OCR warned HIPAA-regulated organizations in its August 2024 cybersecurity newsletter that physical security measures, like facility access controls, are crucial for HIPAA Security Rule compliance and should not be thought of as check-the-box items. Physical security measures matter because they protect against data breaches and against disruptions to medical care.

The HIPAA Security Rule creates a set of standards for protecting electronic versions of protected health information (ePHI) and operationalizes the safeguards of the HIPAA Privacy Rule. Ensuring the security, integrity, and availability of electronic health information (ePHI), recognizing and preventing reasonably anticipated risks, securing against reasonably anticipated uses and disclosures of ePHI, and ensuring workforce compliance are all part of complying with the HIPAA Security Rule.

In the past few years, cybercriminal groups and nation-state actors have posed the greatest threat to ePHI. Their aim is to gain access to healthcare networks in order to steal ePHI and cut off access to crucial IT systems. Even though hacking and other IT incidents account for the majority of large data breaches, a significant number of breaches involve a lack of physical safeguards. According to the 2023 State of Data Security Report from Forrester Research, the loss or theft of devices such as desktop computers, servers, laptops, backup devices, and flash drives accounts for 17% of data breaches, yet just 7% of security decision-makers were concerned that the loss or theft of these devices would result in a security breach.

OCR received more than 50 reports from HIPAA-regulated entities between January 1, 2020, and December 31, 2023, detailing data breaches involving 500 or more individuals that resulted from lost or stolen devices containing ePHI. The ePHI of over one million people was compromised in these breaches. Even though such breaches occur far less frequently than hacking incidents, they are among the most easily prevented: encrypting data on electronic devices and putting physical security measures in place address most of them.

Theft of electronic equipment kept on the premises was a common feature of the incidents reported to OCR. Theft of desktops and portable electronics that hold ePHI may impact patient treatment in addition to violating patient privacy. Clinicians may be unable to access patients' ePHI if the devices holding patient records are stolen, and the loss of equipment used to provide diagnostic or treatment services can affect the delivery of care. In addition to taking devices, thieves have also been known to damage vital IT infrastructure, such as the equipment needed for cooling, charging, or network connectivity, which can further disrupt the provision of healthcare.

As OCR explains in the newsletter, ePHI cannot be considered secure if proper physical security measures are not in place. In 2018, OCR announced a $3.5 million settlement with Fresenius Medical Care North America (FMC) to resolve violations of the HIPAA Security Rule that led to five data breaches in 2012 involving the loss or theft of devices from FMC facilities and employee vehicles. In three of the cases, the electronic equipment was stolen during break-ins at FMC facilities. OCR found that FMC had failed to perform a risk analysis, had no mechanism in place for encrypting data, had not followed policies and procedures governing the receipt and removal of devices from its facilities, had no policies in place to address security incidents, and had not implemented policies and procedures to safeguard its facilities and the equipment kept there.

The HIPAA Security Rule's Facility Access Controls standard is the main topic of this cybersecurity newsletter. It requires regulated entities to implement policies and procedures that limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Although it is only one component, implementing physical security measures that prevent or deter unauthorized entry to locations where ePHI can be accessed is essential for compliance with this Security Rule standard.

This standard has four implementation specifications: contingency operations, a facility security plan, access control and validation procedures, and maintenance records. These specifications are addressable, so a regulated entity must evaluate whether each one is reasonable and appropriate in its environment. If it is, the specification should be implemented. If it is not reasonable and appropriate, the reason must be documented in writing, and an equivalent alternative measure that provides the same level of security should be put in place.

OCR cautions against treating these measures as box-checking items on a HIPAA compliance checklist and provides guidance for regulated entities on complying with the Facility Access Controls standard, discussing each implementation specification in turn. "An entity's overall cybersecurity plan and HIPAA compliance program should be considered holistically with facility security," OCR stated. "Facility security is a vital part of a regulated entity's overall security plan to protect PHI."

Article Link: https://www.hipaajournal.com/