Healthcare Information Security

Patient Privacy News

Protecting Healthcare Physical Assets Containing PHI

Covered entities must consider all physical assets containing PHI when working toward holistic security measures.

By Bill Kleyman

- Administrators are actively looking into more ways to protect their virtual machines, their data points, and all of those logical resources that the organization relies upon. As the healthcare entity becomes even more digitized, we must never lose focus around the entire security picture.

Physical safeguards with PHI key consideration for healthcare organizations

This means protecting physical assets that process PHI, sensitive data, and ones that could potentially pose a security threat. A recent article pointed out that improperly disposed paper records pose a notable threat to the healthcare industry. The reality is that as many organizations go digital, they’re actively trying to get rid of these kinds of records. However, the move from analog to digital isn’t always easy.

For example, a defunct medical testing facility left paper records containing PHI for 170 individuals in a dumpster. The paper files included such information as patient names, addresses, phone numbers, blood types, and credit card numbers with expiration dates and security codes. The files also included Social Security cards, driver’s licenses, health insurance cards, prescriptions for lab work, lab results, and medical diagnoses.

Remember, it’s not just paperwork either. Device theft that can result from improper facility security includes the theft of thumb drives and even laptop computers.

For example, St. Luke’s Cornwall Hospital (SLCH) reported a potential healthcare data breach after a USB thumb drive was stolen on October 31, 2015.

READ MORE: Computer Theft Raises Health Data Security Concerns for 8K

After an investigation, SLCH determined that the thumb drive “appears to have included a file” that held certain patient information on it. Potentially exposed data includes patient names, medical record numbers, dates of service, types of imaging service received, and “administrative–type information used for internal business purposes.”

Here’s another example: more than 100,000 patients’ data was compromised when an employee’s unencrypted laptop was stolen from their car. Information on the laptop included patient names, Social Security numbers, addresses and diagnoses.

With all of this in mind, it’s important to examine healthcare security from a holistic perspective. To that extent, let’s look at the physical side of healthcare security.

Healthcare is impacted by IoT and new endpoints

There is a revolution going on around physical end-point control. New HTML5 technologies give us the capability to stream content to almost any type of user. Furthermore, virtualization has enabled heavier applications to be centralized and delivered via mechanisms like VDI and application virtualization. However, end-point security is absolutely critical. Healthcare organizations have the ability to control both internal and external physical devices. Furthermore, they are able to contextually secure and manage these end-points. Next-generation security now goes far beyond the cool factor of a new type of firewall. Now, we have powerful end-point protection (EPP) and end-point detection and response (EDR) systems that take physical device security to a new level. We’re talking about advanced security AI and even machine learning capabilities. Maybe it’s time to look at a new way to control and secure the end-point with powerful EDR and EPP technologies. These systems are adapting to new types of threats and help protect critical data points from possible leaks.

READ MORE: Understanding Health Data Security and Print Infrastructure

Creating good security policies

In the healthcare world, some of the biggest breaches where the result of an unlocked server room or poorly encrypted Excel files. For example, about 228,000 patient files were compromised after a former Medicaid employee illegally transferred 17 Excel spreadsheets with Social Security numbers and other personal information to his personal Yahoo account. Remember, good security policies span users, data centers, devices, and more. There are two ways to look at this. From a security policy perspective, there are new technologies that actually help automate the entire security policy change workflow. This means from submission and design to risk analysis, implementation, validation, and auditing. Furthermore, a good security architecture with visibility into your end-points can recommended policy changes directly on the device, saving time and avoiding manual errors. Physical healthcare security will also span data centers, the racks within them and all of the data that flows through that network. One of the biggest pieces of advice around a good security policy is to ensure a truly well-planned out and comprehensive approach to holistic security. Beyond that – never get complacent and always test against those policies. Ultimately, your goal will be to lock down sensitive data points, ensure that files can be traced, and enforcing good end-user control policies. New solutions help you gain greater control around both your physical network and the files flowing through it. In fact, some file control systems allow for advanced data loss prevention (DLP) and even watermarking of sensitive files.

Controlling network data and access

Treat your healthcare IT environment as an ever-changing entity managing critical users and data. Constant audits will give you better visibility into your infrastructure and help you gain control of your data. Alerts, proactive monitoring, and testing are all key mechanisms to keeping an environment safe. Controlling network and data access means creating visibility into your entire network. Do you have any rogue accounts? Any lost admin users out there? No? Are you sure? A lot of times healthcare organizations will work with hundreds, sometimes thousands, of contractors. Too often there aren’t seamless ways to decommission contractors as communication between HR and IT isn’t always perfect. Never lose control of your data points and always know who has access into sensitive data repositories. From there, as your user count grows, find good ways to manage these users and prevent lost or rogue users from “accidentally” creating a security problem.

Cloud isn’t going anywhere. In fact, many healthcare projects now directly revolve around building a new business model around the capabilities of cloud computing. Either way, for those healthcare organizations working with a hybrid cloud model or their own private instances, securing the physical side of your infrastructure will be absolutely critical.

READ MORE: Centene Healthcare Data Breach Affects 950K Patients

When you begin to understand everything from end-point to rack security, you’ll see the full spectrum of healthcare security control. Most of all, never, ever, forget about your users. Make sure to manage their devices, their access, their digital personas, and how they interact with your healthcare data.  

Dig Deeper:


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks