- When creating strong healthcare data security measures, physical safeguards serve as a primary line of defense from potential threats.
The Department of Health & Human Services (HHS) defines physical safeguards as the following:
Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion. The standards under physical safeguards include facility access controls, workstation use, workstation security, and device and media controls. The Security Rule requires covered entities to implement physical safeguard standards for their electronic information systems whether such systems are housed on the covered entity’s premises or at another location.
Although the majority of health data storage is being transitioned into digital formats, thus elevating the importance of technical safeguards, physical safeguards still hold a vital role in protecting against healthcare data breaches.
By implementing proper and effective physical safeguards, healthcare organizations are able to mitigate many potential healthcare data breaches.
Proper PHI Disposal
As healthcare organizations transition patient health information from paper to electronic files, it is important that they ensure those paper files are eventually disposed of properly.
According to the HIPAA Privacy Rule, acceptable methods for paper PHI disposal include burning, shredding, pulping, or pulverizing the records until they are unreadable.
Improperly disposed paper records pose a notable threat to the healthcare industry as organizations are seeking to get rid of these kinds of records. Between shut down clinics and clinics transitioning to EHRs, data breaches due to improperly disposed of paper records are increasing.
For example, a defunct medical testing facility left paper records containing PHI for 170 individuals in a dumpster. According to the NWITimes.com, a local restaurant worker found the files in the dumpster and then contacted the media outlet.
The paper files included such information as patient names, addresses, phone numbers, blood types, and credit card numbers with expiration dates and security codes. The files also included Social Security cards, driver’s licenses, health insurance cards, prescriptions for lab work, lab results, and medical diagnoses.
After being contacted, the media company consulted with the Indiana Attorney General turned the paper records over.
Healthcare facilities also need to ensure facility security to protect from potential thieves. Stealing health information storage devices is appealing to thieves because it allows them to access a large amount of that sensitive data in one place.
There is also the issue of thieves who may not necessarily wish to access patient data and just want to steal devices. Because of the value of the equipment, hospitals are lucrative targets from those looking to sell medical devices for profit. Although these thieves may not be interested in the health data, the information is still improperly disclosed and it is imperative that healthcare organizations protect against these kinds of issues.
Device theft that can result from improper facility security includes the theft of thumb drives and even laptop computers. In October 2015, for example, a thumb drive was stolen from St. Luke’s Cornwall Hospital.
The drive contained patient names, medical record numbers, dates of services, types of imaging services provided, and administrative information.
Although St. Luke’s Cornwall Hospital did not disclose much information regarding their typical facility security measures, they may have potentially had gaps that allowed this breach to happen.
By implementing proper security protocol, facilities can prevent device thefts such as that.
Access controls, or the way a covered entity vets and controls who is viewing health information, are critical to implementing adequate physical safeguards. By restricting someone’s access, a healthcare organization can control for information falling into the wrong hands.
Generally speaking, healthcare professionals should only access the minimum amount of patient information necessary in order to complete their care. For example, if a physician doesn’t need to know about a patient’s mental health, they will not be able to access their mental health records.
However, studies show that these kinds of access controls are not adhered to.
In a Ponemon Institute study commissioned by Varonis Systems, Inc., researchers found that 56 percent of respondents felt their organizations only put a low to moderate priority on protecting company data. Additionally, 65 percent of providers reported having access to patient information that they do not need in order to fulfil their job duties.
That said, industry experts predict that as healthcare data breaches continue to plague the industry, hospitals will place a higher priority on adhering to these “minimum necessary” rules.
“The damage can be greatly reduced by managing data access permissions, making sure employees only have access to the data they need to do their jobs, and by monitoring for unusual activity,” said Varonis co-founder and CEO Yaki Faitelson.
As healthcare data breaches grow more prevalent, covered entities might find that attacks come in all forms. Although there is a growing threat of technical and hacking-related attacks, healthcare organizations should still go the extra mile to implement physical safeguards to protect from non-hacking-related attacks.