Recently, a Texas-based cancer treatment center was penalized with a $4.3 million fine for three breaches linked to unencrypted devices.
The breaches stemmed from three incidents in 2012 and 2013, when an employee’s laptop was stolen at a residence and two unencrypted pen drives went missing, possibly compromising 35,000 health records.
Physical security of electronic protected health information (ePHI) is often overlooked while organizations focus on cybersecurity safeguards to maintain HIPAA compliance. The HIPAA Security Rule requires healthcare entities to implement physical safeguards around any devices that have access to ePHI, including portable devices such as laptops, smartphones and tablets.
The OCR’s latest cybersecurity newsletter gives seven questions for healthcare entities to ask themselves about their organization’s physical security, listed below:
- Is there a current inventory of all electronic devices (such as computers, portable devices and electronic media), including the location of the devices?
- Are any devices located in public areas or other areas that are more vulnerable to theft, unauthorized use, or unauthorized viewing?
- Should devices currently in public or vulnerable areas be relocated?
- What physical security controls (such as cable locks, privacy screens, secured rooms, cameras, guards and alarm systems) are currently in use for such devices, and are they easy to use?
- What additional physical security controls could be put into place?
- Are policies in place and employees properly trained regarding physical security, for example: the use of cable locks and privacy screens?
- Are there signs posted reminding personnel and visitors about physical security policies and monitoring?
Healthcare entities need to undertake compliance efforts under HIPAA’s Security Rule, and healthcare officials need to follow tested procedures before instating extra ePHI physical safety efforts.
HIPAA compliance can be a long and complex process that is crucial to the successful operation of any business in the healthcare field. While such standards are meant to serve the privacy interests of constituents, they increasingly require manpower that is hard to find in this challenging environment. Telegenisys helps its clients meet such requirements by providing HIPAA certified staff in a zero-defects outsourced environment.