Regulator: Don’t Neglect Physical Security of ‘Workstations’
OCR Alert Offers Insights on Keeping Patient Records Secure
A May 30 cybersecurity alert issued by the Department of Health and Human Services’ Office for Civil Rights urges HIPAA covered entities (CEs) and business associates (BAs) to pay closer attention to the physical security of “workstations,” a term that OCR applies to a wide variety of devices, not only desktop computers.
Keith Fricke, partner and principal consultant at tw-Security, says he often sees a lack of attention given to physical security by healthcare providers and their vendors.
“A common theme is that many CEs are not taking any measures to validate the security practices of a BA beyond having a signed agreement in place,” he says. “Regarding paper/film, CEs should confirm if the BA with whom they have an arrangement for the storage, transport or disposal of paper-based PHI has subcontracted those services. Stories exist where a paper-based breach occurred and the CE discovers that the BA relationship is several layers deep because the initial BA subcontracted to another vendor, who, in turn, subcontracted again.”
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes that a key challenge in physically securing PHI is keeping track of where all PHI is located.
“Very few organizations have a good inventory of PHI, which can lead to potential breaches, such as long-forgotten laptops getting lost or stolen.”
—Adam Greene, Davis Wright Tremaine