Physical Security of Electronic Devices
Reprinted with Permission from the Medical Association of the State of Alabama
In the age of electronic medical records and ransomware attacks, the recent focus of HIPAA compliance has been on electronic security. How are your electronic medical records stored? Do you require two-factor authentication for remote access to your electronic system? What firewalls and malware detection systems do you have in place to prevent a cyber-attack?
However, in its May 2018 Cyber Security Newsletter, the Office for Civil Rights ("OCR") reminded providers that, alongside electronic security, appropriate physical security controls are also a required component. The HIPAA Security Rule requires that all "workstations" (including laptops, desktops, tablets, smart phones, and other portable electronic devices) that access PHI have physical safeguards in place to restrict access to authorized users.
According to OCR, the following methods may be helpful in achieving compliance with this requirement: privacy screens, cable locks, port and device locks (preventing use of USB ports or removable media), positioning screens so that they cannot be viewed by passers-by, locking rooms that store electronic equipment, security cameras, and security guards. Of course, which methods are appropriate for a given provider will depend on that provider's risk analysis and risk management process.
Download the full article, "Physical Security of Electronic Devices" written by Kelli Carpenter Fleming.