Healthcare , HIPAA/HITECH , Industry Specific
Feds to Health Sector: Don't Skimp on Physical Security
Cyberattacks Soar, But Guarding PHI From Break-Ins, Natural Disasters Is CriticalDespite a seemingly endless barrage of cyberattacks hitting the healthcare sector, physical threats against patient data still remains a danger, a U.S. federal regulator said.
See Also: Enterprise Browser Supporting Healthcare, Cyber Resilience
From 2020 through 2023, the Department of Health and Human Services received more than 50 reports of major breaches affecting a total of 1 million individuals related to compromises of unsecured protected health information involving stolen computing equipment and related devices, said HHS' Office for Civil Rights in an advisory Wednesday.
That's an improvement over less than a decade ago when breaches involving lost and stolen devices containing unencrypted patient data dominated major breaches posted on the HHS OCR HIPAA Breach Reporting Tool website.
But it's still too many, regulators said.
Only 7% of data security decision-makers are concerned with breaches due to lost or stolen equipment, even though these account for 17% of breaches, HHS OCR said, referring to findings by Forrester Research in its report, The State of Data Security, 2023.
While hacking incidents dominate major health data breaches, HIPAA-covered entities and their business associates should not slack off in their physical security, including facility access controls.
Unlocked facilities could attract criminals - who, in their haste to flee the scene, "could also destroy physical structures or electronic components required for power or cooling for devices, or damage infrastructure required for network connectivity - all of which can introduce additional delays and costs to fully recover," regulators said.
'Addressable' Issues
The HIPAA Security Rule's facility access control standard consists of four "addressable" implementation specifications: contingency operations, facility security plan, access control and validation procedures and maintenance records.
Addressable implementation specifications require HIPAA-regulated entities to assess whether an implementation specification is a reasonable and appropriate safeguard in its environment, and if so, to implement it, the agency said.
The four addressable implementation specifications for physical security are:
- Contingency operations must include plans for responding to emergencies or other occurrences, such as flooding, that damage systems containing ePHI.
- Facility security plans should include policies and procedures to protect its facilities and equipment from unauthorized physical access, tampering and theft.
- Access control and validation procedures must involve access to facilities based on an individual's role or function, including visitor control and access to software for testing and revisions.
- Maintenance records should document information related to repairs and modifications made to the physical components of a facility related to security.
"Implementing facility access controls is analogous to securing your home. Prior to locking your home's entrances, you have not effectively secured your home; similarly, absent appropriate facility access controls, you have not fully secured your ePHI," HHS OCR said.
Also, as weather conditions become more extreme and natural disasters more prevalent, regulated organizations probably should evaluate their facilities' physical resilience, the agency said.
Subject to Enforcement
HHS OCR reminded HIPAA-regulated entities that they are subject to potential enforcement actions if the failure to implement facility access controls leads to a PHI breach.
A potential failure to implement facility access controls contributed to a $3.5 million HIPAA settlement by the agency in 2018 with Fresenius Medical Care Holdings in the aftermath of five separate breaches reported by the Massachusetts healthcare organization in 2012 (see: $3.5 Million Penalty for Five Small 2012 Breaches).
Three of those incidents, which affected a total of 366 individuals, involved equipment stolen from FMC's facilities. The compromised ePHI included names, admission dates, days and times of treatments, birthdates, Social Security numbers, telephone numbers and addresses.
Among other potential HIPAA violations, HHS OCR's investigation into the breaches cited FMC's failure to implement policies and procedures to safeguard its facilities and equipment from unauthorized access, tampering and theft, the agency said.
Unfortunately, many healthcare organizations have a tendency to focus on security risks involving centralized processing and storage points, which requires significant investments of time and effort, "often at the expense of necessary and transparent collaboration with the physical security functions," said Wes Morris, senior director of consulting services at privacy and security consultancy Clearwater.
As part of their own facility access security risks, regulated entities should consider the risks posed by third parties, he said.
"Where facilities are managed by an external party - such as a landlord in a leased space - covered entities and business associates should treat landlords as they would any other third party vendor with high likelihood of incidental access to PHI by verifying their physical security controls and their vendor chain for cleaning, maintenance and physical security," Morris said.