In a recent statement, the Department of Health and Human Services’ Office for Civil Rights (OCR) reminded covered entities (CEs) that HIPAA compliance requires physical security measures to be put in place to ensure the confidentiality, integrity, and availability of protected health information. OCR was concerned that many CEs overlook this requirement and focus only on the more widely known technical and cybersecurity measures.
Although they are often given second place to technical controls, physical controls are frequently very simple and cheap forms of protection. Some physical security controls are entirely free, such as ensuring that portable electronic devices (laptop computers, portable storage devices, and pen drives) are locked away in a secure location when they are not in use.
This type of security measure is deceptively simple, so much so that it is often overlooked. However, it has proven to be one of the most effective ways of preventing theft and ensuring the confidentiality of PHI. Inadequate physical security can be extremely detrimental to an organization, even if its technical measures are strong.
In its statement, OCR draws attention to a 2015 HIPAA breach settlement with Lahey Hospital and Medical Center. An unencrypted laptop computer was stolen from the teaching hospital associated with Tufts Medical School. This resulted in 599 patients’ ePHI being accessed by unauthorized individuals.
The laptop in question had been connected to a computerized tomography (CT) scanner. Despite containing sensitive patient information, the laptop was stored in an unlocked treatment room located on the inner corridor of the radiology department. Because of these inadequate security measures, both technical and physical, anyone wishing to access the data could easily do so. Lahey Hospital settled the alleged breach of HIPAA Rules for $850,000.
Another case of inadequate physical security resulting in a fine for the CE was seen in 2014. QCA Health Plan agreed to settle potential HIPAA violations with OCR for $250,000. QCA Health Plan had failed to implement physical safeguards for all of its laptops, and therefore ePHI could be accessed by unauthorized users. In that case, an unencrypted laptop computer was stolen from an employee's vehicle, and the data on it was easily taken.
The fines for HIPAA violations due to inadequate physical security measures can reach seven-figure sums. In 2012, Massachusetts Eye and Ear Infirmary (MEEI) settled a HIPAA violation case with OCR for $1.5 million. This was another case of an unencrypted laptop computer being stolen from an unsecured location that resulted in the impermissible disclosure of ePHI.
Similarly, in July 2016, University of Mississippi Medical Center settled a case with OCR for $2,750,000. An unencrypted laptop computer containing the ePHI of an estimated 10,000 patients was stolen from its Medical Intensive Care unit after being left in an unlocked office.
According to HIPAA Rules, covered entities and their business associates are required to implement “physical safeguards for all workstations that access ePHI to restrict access to authorized users.” Workstations include desktop computers, laptops, and other computing devices such as USB drives, smartphones, and tablets.
OCR recommends that CEs and their business associates perform risk analyses of their working environment to determine the best physical security controls to implement. Some common physical security controls used to secure electronic devices and ePHI include:
- Positioning desks to ensure screens cannot be easily viewed by anyone other than the user of a workstation
- Cable locks to prevent electronic devices containing ePHI from being removed without authorization
- The use of security cameras to deter theft of electronic devices and physical PHI
- Use of signage to remind employees about the need to use physical security controls
- Use of port and device locks to prevent CD/DVD drives and USB connections from being used on workstations to copy ePHI and install unauthorized software.
In its statement, OCR explained: “While the latest security solutions to combat new threats and vulnerabilities get much deserved attention, appropriate physical security controls are often overlooked. Yet physical security controls remain essential and often cost-effective components of an organization’s overall information security program.”