A recent data breach involving old records from hospital patients, employees, and job applicants has led a VA medical center to launch new data privacy protocols. The John J. Pershing VA Medical Center said that it will be improving its physical safeguards to better protect sensitive information at the facility.
“The process will now include two-person verification that no records exist in furniture to be moved,” Medical Center Director Dr. Patricia Hall said in a statement, adding that a locked staging area will also now be part of the moving process.
The incident in question involved files being discovered in an unattended file cabinet. Approximately 1,843 job applicants, employees, and patients may have had their information exposed. The statement added that about half of those individuals are now deceased.
Emails, applications, lists of patients, and some Social Security numbers were found, the organization said.
The cabinet was reportedly being moved from one office to another and was temporarily stored at the end of a hallway where there was less traffic. Employees later discovered the old records in the cabinet, but the Medical Center reported that there is no evidence the files were accessed while in the temporary location.
“VA places the highest priority upon safeguarding the personal information of our Veterans,” Hall said. “When an incident such as this is discovered, we will always immediately take prompt remedial action, such as notification – even if the risk of records compromise is very slight.”
An investigation was also launched to determine how the cabinet was placed unattended and what the likelihood was that PHI or other information was disclosed.
HIPAA physical safeguards can easily be overlooked as healthcare organizations increasingly focus on their digital transformations. The push for nationwide interoperability and more entities looking toward options like cloud storage can make it more likely that physical records become an afterthought.
Physical safeguards are “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion,” according to HHS.
Facility access controls, workstation use, workstation security, and device and media controls must all be considered during physical safeguard implementation.
Organizations must evaluate their current security controls and regularly conduct thorough risk analyses to properly determine areas that may require adjustments for stronger physical safeguards.
All physical access to PHI and ePHI must be considered, which could include areas outside of an entity’s office. For example, secondary physical locations where sensitive information may be stored cannot be forgotten. If staff members are allowed to work from their homes, then those locations also must be included when determining potential physical vulnerabilities.
With facility access controls, HHS requires covered entities to “implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”
Organizations need to consider how their policies and procedures are developed and implemented. Those policies must still allow properly authorized access while limiting unauthorized physical access to any electronic information system and to the facility or facilities housing the data.
Door locks, electronic access control systems, security officers, and video monitoring are all examples of potential methods covered entities can utilize, HHS explained.
With workstation use and workstation security, healthcare organizations must specify the proper functions to be performed by electronic computing devices and consider how those workstations are used and protected.
For example, if there is a desktop computer in a common area that numerous staff members are able to access, an entity should review which employees have access and why. Those individuals’ job functions and titles should be noted. Continually updating antivirus software and implementing an automatic log-off could also help improve security measures.
“Covered entities may implement a variety of strategies to restrict access to workstations with EPHI,” HHS stated. “One way may be to completely restrict physical access to the workstation by keeping it in a secure room where only authorized personnel work.”
“As with all standards and implementation specifications, what is reasonable and appropriate for one covered entity may not apply to another,” the agency continued. “The risk analysis should be used to help in the decision-making process.”
Device and media controls are also critical for comprehensive physical safeguards. The receipt and removal of all electronic storage devices, such as external hard drives or digital memory cards, must be properly monitored.
“This standard covers the proper handling of electronic media including receipt, removal, backup, storage, reuse, disposal and accountability,” according to HHS.
Even with digital storage options, there is still a physical aspect to those devices or tools. Staff members could transport them back and forth, or move them during an office closure.
“Policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility” must be implemented, HHS said.
Natural or environmental hazards, unauthorized intrusion, or even simple oversights from staff members could create data security issues with PHI and ePHI. Cybersecurity attacks and ransomware might make headlines more often, but covered entities must maintain current physical security measures at the same time.