Topic: Physical Security in healthcare facilities. Please find a couple of examples where hospitals/offices were at risk due to lack of adequate physical security measures and discuss what other facilities should learn from those events, for example abducted babies, staff attacked, shootings, etc. Add links so others can get the details before commenting on your posts.
What is the Security Series?
The security series of papers will provide guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule titled “Security Standards for the Protection of Electronic Protected Health Information,” found at 45 CFR Part 160 and Part 164, Subparts A and C. This rule, commonly known as the Security Rule, was adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The series will contain seven papers, each focused on a specific topic related to the Security Rule. The papers are designed to give HIPAA covered entities insight into the Security Rule, and assistance with implementation of the security standards. This series aims to explain specific requirements, the thought process behind those requirements, and possible ways to address the provisions.
CMS recommends that covered entities read the first paper in this series, “Security 101 for Covered Entities,” before reading the other papers. The first paper clarifies important Security Rule concepts that will help covered entities as they plan for implementation. This third paper in the series is devoted to the standards for Physical Safeguards and their implementation specifications and assumes the reader has a basic understanding of the Security Rule.
3 Security Standards: Physical Safeguards

Background
An important step in protecting electronic protected health information (EPHI) is to implement reasonable and appropriate physical safeguards for information systems and related equipment and facilities. The Physical Safeguards standards in the Security Rule were developed to accomplish this purpose. As with all the standards in this rule, compliance with the Physical Safeguards standards will require an evaluation of the security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions derived from a number of factors unique to each covered entity.

Compliance Deadlines: No later than April 20, 2005 for all covered entities, except small health plans, which have until no later than April 20, 2006.

NOTE: To download the first paper in this series, “Security 101 for Covered Entities,” visit the CMS website at www.cms.hhs.gov/SecurityStandard/ under the “Regulation” page.

NOTE: A matrix of all of the Security Rule Standards and Implementation Specifications is included at the end of this paper.
The objectives of this paper are to:
- Review each Physical Safeguard standard and implementation specification listed in the Security Rule.
- Discuss physical vulnerabilities and provide examples of physical controls that may be implemented in a covered entity’s environment.
- Provide sample questions that covered entities may want to consider when implementing the Physical Safeguards.
What are physical safeguards?
The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” The standards are another line of defense (adding to the Security Rule’s administrative and technical safeguards) for protecting EPHI.

When evaluating and implementing these standards, a covered entity must consider all physical access to EPHI. This may extend outside of an actual office, and could include workforce members’ homes or other physical locations where they access EPHI.

Facility Access Controls
STANDARD § 164.310(a)(1)
The first standard under the Physical Safeguards section is Facility Access Controls. It requires covered entities to:
“Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”
NOTE: All four Facility Access Controls implementation specifications are addressable. This means that each covered entity must determine if and how each of them should be implemented for its organization.

NOTE: For a more detailed discussion of “addressable” and “required” implementation specifications, see the first paper in this series, “Security 101 for Covered Entities.”

NOTE: A facility is defined in the Security Rule as the physical premises and the interior and exterior of a building or buildings.

Sample questions for covered entities to consider:
- Are policies and procedures developed and implemented that address allowing authorized and limiting unauthorized physical access to electronic information systems and the facility or facilities in which they are housed?
- Do the policies and procedures identify individuals (workforce members, business associates, contractors, etc.) with authorized access by title and/or job function?
- Do the policies and procedures specify the methods used to control physical access, such as door locks or electronic access control systems?

The Facility Access Controls standard has four implementation specifications:
1. Contingency Operations (Addressable)
2. Facility Security Plan (Addressable)
3. Access Control and Validation Procedures (Addressable)
4. Maintenance Records (Addressable)
1. CONTINGENCY OPERATIONS (A) – § 164.310(a)(2)(i)
The Contingency Operations implementation specification refers to the facility access security measures entities establish for the time when their contingency plans are active. Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:
“Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.”

Facility access controls during contingency operations will vary significantly from entity to entity. For example, a large covered entity may need to post guards at entrances to the facility or have escorts for individuals authorized to access the facility for data restoration purposes.

Sample questions for covered entities to consider:
- Are procedures developed to allow facility access when lost data must be restored under the disaster recovery plan and emergency mode operations plan?
- Can the procedures be appropriately implemented, as needed, by the workforce members responsible for the data restoration process?
- Do the procedures identify the personnel that perform data restoration?
2. FACILITY SECURITY PLAN (A) – § 164.310(a)(2)(ii)
The Facility Security Plan implementation specification documents the measures a covered entity uses to protect the facility or facilities. Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:
“Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.”

Facility security plans must document the use of physical access controls. These controls must ensure that only authorized individuals have access to facilities and equipment that contain EPHI. In general, physical access controls allow individuals with legitimate business needs to obtain access to the facility and deny access to those without such needs.

To establish the facility security plan, covered entities should review risk data on persons or workforce members that need access to facilities and equipment. Some common controls to prevent unauthorized physical access, tampering, and theft include:
- Locked doors, signs, cameras, alarms
- Property controls, such as tags on equipment
- Personnel controls, such as identification badges and/or escorts for large offices
- Private security service or patrol for the facility

In addition, all staff or employees must know their roles in facility security. Covered entities must review the plan periodically, especially when there are changes to the physical environment or information systems.

Sample questions for covered entities to consider:
- Are policies and procedures developed and implemented to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft?
- Do the policies and procedures identify the physical access controls in use, such as those listed above?
3. ACCESS CONTROL AND VALIDATION PROCEDURES (A) – § 164.310(a)(2)(iii)
The Facility Access Controls standard also includes the Access Control and Validation Procedures implementation specification. Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:
“Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.”

NOTE: The Security Rule requires that a covered entity document the rationale for all security decisions.

The purpose of this implementation specification is to specifically align a person’s access to information with his or her role or function in the organization. These functional or role-based access control and validation procedures should be closely aligned with the facility security plan. These procedures are the means by which a covered entity will actually determine the workforce members or persons that should have access to its facilities.

The controls implemented will depend on the covered entity’s environmental characteristics. For example, it is common practice to question a person’s identity by asking for proof of identity, such as a picture ID, before allowing access to a facility. In a large organization, because of the number of visitors and employees, this practice may be required for every visit. In a small doctor’s office, once someone’s identity has been verified it may not be necessary to check identification on every visit.

Sample questions for covered entities to consider:
- Are procedures developed and implemented to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision?
- Do the procedures identify the methods for controlling and validating an employee’s access to facilities, such as the use of identification badges, or entry devices such as key cards?
- Do the procedures also identify visitor controls, such as requiring them to sign in, wear visitor badges and be escorted by an authorized person?
- Do the procedures identify controls on access to software programs for testing and revision, in order to reduce errors?
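The paper describes role-based access control and validation procedures in policy terms. The following is an added example, not code from the CMS paper, showing what such a procedure looks like when it is actually enforced by a badge system: a badge holder's access to a zone is validated against their role or function, a visitor must be signed in, hold a visitor badge and be escorted by an authorized person whose own entitlement covers the zone, a badge belonging to a terminated workforce member is refused, and every decision is logged with its reason so the rationale is documented. The zone names, roles, entitlement table and sample badges are assumptions made for the example.

```python
"""Role-based validation of physical access with visitor controls and badge revocation.

Added example (not from the CMS paper). The zones, roles, entitlement table and
sample badges below are assumptions chosen to exercise each rule.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed entitlement table: which roles may enter which zone without an escort.
ZONE_ROLES = {
    "lobby": {"clinician", "admin", "it", "contractor"},
    "clinic_floor": {"clinician", "admin", "it"},
    "server_room": {"it"},
}
# Assumed: zones an escorted, signed-in visitor may enter. The server room never admits visitors.
VISITOR_ZONES = {"lobby", "clinic_floor"}


@dataclass
class Badge:
    badge_id: str
    holder: str
    role: str                              # job function, or "visitor" for a visitor badge
    active: bool = True                    # False once the holder is terminated or the badge is lost
    signed_in: bool = False                # visitor sign-in at the front desk
    escort_badge_id: Optional[str] = None  # the authorized person escorting a visitor


@dataclass
class AccessLog:
    entries: List[dict] = field(default_factory=list)

    def record(self, badge_id: str, zone: str, allowed: bool, reason: str) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "badge": badge_id, "zone": zone, "allowed": allowed, "reason": reason,
        })


def validate_access(badge: Badge, zone: str, badges: Dict[str, Badge], log: AccessLog) -> bool:
    """Decide whether this badge may enter this zone; every decision is logged with its reason."""
    def decide(allowed: bool, reason: str) -> bool:
        log.record(badge.badge_id, zone, allowed, reason)
        return allowed

    if zone not in ZONE_ROLES:
        return decide(False, "unknown zone")
    if not badge.active:
        return decide(False, "badge revoked")  # e.g. a terminated workforce member's badge
    if badge.role != "visitor":
        if badge.role in ZONE_ROLES[zone]:
            return decide(True, f"role {badge.role} entitled to {zone}")
        return decide(False, f"role {badge.role} not entitled to {zone}")

    # Visitor controls: sign-in, visitor badge (the role itself) and a valid escort.
    if not badge.signed_in:
        return decide(False, "visitor not signed in")
    if zone not in VISITOR_ZONES:
        return decide(False, "zone closed to visitors")
    escort = badges.get(badge.escort_badge_id or "")
    if escort is None or not escort.active or escort.role == "visitor":
        return decide(False, "no valid escort")
    if escort.role not in ZONE_ROLES[zone]:
        return decide(False, f"escort role {escort.role} not entitled to {zone}")
    return decide(True, f"visitor escorted by {escort.holder}")


def run_demo() -> dict:
    """Constructed badges exercising each rule; returns the decisions for checking."""
    badges = {
        "B100": Badge("B100", "Dr. Lee", "clinician"),
        "B200": Badge("B200", "M. Ortiz", "it"),
        "B300": Badge("B300", "J. Kim (terminated)", "it", active=False),
        "V001": Badge("V001", "Vendor rep", "visitor", signed_in=True, escort_badge_id="B100"),
        "V002": Badge("V002", "Walk-in", "visitor", signed_in=False, escort_badge_id="B100"),
        "V003": Badge("V003", "Auditor", "visitor", signed_in=True, escort_badge_id="B300"),
    }
    log = AccessLog()
    return {
        "it_to_server_room": validate_access(badges["B200"], "server_room", badges, log),
        "clinician_to_server_room": validate_access(badges["B100"], "server_room", badges, log),
        "terminated_it_to_server_room": validate_access(badges["B300"], "server_room", badges, log),
        "escorted_visitor_to_clinic": validate_access(badges["V001"], "clinic_floor", badges, log),
        "escorted_visitor_to_server_room": validate_access(badges["V001"], "server_room", badges, log),
        "unsigned_visitor_to_lobby": validate_access(badges["V002"], "lobby", badges, log),
        "visitor_with_revoked_escort": validate_access(badges["V003"], "lobby", badges, log),
        "decisions_logged": len(log.entries),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

The revoked-badge check is what ties this procedure to the Maintenance Records discussion later in the paper: deactivating a terminated member's badge is the electronic equivalent of re-keying a lock, and it should be logged the same way.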
4. MAINTENANCE RECORDS (A) – § 164.310(a)(2)(iv)
Covered entities may make many types of repairs and modifications to facility security components. The Maintenance Records implementation specification requires that covered entities document such repairs and changes. Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:
“Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).”

NOTE: Documentation of maintenance records may vary from a simple logbook to a comprehensive database.

In a small office, documentation may simply be a logbook that notes the date, reason for repair or modification and who authorized it. In a large organization, various repairs and modifications of physical security components may be documented in a comprehensive database.

In some covered entities the most frequent physical security changes may be re-keying door locks or changing the combination on a door when someone from the workforce has been terminated. Some facilities may use door locks that rely on a card or badge reader. Documentation of the repair, addition or removal of such readers should be maintained as well.

Sample questions for covered entities to consider:
- Are policies and procedures developed and implemented that specify how to document repairs and modifications to the physical components of a facility that are related to security?
- Do the policies and procedures identify which physical security components require documentation?
- Do the policies and procedures specify special circumstances when repairs or modifications to physical security components are required, such as when certain workforce members are terminated?
§ 164.310(b) Workstation Use
The next standard in the Physical Safeguards is Workstation Use. A workstation is defined in the rule as “an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.”

NOTE: At a minimum, the safeguards required for office workstations should also be applied to workstations at any other location from which EPHI is accessed.

The Workstation Use standard requires covered entities to specify the proper functions to be performed by electronic computing devices. Inappropriate use of computer workstations can expose a covered entity to risks, such as virus attacks, compromise of information systems, and breaches of confidentiality. This standard has no implementation specifications, but like all standards must be implemented. The Workstation Use standard requires covered entities to:
“Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”

Many covered entities may have existing policies and procedures that address appropriate business use of workstations. In these cases, it may be possible for them to update existing documentation to address security issues. Covered entities must assess their physical surroundings to ensure that any risks associated with a workstation’s surroundings are addressed.

The Workstation Use standard also applies to covered entities with workforce members that work off site using workstations that can access EPHI. This includes employees who work from home, in satellite offices, or in another facility. Workstation policies and procedures must specify the proper functions to be performed at these workstations as well. Some common practices that may already be in place include logging off before leaving a workstation unattended.

NOTE: For more information about Risk Analysis, see the paper in this series titled “Basics of Risk Analysis and Risk Management.”

Sample questions for covered entities to consider:
- Are policies and procedures developed and implemented that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of workstations that can access EPHI?
- Do the policies and procedures identify which workstations can access EPHI and which cannot?
- Do the policies and procedures specify the use of additional security measures to protect workstations with EPHI, such as using privacy screens, password-protected screen savers or logging off the workstation?
- Do the policies and procedures address workstation use for users that access EPHI from home or other off-site locations?
§ 164.310(c) Workstation Security
Like Workstation Use, Workstation Security is a standard with no implementation specifications. The Workstation Security standard requires that covered entities:
“Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”

While the Workstation Use standard addresses the policies and procedures for how workstations should be used and protected, the Workstation Security standard addresses how workstations are to be physically protected from unauthorized users.

Covered entities may implement a variety of strategies to restrict access to workstations with EPHI. One way may be to completely restrict physical access to workstations by placing them in a secure room where only authorized personnel work.

As with all standards and implementation specifications, what is reasonable and appropriate for one covered entity may not apply to another. The risk analysis should guide the decision-making process.

Sample questions for covered entities to consider:
- Are physical safeguards implemented for all workstations that access EPHI, to restrict access to authorized users?
- Do the physical safeguards cover all types of workstations that access EPHI, such as laptops, desktop computers, and personal digital assistants (PDAs)?
- Are current physical safeguards used to protect workstations with EPHI effective?
- Are the physical safeguards used to protect workstations that access EPHI documented in the Workstation Use policies and procedures?
Device and Media Controls
STANDARD § 164.310(d)(1)
The Device and Media Controls standard requires covered entities to:
“Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”
As referenced here, the term “electronic media” means, “electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card…” This standard covers the proper handling of electronic media including receipt, removal, backup, storage, reuse, disposal and accountability.

Sample questions for covered entities to consider:
- Are policies and procedures developed and implemented that govern the receipt and removal of hardware and electronic media that contain EPHI, into and out of a facility, and the movement of these items within the facility?
- Do the policies and procedures identify the types of hardware and electronic media that must be tracked?
- Have all types of hardware and electronic media that must be tracked been identified, such as hard drives, magnetic tapes or disks, optical disks and digital memory cards?

The Device and Media Controls standard has four implementation specifications:
1. Disposal (Required)
2. Media Re-Use (Required)
3. Accountability (Addressable)
4. Data Backup and Storage (Addressable)
1. DISPOSAL (R) – § 164.310(d)(2)(i)
This implementation specification requires covered entities to:
“Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”
When covered entities dispose of any electronic media that contains EPHI they should make sure it is unusable and/or inaccessible. One way to dispose of electronic media is by degaussing. Degaussing is a method whereby a strong magnetic field is applied to magnetic media to fully erase the data. Note that degaussing only affects magnetic media; it does not erase flash memory such as digital memory cards or solid-state drives, nor optical disks, which need a different method. If a covered entity does not have access to degaussing equipment, another method must be used to make the electronic media unusable and inaccessible.

Sample questions for covered entities to consider:
- Are policies and procedures developed and implemented that address disposal of EPHI and the hardware or electronic media on which it is stored?
- Do the policies and procedures specify the process for making EPHI, and/or the hardware or electronic media, unusable and inaccessible?
- Do the policies and procedures specify the use of a technology, such as software or a specialized piece of hardware, to make EPHI, and/or the hardware or electronic media, unusable and inaccessible?
2. MEDIA RE-USE (R) – § 164.310(d)(2)(ii)
Instead of disposing of electronic media, covered entities may want to re-use it. Before doing so, covered entities must:
“Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.”
In addition to appropriate disposal, covered entities must appropriately reuse electronic media, whether for internal or external use. Internal re-use may include re-deployment of PCs or sharing floppy disks. External re-use may include donation of electronic media to charity organizations.

Sample questions for covered entities to consider:
- Are procedures developed and implemented to remove EPHI from electronic media before the media are made available for re-use?
- Do the procedures specify situations when all EPHI must be permanently deleted?
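The Disposal sample questions above mention using software to make EPHI on media unusable and inaccessible, and the Media Re-Use specification requires removal of EPHI before media is reused. The following is an added example, not code from the CMS paper, of an overwrite-and-verify routine serving both: every byte of the media is overwritten in several passes, the media is read back to confirm that no sample record remains and that the final pass pattern covers it throughout, and the evidence is returned for the disposal or re-use record. The pass sequence, chunk size and the constructed sample record are assumptions. It runs on a temporary image file; pointed at a real drive's device node the same routine still would not reach sectors the drive has remapped or flash blocks hidden by wear levelling, so device-level sanitize commands or physical destruction remain necessary for those cases.

```python
"""Overwrite-and-verify sanitization of a media image before disposal or re-use.

Added example (not from the CMS paper). Pass sequence, chunk size and the sample
record are assumptions; the sample record is constructed and is not real EPHI.
"""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # assumed I/O chunk size

# Constructed sample record standing in for EPHI.
SAMPLE_EPHI = b"MRN 000123 | DOE, JANE | DOB 1970-01-01 | DX sample record\n"


def make_sample_media(path, size=256 * 1024):
    """Write a constructed media image with the sample record scattered through it."""
    with open(path, "wb") as fh:
        written = 0
        while written < size:
            block = os.urandom(4096 - len(SAMPLE_EPHI)) + SAMPLE_EPHI
            fh.write(block[: size - written])
            written += len(block)


def sha256_of(path):
    """Hash the whole image in chunks (evidence of what the media held)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for buf in iter(lambda: fh.read(CHUNK), b""):
            h.update(buf)
    return h.hexdigest()


def overwrite_media(path, passes):
    """Overwrite every byte once per pass (None = random bytes); fsync so each pass
    reaches the media before the next starts. Returns the media size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def contains_marker(path, marker):
    """Read the media back and look for residual plaintext, including across chunk edges."""
    carry = b""
    with open(path, "rb") as fh:
        for buf in iter(lambda: fh.read(CHUNK), b""):
            if marker in carry + buf:
                return True
            carry = buf[-(len(marker) - 1):]
    return False


def all_bytes_equal(path, pattern):
    """Confirm the final fixed pass covered every byte of the media."""
    with open(path, "rb") as fh:
        for buf in iter(lambda: fh.read(CHUNK), b""):
            if buf != pattern * len(buf):
                return False
    return True


def sanitize_and_certify(path, marker=SAMPLE_EPHI):
    """Sanitize the image and return what a disposal or re-use record should capture."""
    passes = (b"\x00", None, b"\xff")  # assumed sequence; the last pass is fixed so it can be verified
    record = {
        "size_bytes": os.path.getsize(path),
        "sha256_before": sha256_of(path),
        "marker_present_before": contains_marker(path, marker),
    }
    overwrite_media(path, passes)
    record["passes"] = len(passes)
    record["marker_present_after"] = contains_marker(path, marker)
    record["final_pass_verified"] = all_bytes_equal(path, passes[-1])
    record["sha256_after"] = sha256_of(path)
    record["sanitized"] = record["final_pass_verified"] and not record["marker_present_after"]
    return record


def run_demo():
    """Build a throwaway image, sanitize it, remove it, and return the record."""
    fd, path = tempfile.mkstemp(prefix="media-image-")
    os.close(fd)
    try:
        make_sample_media(path)
        return sanitize_and_certify(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The read-back step is the part most disposal procedures omit: a write that never reached the media (caching, a failed sector) leaves the record claiming sanitization that did not happen, and only the verification catches it.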
The following two implementation specifications are addressable.
3. ACCOUNTABILITY (A) – § 164.310(d)(2)(iii)
Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:
“Maintain a record of the movements of hardware and electronic media and any person responsible therefore.”
Since this is an addressable specification, each covered entity must determine if and how it should be implemented for their organization. If a covered entity’s hardware and media containing EPHI are moved from one location to another, a record should be maintained as documentation of the move.

Portable workstations and media present a special accountability challenge. Portable technology is getting smaller, less expensive, and has an increased capacity to store large quantities of data. As a result, it is becoming more prevalent in the health care environment, and keeping track of it is becoming more difficult and challenging.

Sample questions for covered entities to consider:
- Is a process implemented for maintaining a record of the movements of, and person(s) responsible for, hardware and electronic media containing EPHI?
- Have all types of hardware and electronic media that must be tracked been identified?
- If there are multiple devices of the same type, is there a way to identify individual devices and log or record their movements?
4. DATA BACKUP AND STORAGE (A) – § 164.310(d)(2)(iv)
Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:
“Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.”
This specification protects the availability of EPHI and is similar to the Data Backup Plan implementation specification for the contingency plan standard of the Administrative Safeguards, which requires covered entities to implement procedures to create and maintain retrievable exact copies of EPHI. Therefore both implementation specifications may be included in the same policies and procedures. A covered entity may choose to back up a hard drive before moving it, to prevent loss of EPHI when the existing data backup plan does not provide for local hard drive backups. Another option may be to limit where computer users store their files. For example, larger organizations may implement policies that require users to save all information on the network, thus eliminating the need for a hard drive backup prior to the move. Either of these options, and others, may be considered reasonable and appropriate.

Sample questions for covered entities to consider:
- Is a process implemented for creating a retrievable, exact copy of EPHI, when needed, before movement of equipment?
- Does the process identify situations when creating a retrievable, exact copy of EPHI is required and situations when it is not, before movement of equipment?
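The Accountability and Data Backup and Storage specifications above both concern what must happen when hardware or media containing EPHI is moved. The following is an added example, not code from the CMS paper, of a movement record that serves both at once: each device is identified by serial number so that several devices of the same model stay distinguishable (the last Accountability sample question), each entry carries the hash of the entry before it so later alteration of the record is detectable, and a move is refused until an exact copy of the device's contents has been verified against the source. The field names, the hash chaining and the in-memory sample data are assumptions.

```python
"""Movement record for hardware and media containing EPHI, requiring a verified
exact copy before any move.

Added example (not from the CMS paper). Field names, hash chaining and the
sample device contents are assumptions; the contents are constructed, not real EPHI.
"""
import hashlib
import json
from datetime import datetime, timezone


class MediaCustodyLog:
    def __init__(self):
        self.entries = []

    def _append(self, event):
        """Append an entry chained to the previous one by SHA-256; returns the entry hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        event = dict(event, prev_hash=prev)
        body = json.dumps(event, sort_keys=True).encode()
        event["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(event)
        return event["entry_hash"]

    def record_backup(self, serial, data, copy, person, when=None):
        """Log a verified exact copy of the device contents; a copy that differs is refused."""
        if hashlib.sha256(copy).digest() != hashlib.sha256(data).digest():
            raise ValueError(f"{serial}: copy does not match source, not a retrievable exact copy")
        return self._append({
            "event": "backup_verified", "serial": serial,
            "sha256": hashlib.sha256(data).hexdigest(), "bytes": len(data),
            "person": person, "time": when or datetime.now(timezone.utc).isoformat(),
        })

    def has_verified_backup(self, serial):
        """True if a verified backup of this device was logged after its last move."""
        for entry in reversed(self.entries):
            if entry["serial"] != serial:
                continue
            if entry["event"] == "backup_verified":
                return True
            if entry["event"] == "moved":
                return False
        return False

    def record_move(self, serial, model, from_loc, to_loc, person, when=None):
        """Log a movement and the person responsible; requires a backup since the last move."""
        if not self.has_verified_backup(serial):
            raise RuntimeError(f"{serial}: no verified backup since last move, refusing to log move")
        return self._append({
            "event": "moved", "serial": serial, "model": model,
            "from": from_loc, "to": to_loc, "person": person,
            "time": when or datetime.now(timezone.utc).isoformat(),
        })

    def history(self, serial):
        return [e for e in self.entries if e["serial"] == serial]

    def verify_chain(self):
        """Recompute every hash; False if any entry was altered, inserted or removed."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def run_demo():
    """Two laptops of the same model: one moved after a verified backup, one refused;
    a bad copy rejected; then tampering with the record detected."""
    log = MediaCustodyLog()
    disk_a = b"constructed EPHI image for laptop A"   # constructed sample contents
    disk_b = b"constructed EPHI image for laptop B"
    results = {}
    log.record_backup("SN-A-0001", disk_a, bytes(disk_a), "j.smith", "2005-04-01T09:00:00+00:00")
    log.record_move("SN-A-0001", "Laptop model X", "Clinic 2", "Data center", "j.smith",
                    "2005-04-01T09:30:00+00:00")
    results["a_moved_to"] = log.history("SN-A-0001")[-1]["to"]
    try:
        log.record_move("SN-B-0001", "Laptop model X", "Clinic 2", "Data center", "j.smith")
        results["b_move_refused"] = False
    except RuntimeError:
        results["b_move_refused"] = True
    try:
        log.record_backup("SN-B-0001", disk_b, disk_b[:-1], "j.smith")
        results["bad_copy_rejected"] = False
    except ValueError:
        results["bad_copy_rejected"] = True
    try:
        log.record_move("SN-A-0001", "Laptop model X", "Data center", "Clinic 2", "j.smith")
        results["second_move_refused"] = False
    except RuntimeError:
        results["second_move_refused"] = True
    results["chain_ok_before_tamper"] = log.verify_chain()
    log.entries[1]["person"] = "someone.else"  # forge the responsible person after the fact
    results["chain_ok_after_tamper"] = log.verify_chain()
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

A persisted version of this log would write each entry to append-only storage and periodically anchor the latest entry hash somewhere the people who can edit the log cannot reach; the in-memory chain shows the check, not the storage.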
In Summary
The Security Rule’s Physical Safeguards are the physical measures, policies and procedures to protect electronic information systems, buildings and equipment. Successfully implemented, these standards and implementation specifications should help protect covered entities’ EPHI from natural and environmental hazards and unauthorized intrusion.

NOTE: Visit the CMS website often at www.cms.hhs.gov under “Regulations and Guidance” for the latest information. Visit the Office for Civil Rights website, http://www.hhs.gov/oc

Resources
The remaining papers in this series will address other specific topics related to the Security Rule. The next paper in this series covers the Security Rule’s Technical Safeguards. The Technical Safeguards are the technology and the policy and procedures for its use that protect EPHI and control access to it.

Covered entities should periodically check the CMS website at www.cms.hhs.gov under “Regulations and Guidance” for additional information and resources as they work through the security implementation process. There are many other sources of information available on the Internet. While CMS does not endorse guidance provided by other organizations, covered entities may also want to check with other local and national professional organizations.
Security Standards Matrix
(R) = Required, (A) = Addressable

ADMINISTRATIVE SAFEGUARDS
Standard | Section | Implementation Specifications
Security Management Process | 164.308(a)(1) | Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
Assigned Security Responsibility | 164.308(a)(2) | (none)
Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A); Workforce Clearance Procedures (A); Termination Procedures (A)
Information Access Management | 164.308(a)(4) | Isolating Health Care Clearinghouse Functions (R); Access Authorization (A); Access Establishment and Modification (A)
Security Awareness and Training | 164.308(a)(5) | Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R)
Contingency Plan | 164.308(a)(7) | Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
Evaluation | 164.308(a)(8) | (none)
Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement (R)

PHYSICAL SAFEGUARDS
Standard | Section | Implementation Specifications
Facility Access Controls | 164.310(a)(1) | Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
Workstation Use | 164.310(b) | (none)
Workstation Security | 164.310(c) | (none)
Device and Media Controls | 164.310(d)(1) | Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

TECHNICAL SAFEGUARDS
Standard | Section | Implementation Specifications
Access Control | 164.312(a)(1) | Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
Audit Controls | 164.312(b) | (none)
Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A)
Person or Entity Authentication | 164.312(d) | (none)
Transmission Security | 164.312(e)(1) | Integrity Controls (A); Encryption (A)

ORGANIZATIONAL REQUIREMENTS
Standard | Section | Implementation Specifications
Business Associate Contracts or Other Arrangements | 164.314(a)(1) | Business Associate Contracts (R); Other Arrangements (R)
Requirements for Group Health Plans | 164.314(b)(1) | Implementation Specifications (R)

POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS
Standard | Section | Implementation Specifications
Policies and Procedures | 164.316(a) | (none)
Documentation | 164.316(b)(1) | Time Limit (R); Availability (R); Updates (R)