HHS Office for Civil Rights (OCR) Warns: Don’t Forget About Physical Security

In its most recent newsletter, OCR reminds covered entities and business associates that the HIPAA Security Rule requires protecting patient information with administrative, physical and technical safeguards. OCR states: “While the latest security solutions to combat new threats and vulnerabilities get much deserved attention, appropriate physical security controls are often overlooked. Yet physical security controls remain essential and often cost-effective components of an organization’s overall information security program.” OCR further notes that failing to provide adequate physical security for workstations can have serious consequences: settlements in past enforcement actions have ranged from $200,000 to almost $4 million.

A workstation is defined as a stationary or mobile computing device, including desktops, laptops, tablets, smartphones and the electronic media stored in its immediate environment. One recent OCR settlement involved a laptop, used with a portable tomography device, that was stolen from an unlocked room.

Questions to consider for a physical security strategy:

  • Do you have a policy in place for physical security of devices?
  • Do you have a current inventory of all electronic devices including their location?
  • Are any devices located in public areas or areas that are vulnerable to theft, unauthorized use, or unauthorized viewing?
  • What physical security controls are currently in use? Check all that apply: cable locks, privacy screens, secured rooms, cameras, guards, and alarm systems.
  • Are employees properly trained to use these controls? Are they easy to use?
  • How are your mobile devices physically protected when not on-site?
  • Is it possible to relocate devices currently in public or vulnerable areas?
  • If not, what additional physical security controls could reasonably be put in place?
  • Are policies in place, and are employees properly trained, regarding physical security (e.g., use of cable locks and privacy screens)?
  • Are signs posted reminding personnel and visitors about physical security policies or monitoring?

Suggestions for low or no cost controls:

  • Use privacy screens, or position workstation screens so they cannot be viewed from public or high-traffic areas.
  • Install cable locks to deter removal of devices.
  • Install port and device locks to physically restrict access to USB ports and CD/DVD drives.
  • Technical controls, including Microsoft Windows Group Policy settings and third-party endpoint software, can also restrict access to USB ports and removable media. Unrestricted access to removable media makes it easy for someone to copy data off a workstation and provides a path for malicious software to be introduced.
  • Lock up portable electronic equipment and media when not in use.
  • Use security cameras and/or guards, and post signs.
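As an added example (not from the OCR newsletter or the original post), the following PowerShell script audits and applies the registry-backed policy that corresponds to the Windows Group Policy setting "All Removable Storage classes: Deny all access", and can optionally stop the USB mass-storage driver from loading. It assumes an elevated PowerShell session on a stand-alone or locally managed Windows host; on domain-joined machines the same setting should be deployed through Group Policy, which overwrites local values. The function names are the example's own.

```powershell
# Added example: audit and enforce a removable-storage restriction on Windows.
# Assumes an elevated session on a locally managed host. Function names are ours.

# Policy key written by "All Removable Storage classes: Deny all access" (Deny_All = 1).
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Service key for the USB mass-storage driver; Start = 4 means Disabled (default is 3, Manual).
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableStorageState {
    # Report the current state of both controls as an object you can log or export
    # (useful as evidence for the physical-safeguard portion of a risk analysis).
    $denyAll = $null
    if (Test-Path $PolicyKey) {
        $denyAll = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    }
    $usbStart = (Get-ItemProperty -Path $UsbStorKey -Name 'Start' -ErrorAction SilentlyContinue).Start

    $driverState = 'Unknown'
    if ($usbStart -eq 4)            { $driverState = 'Disabled' }
    elseif ($null -ne $usbStart)    { $driverState = 'Enabled' }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        PolicyDenyAll        = ($denyAll -eq 1)
        UsbMassStorageDriver = $driverState
        Compliant            = ($denyAll -eq 1) -or ($usbStart -eq 4)
    }
}

function Set-RemovableStorageDeny {
    # Apply the controls. Supports -WhatIf so the change can be reviewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Also stop the USB mass-storage driver from loading. This blocks USB disks
        # for every user, including administrators, but does not affect USB keyboards
        # and mice, which use the HID class rather than USBSTOR.
        [switch]$DisableUsbStorDriver
    )

    if (-not (Test-Path $PolicyKey)) {
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Create policy key')) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set Deny_All = 1')) {
        New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
    }
    if ($DisableUsbStorDriver -and $PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start = 4 (Disabled)')) {
        Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
    }

    # Return the post-change state so the caller can verify and record it.
    Get-RemovableStorageState
}

# Usage: review the current state, preview the change, then apply it.
Get-RemovableStorageState | Format-List
Set-RemovableStorageDeny -WhatIf
# Set-RemovableStorageDeny                          # policy only
# Set-RemovableStorageDeny -DisableUsbStorDriver    # policy plus driver disable
```

The policy value is the same one the Group Policy editor writes, so a local setting and a domain GPO express the same control; the GPO simply wins on refresh. The driver disable is the blunter of the two: it prevents any USB storage device from being mounted at all, which is appropriate for kiosks and shared clinical workstations but will also block devices you have authorized. Run the audit function across a fleet and keep the output with your device inventory so the "what controls are in use" question above can be answered with evidence rather than recollection.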

A good risk analysis should examine your physical safeguards as well as your technical and administrative safeguards. Always look for ways to improve the security of your protected health information.