Regulator: Don't Neglect Physical Security of 'Workstations'OCR Alert Offers Insights on Keeping Patient Records Secure
Are too many healthcare organizations and their business associates skimping on physical security measures for safeguarding patient records? Federal regulators seem to think so.
See Also: Threat Intelligence - Hype or Hope?
A May 30 cybersecurity alert issued by the Department of Health and Human Services' Office for Civil Rights urges HIPAA covered entities and BAs to pay closer attention to providing good physical security for "workstations," which include a wide variety of devices.
In its monthly newsletter alert for May, OCR notes that while the HIPAA Security Rule specifically references "workstations," the term is defined in the HIPAA rule as "a computing device, for example a laptop or desktop computer, or any other device that performs similar functions - and electronic media - stored in its immediate environment. Portable electronic devices ... included in this definition ... could include tablets, smart phones and similar portable electronic devices."
Physical security is an important component of the HIPAA Security Rule that is often overlooked, OCR writes. "What constitutes appropriate physical security controls will depend on each organization and its risk analysis and risk management process."
As of May 31, OCR's HIPAA Breach Report Tool website - commonly known as the "wall of shame" - lists 632 major health data breaches involving theft of electronic computing devices that have impacted more than 20.3 million individuals since 2009.
That represents about 27 percent of the 2,322 breaches on the tally, and about 8 percent of the nearly 253 million individuals impacted by those incidents.
"Companies focus a lot of attention on protection from hackers and the like, but other security risks are still really important," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
"Physical security covers a lot of topics. Obviously, things like locking doors is always important in general," he says. "A lot of the other issues depend on the business activities. As workplaces evolve, some of these issues become even more important. Shared office spaces require special protections for sensitive information. Working from home creates a variety of new risks. The mobility of information - on mobile devices, laptops, thumb drives and the like - requires significant attention."
Paper PHI Problems
While the May alert from OCR spotlights electronic gear that falls under the definition of a "workstation," many organizations also appear to have trouble physically securing paper and film that contains protected health information.
In addition to the major breaches involving theft of electronic devices, the wall of shame lists 304 breaches involving theft of paper/film and "other" material affecting nearly 5.6 million individuals since 2009.
Some of the breaches listed on the wall of shame also involve unsecure, improper disposal of PHI. Examples of those breaches include the disposal of paper/film records that had not been shredded and were later stolen from dumpsters.
Keith Fricke, principle consultant at tw-Security, says he often sees a lack of attention given to physical security by healthcare providers and their vendors.
"A common theme is that many CEs are not taking any measures to validate the security practices of a BA beyond having a signed agreement in place," he says. "Regarding paper/film, CEs should confirm if the BA with whom they have an arrangement for the storage, transport or disposal of paper-based PHI has subcontracted those services," he says. "Stories exist where a paper-based breach occurred and the CE discovers that the BA relationship is several layers deep because the initial BA subcontracted to another vendor, who in turn, subcontracted again."
Breaches involving thefts and potentially lax physical security have attracted the ire of federal regulators.
"Failure to take reasonable steps regarding physical security may have serious consequences," OCR notes in its alert. Investigations by OCR that have included, among others, "potential violations of the security rule's workstation security standard have resulted in settlement payments by covered entities ranging from $250,000 to $3.9 million," OCR says.
Those enforcement actions include an $850,000 HIPAA settlement in 2015 with Lahey Hospital and Medical Center in Burlington, Mass., stemming from an investigation into a laptop stolen from an unlocked room.
Earlier this year, OCR reached a $100,000 HIPAA settlement with Filefax, a now-defunct medical records storage company at the center of a 2015 "dumpster diver" breach affecting more than 2,000 patients. In that case, investigators found intact paper and film patient records left in an unlocked vehicle and an unsecured dumpster.
Big Breach, Big Fine
The largest breach involving the theft of electronic computing gear was reported in August 2013 by Chicago-based Advocate Health, which reported the theft of four unencrypted desktop computers containing data on 4 million individuals. That incident - combined with two smaller breaches reported by Advocate - resulted in a record $5.5 million HIPAA settlement.
At the time of the settlement, former OCR director Jocelyn Samuels noted: "We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure. This includes implementing physical, technical and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level."
Encryption Safe Harbor
While OCR stresses the importance of physical security controls, the use of encryption is generally viewed as the gold standard for securing PHI on mobile and other computing devices, And if gear is stolen or lost, encryption provides a safe harbor for having to report a breach to regulators.
Organizations need to be mindful, however, of potential problems arising out of overconfidence and overreliance on encryption at the expense of physical security controls, Nahra notes.
"While data encryption always helps, it is not a panacea - and companies sometimes don't address the details - for example, a stolen laptop that is encrypted but the laptop was turned on - and therefore not encrypted - is not exempt from breach reporting," he says.
While healthcare organizations appear to be getting more diligent about encrypting mobile devices and storage media, some organizations often are not taking adequate steps to confirm that devices are, in fact, encrypted, Fricke says.
"Policies should clearly state that encrypted media is required and that a HIPAA sanction policy is enforced for infractions. Workforce members should be reminded not to leave devices unattended and in view in vehicles," he says. "Smash-and-grab theft is common. Physical security also involves being aware of your surroundings, especially within the facilities of a CE. Be on the lookout for unknown people in areas where they should not be, and contact the CE's internal physical security department if such circumstances arise."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes that a key challenge in physically securing PHI is keeping track of where all PHI is located.
"Very few organizations have a good inventory of PHI, which can lead to potential breaches, such as long-forgotten laptops getting lost or stolen."
—Adam Greene, Davis Wright Tremaine
"Very few organizations have a good inventory of PHI, which can lead to potential breaches, such as long-forgotten laptops getting lost or stolen from storage spaces," he says. "This is especially true for electronic media, as it takes significant effort - and organizational buy-in - to put in place technical measures to minimize the possibility of PHI floating around on USB drives."
Inventory control challenges can be helped through assets tags, he suggests. "This is an addressable requirement under the HIPAA Security Rule and may not be reasonable for every organization. Organizations who do not closely track what devices have PHI and who is accountable for them should make sure to document their basis for determining that such a control is not reasonable."
In its alert, OCR notes that "many reliable physical security controls are available at little or no cost."
For example, it points out, "privacy screens to prevent someone from viewing your computer screen or cable locks to deter theft can typically be purchased for $20 to $40. Port and device locks that physically restrict access to USB ports or devices such as CD/DVD drives are also available at low costs."
Cost-free measures, OCR says, include positioning workstation screens away from areas from which they could be viewed, keeping electronic equipment and media in secured areas, and using security cameras.