Health Care and Life Sciences

    Topic, Physical Security in healthcare facilities. Please find a couple of examples where hospitals/offices were at risk due to lack of adequate physical security measures and discuss what should other facilities learn from those events–for example, abducted babies, staff attacked, shootings, etc. Add links so others can get the details before commenting on your posts.


    What is the Security Series?

    The security series of papers will provide guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule titled “Security Standards for the Protection of Electronic Protected Health Information,” found at 45 CFR Part 160 and Part 164, Subparts A and C. This rule, commonly known as the Security Rule, was adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The series will contain seven papers, each focused on a specific topic related to the Security Rule. The papers, which cover the topics listed to the left, are designed to give HIPAA covered entities insight into the Security Rule, and assistance with implementation of the security standards. This series aims to explain specific requirements, the thought process behind those requirements, and possible ways to address the provisions.

     

    CMS recommends that covered entities read the first paper in this series, “Security 101 for Covered Entities” before reading the other papers. The first paper clarifies important Security Rule concepts that will help covered entities as they plan for implementation. This third paper in the series is devoted to the standards for Physical Safeguards and their implementation specifications and assumes the reader has a basic understanding of the Security Rule.

     

    Background

    An important step in protecting electronic protected health information (EPHI) is to implement reasonable and appropriate physical safeguards for information systems and related equipment and facilities. The Physical Safeguards standards in the Security Rule were developed to accomplish this purpose. As with all the standards in this rule, compliance with the Physical Safeguards standards will require an evaluation of the security controls already in place, an accurate and thorough risk analysis, and a series of documented solutions derived from a number of factors unique to each covered entity.

    3 Security Standards: Physical Safeguards

    Compliance Deadlines: No later than April 20, 2005 for all covered entities except small health plans, which have until no later than April 20, 2006.

    NOTE: To download the first paper in this series, “Security 101 for Covered Entities,” visit the CMS website at: www.cms.hhs.gov/SecurityStandard/ under the “Regulation” page.

    NOTE: A matrix of all of the Security Rule Standards and Implementation Specifications is included at the end of this paper.

     

    The objectives of this paper are to:

    • Review each Physical Safeguard standard and implementation specification listed in the Security Rule.
    • Discuss physical vulnerabilities and provide examples of physical controls that may be implemented in a covered entity’s environment.
    • Provide sample questions that covered entities may want to consider when implementing the Physical Safeguards.

    What are physical safeguards?

    The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.” The standards are another line of defense (adding to the Security Rule’s administrative and technical safeguards) for protecting EPHI.

    When evaluating and implementing these standards, a covered entity must consider all physical access to EPHI. This may extend outside of an actual office, and could include workforce members’ homes or other physical locations where they access EPHI.

    Facility Access Controls – § 164.310(a)(1)

    The first standard under the Physical Safeguards section is Facility Access Control. It requires covered entities to:

    “Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

    NOTE: Facility access controls implementation specifications are addressable. This means that each covered entity must determine if and how they should be implemented for its organization.

    NOTE: For a more detailed discussion of “addressable” and “required” implementation specifications, see the first paper in this series, “Security 101 for Covered Entities.”

     

    Sample questions for covered entities to consider:

    • Are policies and procedures developed and implemented that address allowing authorized and limiting unauthorized physical access to electronic information systems and the facility or facilities in which they are housed?
    • Do the policies and procedures identify individuals (workforce members, business associates, contractors, etc.) with authorized access by title and/or job function?
    • Do the policies and procedures specify the methods used to control physical access, such as door locks and electronic access controls?
     
    The Facility Access Controls standard has four implementation specifications:

    1. Contingency Operations (Addressable)
    2. Facility Security Plan (Addressable)
    3. Access Control and Validation Procedures (Addressable)
    4. Maintenance Records (Addressable)

    1. CONTINGENCY OPERATIONS (A) – § 164.310(a)(2)(i)

    The Contingency Operations implementation specification addresses the security measures entities establish in the event their contingency plans and emergency mode operations plans are active. Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:

    “Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.”
    Facility access controls during contingency operations will vary significantly from entity to entity. For example, a large covered entity may need to post guards at entrances to the facility or have escorts for individuals authorized to access the facility for data restoration purposes. Smaller operations may need less elaborate procedures.

     

     

    Sample questions for covered entities to consider:

    • Are procedures developed to allow facility access while restoring lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency?
    • Can the procedures be appropriately implemented, as needed, by the workforce members responsible for the data restoration process?
    • Do the procedures identify personnel that perform data restoration?
     

    2. FACILITY SECURITY PLAN (A) – § 164.310(a)(2)(ii)

    The Facility Security Plan implementation specification addresses the physical safeguards a covered entity uses to protect the facility or facilities. Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:

    “Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.”

    Facility security plans must document the use of physical access controls. These controls must ensure that only authorized individuals have access to facilities and equipment that contain EPHI. In general, physical access controls allow individuals with legitimate business needs to obtain access to the facility and deny access to those without a legitimate business need.

    To establish the facility security plan, covered entities should review risk data on persons or workforce members that need access to facilities and equipment. Some common controls to prevent unauthorized physical access, tampering, and theft include:

    • Locked doors, signs, cameras, alarms
    • Property controls for equipment
    • Personnel controls such as identification badges and/or escorts for large offices
    • Private security service or patrol for the facility

    In addition, all staff or employees must know their roles in facility security. Covered entities must review the plan periodically, especially when there are changes to the physical environment or information systems.

    Sample questions for covered entities to consider:

    • Are policies and procedures developed and implemented to safeguard the facility and equipment from unauthorized physical access, tampering, and theft?
    • Do the policies and procedures identify physical access controls, such as those in the common controls bullets above?
    3. ACCESS CONTROL AND VALIDATION PROCEDURES (A) – § 164.310(a)(2)(iii)

    The Facility Access Controls standard also includes the Access Control and Validation Procedures implementation specification. Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:

    “Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.”

    NOTE: The Security Rule requires that a covered entity document the rationale for all security decisions.

    The purpose of this implementation specification is to specifically align a person’s access to information with his or her role or function in the organization. These functional or role-based access control and validation procedures should be closely aligned with the facility security plan. These procedures are the means by which a covered entity will actually determine the workforce members or persons that should have access.

    The controls implemented will depend on the covered entity’s environmental characteristics. For example, it is common practice to question a person’s identity by asking for proof of identity, such as a picture ID, before allowing access to a facility. In a large organization, because of the number of visitors and employees, this practice may be required for every visit. In a small doctor’s office, once someone’s identity has been verified it may not be necessary to check identification on every visit.

     

     

    Sample questions for covered entities to consider:

    • Are procedures developed and implemented to control and validate a person’s access to facilities based on their role or function, including visitor control?
    • Do the procedures identify the methods for controlling and validating an employee’s access to facilities, such as the use of badges, or entry devices such as key cards?
    • Do the procedures also identify visitor controls, such as requiring them to sign in, wear visitor badges and be escorted by an authorized person?
    • Do the procedures identify controls on access to software programs for testing and revision, in order to reduce errors?

    4. MAINTENANCE RECORDS (A) – § 164.310(a)(2)(iv)

    Covered entities may make many types of facility security repairs and modifications. The Maintenance Records implementation specification requires that covered entities document such repairs and changes. Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:

    “Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).”

    NOTE: Documentation of maintenance records may vary from a simple logbook to a comprehensive database.

    In a small office, documentation may simply be a logbook that notes the date, reason for repair or modification and who authorized it. In a large organization, various repairs and modifications of physical security components may be documented in a comprehensive database.

    In some covered entities the most frequent physical security changes may be re-keying door locks or changing the combination on a door, when someone from the workforce has been terminated. Some facilities may use door locks that rely on a card or badge reader. Documentation on the repair and addition of such locks is needed as well.

    Sample questions for covered entities to consider:

    • Are policies and procedures developed and implemented that specify how to document repairs and modifications to the physical components of a facility which are related to security?
    • Do the policies and procedures specify which repairs or modifications require documentation?
    • Do the policies and procedures specify special circumstances when repairs or modifications to physical security components are required, such as when certain workforce members are terminated?

     

     
    Workstation Use – § 164.310(b)

    The next standard in the Physical Safeguards is Workstation Use. A workstation is defined in the rule as “an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment.”

    NOTE: The Workstation Use and Workstation Security standards have no implementation specifications, but like all standards must be implemented.

    NOTE: At a minimum, the safeguards required for office workstations must also be applied to workstations used off site.

    The Workstation Use standard requires covered entities to specify the proper functions to be performed by electronic computing devices. Inappropriate use of computer workstations can expose a covered entity to risks, such as virus attacks, compromise of information systems, and breaches of confidentiality. This standard has no implementation specifications, but like all standards must be implemented. For this standard, covered entities must:

    “Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”

    Many covered entities may have existing policies and procedures that address appropriate business use of workstations. In these cases, it may be possible for them to update existing documentation to address security issues. Covered entities must assess their physical surroundings to ensure that any risks associated with a workstation’s surroundings are addressed.

    The Workstation Use standard also applies to covered entities with workforce members that work off site using workstations that can access EPHI. This includes employees who work from home, in satellite offices, or in another facility. Workstation policies and procedures must specify the proper functions to be performed at those workstations as well.

    Some common practices that may already be in place include logging off before leaving a workstation unattended.

    Sample questions for covered entities to consider:

    • Are policies and procedures developed and implemented that specify the proper functions to be performed, the manner in which those functions are to be performed and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI?
    • Do the policies and procedures specify the use of additional security measures to protect workstations with EPHI, such as using privacy screens, password protected screen savers or logging off the workstation?
    • Do the policies and procedures address workstation use for users that access EPHI from off-site locations?

    NOTE: For more information about Risk Analysis, see the paper in this series, “Basics of Risk Analysis and Risk Management.”

     

     

    Workstation Security – § 164.310(c)

    Like Workstation Use, Workstation Security is a standard with no implementation specifications. The Workstation Security standard requires that covered entities:

    “Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”

    While the Workstation Use standard addresses the policies and procedures for how workstations should be used and protected, the Workstation Security standard addresses how workstations are to be physically protected from unauthorized users.

    Covered entities may implement a variety of strategies to restrict access to workstations with EPHI. One way may be to completely restrict physical access to the workstation by placing it in a secure room where only authorized personnel work. As with all standards and implementation specifications, what is reasonable and appropriate for one covered entity may not apply to another. The risk analysis should guide the decision-making process.

    Sample questions for covered entities to consider:

    • Are physical safeguards implemented for all workstations that access EPHI to restrict access to authorized users?
    • Do the physical safeguards cover all types of workstations that access EPHI, such as laptops, desktop computers, personal digital assistants (PDAs)?
    • Are current physical safeguards used to protect workstations with EPHI effective?
    • Are the physical safeguards used to protect workstations that access EPHI documented in the Workstation Use policies and procedures?

     

     

     

     

    Device and Media Controls – § 164.310(d)(1)

    The Device and Media Controls standard requires covered entities to:

    “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”

    As referenced here, the term “electronic media” means, “electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card…” This standard covers the proper handling of electronic media including receipt, removal, backup, storage, reuse, disposal and accountability.

    Sample questions for covered entities to consider:

    • Are policies and procedures developed and implemented that govern the receipt and removal of hardware and electronic media that contain EPHI, into and out of a facility, and the movement of these items within the facility?
    • Do the policies and procedures identify the types of hardware and electronic media that must be tracked?
    • Have all types of hardware and electronic media that must be tracked been identified?

    The Device and Media Controls standard has four implementation specifications:

    1. Disposal (Required)
    2. Media Re-Use (Required)
    3. Accountability (Addressable)
    4. Data Backup and Storage (Addressable)

     

     

    1. DISPOSAL (R) – § 164.310(d)(2)(i)

    The Disposal implementation specification requires covered entities to:

    “Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”

    When covered entities dispose of any electronic media that contains EPHI they should make sure it is unusable and/or inaccessible. One way to dispose of electronic media is by degaussing. Degaussing is a method whereby a strong magnetic field is applied to magnetic media to fully erase the data. If a covered entity does not have access to degaussing equipment, another way to dispose of the electronic media must be used.

    Sample questions for covered entities to consider:

    • Are policies and procedures developed and implemented that address disposal of EPHI and/or the hardware or electronic media on which it is stored?
    • Do the policies and procedures specify the process for making EPHI, and/or the hardware or electronic media, unusable and inaccessible?
    • Do the policies and procedures specify the use of a technology, such as software or a specialized piece of hardware, to make EPHI, and/or the hardware or electronic media, unusable and inaccessible?

     

     

    2. MEDIA RE-USE (R) – § 164.310(d)(2)(ii)

    Instead of disposing of electronic media, covered entities may choose to reuse it. Covered entities must:

    “Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.”

    In addition to appropriate disposal, covered entities must appropriately reuse electronic media, whether for internal or external use. Internal re-use may include re-deployment of PCs or sharing floppy disks. External re-use may include donation of electronic media to charity organizations.

    Sample questions for covered entities to consider:

    • Are procedures developed and implemented for removal of EPHI from electronic media before the media are made available for re-use?
    • Do the procedures specify situations when all EPHI must be permanently deleted or situations when that is not required?

    The following two implementation specifications are addressable.

     
    3. ACCOUNTABILITY (A) – § 164.310(d)(2)(iii)

    Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:

    “Maintain a record of the movements of hardware and electronic media and any person responsible therefore.”

    Since this is an addressable specification, each covered entity must determine if and how it should be implemented for their organization. If a covered entity’s hardware and media containing EPHI are moved from one location to another, a record should be maintained as documentation of the move.

    Portable workstations and media present a special accountability challenge. Portable technology is getting smaller, less expensive, and has an increased capacity to store large quantities of data. As a result, it is becoming more prevalent in the health care industry, and accounting for it is becoming more difficult and challenging.

    Sample questions for covered entities to consider:

    • Is a process implemented for maintaining a record of the movements of, and person(s) responsible for, hardware and electronic media containing EPHI?
    • Have all types of hardware and electronic media that must be tracked been identified?
    • If there are multiple devices of the same type, is there a way to identify individual devices and log or record their movements?
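    The record the Accountability questions ask about can be kept as a small custody ledger. The Python script below is an added example written for this page, not code from the CMS paper or from any CMS tool; the `CustodyLedger` class, the asset tags (LT-0001, LT-0002), the names and the locations are all constructed for the illustration. It identifies each device by a unique tag so that several devices of one type stay distinguishable, refuses a move that names no responsible person, and refuses a move that does not start from the device’s last recorded location, which is how a ledger surfaces an undocumented move.

```python
"""Custody ledger for hardware and electronic media that contain EPHI.

Added example for this page (not from the CMS paper). Keeps the record of
movements of hardware and electronic media and the person responsible for
each move that the Accountability specification describes. All asset tags,
names and locations are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Move:
    asset_tag: str      # unique tag, so devices of the same type stay distinguishable
    device_type: str    # e.g. "laptop", "backup tape"
    from_location: str
    to_location: str
    responsible: str    # person accountable for the move
    timestamp: str      # ISO-8601 in UTC


class CustodyLedger:
    """Append-only record of device movements with consistency checks."""

    def __init__(self) -> None:
        self._moves: list[Move] = []
        self._location: dict[str, str] = {}   # asset_tag -> last recorded location

    def register(self, asset_tag: str, location: str) -> None:
        """Record where a device is first received into the facility."""
        if asset_tag in self._location:
            raise ValueError(f"{asset_tag} is already registered")
        self._location[asset_tag] = location

    def record_move(self, asset_tag: str, device_type: str, from_location: str,
                    to_location: str, responsible: str,
                    when: datetime | None = None) -> Move:
        """Append a move; reject entries that would leave the record inconsistent."""
        if not responsible.strip():
            raise ValueError("every move must name a responsible person")
        if asset_tag not in self._location:
            raise ValueError(f"{asset_tag} is not a tracked asset")
        last = self._location[asset_tag]
        if last != from_location:
            # The device is not where the ledger last saw it: an undocumented
            # move happened, so this entry is refused and must be investigated.
            raise ValueError(f"{asset_tag} was last recorded at {last!r}, not {from_location!r}")
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        move = Move(asset_tag, device_type, from_location, to_location, responsible, stamp)
        self._moves.append(move)
        self._location[asset_tag] = to_location
        return move

    def current_location(self, asset_tag: str) -> str:
        return self._location[asset_tag]

    def history(self, asset_tag: str) -> list[Move]:
        return [m for m in self._moves if m.asset_tag == asset_tag]

    def custodian_of(self, asset_tag: str) -> str | None:
        """Person responsible for the most recent move, or None if never moved."""
        moves = self.history(asset_tag)
        return moves[-1].responsible if moves else None

    def off_site(self, facility_locations: set[str]) -> list[str]:
        """Asset tags whose last recorded location is outside the facility."""
        return sorted(t for t, loc in self._location.items() if loc not in facility_locations)


def demo_ledger() -> CustodyLedger:
    """Two laptops of the same model, told apart only by asset tag (constructed data)."""
    ledger = CustodyLedger()
    ledger.register("LT-0001", "Records Room")
    ledger.register("LT-0002", "Records Room")
    ledger.record_move("LT-0001", "laptop", "Records Room", "Home office (J. Doe)", "J. Doe",
                       when=datetime(2024, 1, 8, 9, 30, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    ledger = demo_ledger()
    print("LT-0001 is at:", ledger.current_location("LT-0001"),
          "custodian:", ledger.custodian_of("LT-0001"))
    print("off site:", ledger.off_site({"Records Room", "Server Room"}))
    try:
        # This entry claims LT-0002 left the Server Room, but the ledger never saw it there.
        ledger.record_move("LT-0002", "laptop", "Server Room", "Clinic B", "A. Smith")
    except ValueError as err:
        print("rejected:", err)
```

    The `off_site` query is the part a periodic review would use: it lists every tracked device whose last recorded location is outside the facility, which is exactly the portable equipment the paper singles out as the hardest to account for.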

     

     

     

    4. DATA BACKUP AND STORAGE (A) – § 164.310(d)(2)(iv)

    Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:

    “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.”

    This specification protects the availability of EPHI and is similar to the Data Backup Plan implementation specification for the contingency plan standard of the Administrative Safeguards, which requires covered entities to implement procedures to create and maintain retrievable exact copies of EPHI. Therefore both implementation specifications may be included in the same policies and procedures. A covered entity may choose to back up a hard drive before moving it to prevent loss of EPHI when the existing data backup plan does not provide for local hard drive backups. Another option may be to limit where computer users store their files. For example, larger organizations may implement policies that require users to save all information on the network, thus eliminating the need for a hard drive backup prior to the move. Either of these options, and others, may be considered reasonable and appropriate.

    Sample questions for covered entities to consider:

    • Is a process implemented for creating a retrievable, exact copy of EPHI, when needed, before movement of equipment?
    • Does the process identify situations when creating a retrievable, exact copy of EPHI is required and situations when it is not required before movement of equipment?
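    “Retrievable, exact copy” is something a script can check rather than assume. The Python below is an added example written for this page, not code from the CMS paper: it copies a directory tree, records a SHA-256 digest of every source file in a manifest, then re-reads the copy and compares digests, so a copy that is incomplete or was altered in storage is caught before the equipment is moved. The directory and file names, the file contents and the `MANIFEST.json` name are constructed sample data chosen for the illustration.

```python
"""Create and verify a retrievable, exact copy of files before equipment moves.

Added example for this page (not from the CMS paper). The copy is made with
shutil, a manifest of SHA-256 digests is computed from the SOURCE files, and
verification re-reads the copy and compares every digest, so an incomplete or
altered copy is detected. File names and contents are constructed sample data
written to a temporary directory so the script runs offline.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"   # name chosen for this example


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_tree(src: Path, dst: Path) -> dict[str, str]:
    """Copy every file under src into dst; return {relative path: sha256 of the source}.

    Hashing the source rather than the copy means verification later compares
    the copy against what the original contained at backup time.
    """
    manifest: dict[str, str] = {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = f.relative_to(src).as_posix()
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)             # copy2 also preserves timestamps
        manifest[rel] = sha256_of(f)
    (dst / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dst: Path) -> list[str]:
    """Re-read the copy and return the relative paths that are missing or differ.

    An empty list means the copy is exact and retrievable.
    """
    manifest = json.loads((dst / MANIFEST_NAME).read_text())
    problems: list[str] = []
    for rel, expected in manifest.items():
        copy = dst / rel
        if not copy.is_file() or sha256_of(copy) != expected:
            problems.append(rel)
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Back up constructed sample files, verify, alter one copied file, verify again.

    Returns (problems before tampering, problems after tampering).
    """
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "workstation", Path(tmp) / "backup"
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "visit-0001.txt").write_text("constructed sample record\n")
        (src / "notes.txt").write_text("constructed sample note\n")
        backup_tree(src, dst)
        before = verify_backup(dst)
        # Simulate a copy that is no longer exact (for example, a failing medium).
        (dst / "notes.txt").write_text("constructed sample note, altered\n")
        after = verify_backup(dst)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("problems before tampering:", before)   # expected: []
    print("problems after tampering:", after)     # expected: ['notes.txt']
```

    Keeping the manifest beside the copy is what makes the copy verifiable later without access to the original: whoever restores it can run `verify_backup` and know whether every file came back exactly as it was.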

     
    In Summary

    The Security Rule’s Physical Safeguards are the physical measures, policies and procedures to protect electronic information systems, buildings and equipment. Successfully implemented, these standards and implementation specifications should help protect covered entities’ EPHI from natural and environmental hazards and unauthorized intrusion.

    Visit the CMS website often at www.cms.hhs.gov under “Regulations and Guidance” for the latest information.

    Visit the Office for Civil Rights website, http://www.hhs.gov/oc

    Resources

    The remaining papers in this series will address other specific topics related to the Security Rule. The next paper in this series covers the Security Rule’s Technical Safeguards. The Technical Safeguards are the technology and the policies and procedures for its use that protect EPHI and control access to it.

    Covered entities should periodically check the CMS website at www.cms.hhs.gov under “Regulations and Guidance” for additional information and resources as they work through the security implementation process. There are many other sources of information available on the Internet. While CMS does not endorse guidance provided by other organizations, covered entities may also want to check with other local and national professional organizations.

     

     

     

     

     

     

     

    Security Standards Matrix
    (R) = Required, (A) = Addressable

    ADMINISTRATIVE SAFEGUARDS
    Security Management Process – 164.308(a)(1): Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
    Assigned Security Responsibility – 164.308(a)(2): no implementation specifications
    Workforce Security – 164.308(a)(3): Authorization and/or Supervision (A); Workforce Clearance Procedures (A); Termination Procedures (A)
    Information Access Management – 164.308(a)(4): Isolating Health Care Clearinghouse Functions (R); Access Authorization (A); Access Establishment and Modification (A)
    Security Awareness and Training – 164.308(a)(5): Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
    Security Incident Procedures – 164.308(a)(6): Response and Reporting (R)
    Contingency Plan – 164.308(a)(7): Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
    Evaluation – 164.308(a)(8): no implementation specifications
    Business Associate Contracts and Other Arrangements – 164.308(b)(1): Written Contract or Other Arrangement (R)

    PHYSICAL SAFEGUARDS
    Facility Access Controls – 164.310(a)(1): Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
    Workstation Use – 164.310(b): no implementation specifications
    Workstation Security – 164.310(c): no implementation specifications
    Device and Media Controls – 164.310(d)(1): Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

    TECHNICAL SAFEGUARDS
    Access Control – 164.312(a)(1): Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
    Audit Controls – 164.312(b): no implementation specifications
    Integrity – 164.312(c)(1): Mechanism to Authenticate Electronic Protected Health Information (A)
    Person or Entity Authentication – 164.312(d): no implementation specifications
    Transmission Security – 164.312(e)(1): Integrity Controls (A); Encryption (A)

    ORGANIZATIONAL REQUIREMENTS
    Business associate contracts or other arrangements – 164.314(a)(1): Business Associate Contracts (R); Other Arrangements (R)
    Requirements for Group Health Plans – 164.314(b)(1): Implementation Specifications (R)

    POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS
    Policies and Procedures – 164.316(a): no implementation specifications
    Documentation – 164.316(b)(1): Time Limit (R); Availability (R); Updates (R)
