OCR Reminds Covered Entities Not to Overlook Physical Security Controls

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reminded HIPAA-covered entities that HIPAA not only requires technical controls to be implemented to ensure the confidentiality, integrity, and availability of protected health information, but also appropriate physical security controls.

Physical controls are often the simplest and cheapest forms of protection to keep PHI private and confidential, yet these security controls are often overlooked. Some physical security controls cost nothing – such as ensuring portable electronic devices (laptop computers, portable storage devices, and pen drives) are locked away when they are not in use.

While this is a very basic form of security, it is one of the most effective ways of preventing theft and one that can prove incredibly costly if overlooked. OCR draws attention to a 2015 HIPAA breach settlement with Lahey Hospital and Medical Center. An unencrypted laptop computer was stolen from the Tufts Medical School affiliated teaching hospital resulting in the exposure 599 patients’ ePHI.

The laptop computer was used in connection with a computerized tomography (CT) scanner. The laptop was in an unlocked treatment room off an inner corridor of the radiology department. Lahey Hospital settled the case for $850,000. A high price to pay for failing to implement a free physical security control.

In 2014, QCA Health Plan agreed to settle potential HIPAA violations with OCR for $250,000. QCA Health plan failed to implement physical safeguards for all workstations to restrict access to ePHI to authorized users only. In that case, the workstation was an unencrypted laptop computer that was stolen from the vehicle of an employee.

In 2012, Massachusetts Eye and Ear Infirmary (MEEI) settled a HIPAA violation case with OCR for $1.5 million. This was another case of an unencrypted laptop computer being stolen that resulted in the impermissible disclosure of ePHI.

In 2016, OCR settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. Feinstein Institute had failed to physically secure a laptop computer containing the ePHI of 13,000 patients. The device was also stolen from the vehicle of an employee.

In July 2016, University of Mississippi Medical Center settled a case with OCR for $2,750,000. An unencrypted laptop computer containing the ePHI of an estimated 10,000 patients was stolen from its Medical Intensive Care unit.

HIPAA requires covered entities and their business associates to implement “physical safeguards for all workstations that access ePHI to restrict access to authorized users.” Workstations include desktop computers, laptops, and other computing devices including portable storage devices, smartphones, and tablets.

It is up to HIPAA-covered entities and their business associates to decide on the most appropriate physical security controls to implement, which should be based on their risk analyses and risk management process.

Common physical security controls used to secure electronic devices and ePHI include:

  • Positioning desks to ensure screens cannot be easily viewed by anyone other than the user of a workstation
  • Privacy screens to prevent shoulder surfing
  • Cable locks to prevent electronic devices containing ePHI from being stolen
  • The use of security cameras to deter theft of electronic devices and physical PHI
  • Use of signage to remind employees about the need to use physical security controls
  • Use of port and device locks to prevent CD/DVD drives and USB connections from being used on workstations to copy ePHI and install unauthorized software.

The importance of preventing the use of USB drives by staff was highlighted in a recent study by Dtex Systems into insider threats. While the study was not conducted specifically on healthcare organizations, it did reveal that 90% of the risk assessments conducted on its customers and prospective customers revealed employees were transferring data to unencrypted USB devices.

As OCR explained in its May 2018 cybersecurity newsletter, “While the latest security solutions to combat new threats and vulnerabilities get much deserved attention, appropriate physical security controls are often overlooked.  Yet physical security controls remain essential and often cost-effective components of an organization’s overall information security program.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.