Baker & Hostetler LLP

09/06/2024 | Press release | Distributed by Public on 09/06/2024 08:25

Let's Get Physical - OCR Issues Reminder that HIPAA Security Isn't Just Technical


Key Takeaways:

  • The HHS Office for Civil Rights' newest Cybersecurity Newsletter highlights the importance of Facility Access Controls to keep electronic protected health information safe from physical threats.
  • The Cybersecurity Newsletter includes best practices for securing facilities and electronic protected health information from theft and any resultant destruction, and for protecting and ensuring continued access to systems during emergencies and natural disasters.
  • OCR urges regulated entities not to overlook the implementation of Facility Access Controls, and suggests that plans be updated to reflect heightened risks of potential cybersecurity threats.

While most entities that are subject to the HIPAA Security Rule spend considerable time and effort ensuring that they have implemented appropriate administrative and technical safeguards to protect the health information that they use, disclose or maintain, the Office for Civil Rights' (OCR) August 2024 Cybersecurity Newsletter (Newsletter) reminds entities of the third and equally important aspect of HIPAA security: the physical security of health information. In particular, the Newsletter focuses on the importance of Facility Access Controls, a HIPAA Security Rule standard that requires regulated entities to "implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed." The Facility Access Controls standard requires entities to consider four different areas or specifications - contingency operations, facility security plan, access control and validation procedures, and maintenance of records - when implementing these requisite Facility Access Controls.

Notably, data cited by OCR shows that only 7 percent of data security decision makers are focused on breaches that often derive from a lack of robust physical security safeguards, such as lost or stolen equipment, even though such breaches constitute 17 percent of all breaches. According to the Newsletter, from 2020 to 2023, OCR received more than 50 large breach reports (affecting 500 or more individuals), affecting more than 1 million individuals in total, that were the result of physical security vulnerabilities. Likening appropriate Facility Access Controls to securing a home by locking the entrances, OCR analogized that electronic protected health information (ePHI) is not fully secured without appropriate physical safeguards.

Risks of Stolen Devices and Impeding Delivery of Healthcare

OCR noted the importance of uninterrupted healthcare in the Newsletter regardless of whether the interruption is caused by theft or an emergency. In addition to the inherent risks of stolen devices (e.g., workstations, servers, laptops, external hard drives, backup devices, flash drives, smartphones and medical devices), OCR explained how the loss of certain devices and resultant damage could impede the delivery of healthcare. By way of example, OCR noted that damage to facility structures, electronic parts for cooling devices or network infrastructure could result in added delays and recovery costs.

OCR also focused on the importance of appropriate Facility Access Controls to provide secure physical access to systems during a disaster or emergency. OCR urged regulated entities to consider how the risk of natural disasters and emergencies could impact their systems and facilities, noting that of its 31 waivers for HIPAA requirements issued since 2018, all except one were due to natural disasters.

The Four Addressable Specifications

As noted above, the Facility Access Controls standard under the HIPAA Security Rule requires entities to address four specific areas, for which the Newsletter provided detailed guidance that is summarized below.

Contingency Operations

OCR reminded regulated entities in the Newsletter that they must establish contingency plans under the HIPAA Security Rule to respond to an emergency or damage to systems containing ePHI, which could include natural disasters (e.g., floods or fires) or human actions (e.g., malicious hacking or malware attacks, or non-malicious attacks like an inexperienced administrator accidentally disabling critical systems or deleting sensitive data). OCR recommends the following be considered when creating contingency operations procedures, which are the procedures used to provide for the physical access to facilities and to support the execution of plans and restoration during an emergency:

  • Determine who must access facilities and ePHI during a disaster or emergency.
  • Outline processes to provide accelerated or temporary access to facilities and ePHI.
  • Identify alternative means for accessing facilities and ePHI.
  • Determine whether there is a plan for monitoring facilities and securing facility access points during disasters or emergencies.
  • Identify who is responsible for developing and implementing the organization's contingency plans.
  • Develop contingency plans for multiple types of disasters and emergencies (e.g., wildfire, flood, hurricane, tornado, earthquake, power outage, civil unrest, cyber incidents).
  • Consider resources and procedures necessary to continue critical activities during prolonged interruptions of operations.

Facility Security Plan

Next, OCR outlined the requirements for a facility security plan, which is the implementation of steps for a regulated entity to protect its facilities and equipment from unauthorized physical access, tampering or theft. OCR noted that different facilities or departments within a regulated entity could require differing security plans and that a security risk analysis should guide the appropriate policies and procedures. Importantly, OCR noted that regulated entities that do not control the buildings they occupy or that share space with other organizations remain responsible for their own facility security plans. According to OCR, regulated entities would be prudent to consider the facility security measures implemented by third parties, as those measures can impact a regulated entity's own facility security plans.

OCR suggested that entities consider how "surveillance cameras; alarm systems; property control/inventory tags; employee/contractor ID badges and visitor badges; private security guards/patrols; facility escorts for visitors/contractors; and biometric, electronic, and/or mechanical security systems" could be integrated into their facility security plans. OCR also noted that a facility security plan should address workforce training, annual reviews and updates, with a designated person to develop and implement the plan, and tests to ensure the plan is effective.

Access Control and Validation Procedures

Third, the Newsletter highlighted the importance of access control and validation procedures. This HIPAA specification requires procedures to control and validate physical access to facilities by individuals, including visitors, based on their role or function. OCR noted how procedures could vary from organization to organization - e.g., allowing contractor access with sign-in and sign-out workforce assistance or after vetting, or allowing contractor access through electronic key cards that restrict accessible areas - and suggested policies and procedures that (1) account for the various roles of groups (staff, contractors, visitors, volunteers, non-staff providers, probationary employees), (2) determine and document access points in the facility, (3) inventory information technology assets, and (4) create a plan for monitoring equipment.

Maintenance Records

The final HIPAA specification addressed in the Newsletter requires policies and procedures to document repairs and modifications to physical components of a facility (e.g., hardware, walls, doors and locks), the development of which can assist with building an effective facility security plan. OCR suggested that such records could document the following about repairs and modifications: date and time, description, location, reasons for the repair or modification (including if related to a security incident), name of the individual responsible for the changes, required follow-up, and the name of the individual(s) (security officer, maintenance supervisor) responsible for overseeing the repair or modification.

Conclusion

In what could be an indication of OCR's enforcement focus, OCR urged regulated entities not to overlook Facility Access Controls by treating them as a "check the box" exercise, especially in light of ongoing, remote cyberattacks. OCR highlighted the risk of extreme weather and natural disasters, urging a review of policies and procedures to consider whether facilities are subject to heightened risk. OCR reminded entities that failure to implement policies and procedures to safeguard facilities and equipment from unauthorized access, tampering and theft has led to multiple breaches in some instances and significant monetary penalties as a result.

The Newsletter appears to signal to regulated entities that OCR is aware of the risks of interrupted operations stemming from cyberattacks and natural disasters or emergencies and that it expects regulated entities to be aware of and prepare for such instances to ensure healthcare entities remain functional and able to provide healthcare without interruption. Moving forward, OCR may increasingly expect regulated entities to produce developed and documented Facility Access Controls plans, and regulated entities would be prudent to consider reviewing and updating those plans as part of their larger HIPAA Security Rule compliance program and security risk analysis process.