCR) of the United States Department of Health and Human Services pointedly reminds us of the need to be conscious of some fundamental physical safeguards for cybersecurity. The HIPAA Security Rule has a provision devoted to physical security, but as the OCR newsletter points out, “physical security is an important component of the HIPAA Security Rule that is often overlooked.” One aspect of security that is lurking in plain sight is the workstation.
The Security Rule addresses physical security in 45 C.F.R § 164.310, which focuses on two key areas: 1) controls on physical access to the facility or area where systems that process Protected Health Information (PHI) operate; and 2) protecting the individual system components, such as workstations.
The May OCR newsletter highlights some important issues relating to the workstations that handle PHI. To put this in context, let’s start with some basic concepts:
- The “Workstation” concept, under the Security Rule, includes not only each electronic computing device that stores or processes PHI, but also nearby electronic media.
- The Security Rule has Standards that establish criteria with which an organization must comply, as well as Implementation Specifications with more detailed guidance.
- The Security Rule denotes some implementation specifications as “Required” and others as “Addressable.” The Required specifications are mandatory, but “Addressable” does not mean “ignorable.” An organization still must assess each Addressable implementation specification, weigh the costs of implementing it, and document the conclusion reached in that assessment on whether to implement.
- The Risk Analysis: Among the Required administrative safeguards in the HIPAA Security Rule is a risk analysis, in which the organization assesses the risks to its PHI – specifically, how the confidentiality or integrity of PHI might be compromised, and how its availability to the organization might be imperiled.
The Security Rule requires organizations to adopt policies specifying the functions to be performed at a Workstation, and addressing the design or configuration of any area where a Workstation will be in use. It is important to remember that the risk analysis and the resulting policies should consider circumstances where the Workstation is in use out of the office, for instance when an individual is working on a portable device like a laptop at home or on the road. The Workstation policy must account for all likely use scenarios.
The Security Rule also identifies physical safeguards for Workstations, including device and media controls to restrict the use and movement of portable electronic media. The May Newsletter highlights several key steps that each organization should address:
- Completing an inventory of all electronic devices that contain or process PHI;
- Reviewing the location of all such devices and assessing the risks of unauthorized viewing or theft at all the locations where they will be in use; and
- Analyzing the current physical controls that are in place for each device and determining whether additional security measures are warranted.
The HIPAA Security Rule recognizes, in 45 C.F.R § 164.306, that as part of its risk analysis each organization has the leeway to gauge its security risks and to weigh the costs of particular protections against the risks it has identified, in order to decide whether those measures make sense. OCR reiterates this in its May Newsletter: “What constitutes appropriate physical security controls will depend on each organization and its risk analysis and risk management process.”
However, OCR’s May newsletter also pointedly emphasizes that many safeguards for workstations “are available at little or no cost.” It specifically mentions privacy screens to prevent inappropriate peripheral viewing, and cable locks on devices to prevent theft, as two items that can be purchased for $20 to $40; it also notes that devices restricting access to computer ports and drives are inexpensive. With this message from the May newsletter, OCR clearly is nudging each organization affected by HIPAA to take another careful look at its Workstation policies and at the measures that can be taken to protect the PHI stored and processed on this ubiquitous component of every IT system.