Greetings and welcome back. This week we continue our blog series on the Cyber/Physical/Operational standards for HIPAA and this week we look at HIPAA Physical Security Standards for Server and Telecom Racks. As we saw in our last blog, HIPAA breaches continue to grow in number and severity and one of the key reasons for this growth is very poor physical security of electronic Protected Health Information (ePHI). Let’s use this blog to examine the key physical security standards for HIPAA in order to better understand the types of security that must be put in place to be HIPAA compliant and reduce your chances of a disastrous security breach.
To begin with, please realize that the physical security standards for HIPAA are fairly lengthy so we are posting the first section that deals specifically with the Physical Access Security to your server and telecom rack(s).
§ 164.310 Physical safeguards.
(1)Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
The key provision of the HIPAA Physical Security Statute is Physical Access Controls. These access controls must be implemented to limit access to the electronic information systems and to the facility or facilities in which they are housed.
HIPAA 164.310 requires physical access controls on every server and telecom rack that contains ePHI and on the room in which each is located
What type of access controls are required? The covered entity or business associate must have a system that accomplishes 2 purposes:
Every HIPAA covered entity must:
- Restrict physical access to ePHI from those who do not have access authority
- Grant physical access only to those who have written access authority
Simply put, you must have a Physical Access Control System on every room containing ePHI and on the racks containing e-PHI. Please note that e-PHI is stored in both Electronic Health Records (EHR) servers and on your IP-based phone system which stores messages from patients. If your telecom and EHR servers are located in separate racks, you must either locate them to the same rack within the same room or, insure that all separate racks and their rooms have their own Physical Access Control System. Failure to safeguard both EHR and telecom servers is a common mistake that violates HIPAA rules.
Putting in a card or biometric access system in an existing server or telecom rack is not difficult and it takes only about 20 minutes to install each one. The largest brand is resold by AlphaGuardian Networks with the RackGuardian system and all of its features are integrated into our product. RackGuardian can integrate with a card-access or a biometric access system it controls access to each rack and room and it also logs entries and exits to a room and to each server and telecom rack.
Please remember that nearly half of all HIPAA breaches are physical in nature because there are very few organizations that employ access controls both at the room-level and on the individual racks containing ePHI. Also review this chart from last week’s blog to understand the severity of failing to cover yourself for physical breaches – which are now nearly half of all HIPAA violations.
Now, recall also from last week that nearly half of all physical access and theft violations were from insiders. If that alarms you, it should, but the facts are that ePHI is worth a lot of money on the open market. The value in ePHI is both as raw records – worth around $10 per record, and in Ransomware – worth many thousands of dollars per rack. As physical breaches grow, so do the number and total of HIPAA fines levied against healthcare providers and their business agents.
The Compliancy Group publishes all HIPAA fines levied and settled as of the latest week. As you can see from the chart below, the total fines for HIPAA violations are skyrocketing and showing no signs of leveling-off. At the present rate of fines, the total for 2017 will be $41 million and if trends continue, 2018 could approach $75 million. Please bear in mind that this cost does NOT include the cost of legal settlements with individuals whose records have been breached.
The long and short of this is that placing a Physical Access Security system on your server and telecom racks and on the room in which they are located is a very small price to be HIPAA compliant and avoid the enormous cost of fines and lawsuits. Our patented RackGuardian unit is the only system on the market that integrates Physical Access Control for rooms and their server racks together with full Cyber and Operational security. We would urge every reader to look carefully at this solution and we would be more than happy to have a confidential discussion about how to protect your ePHI from all threats.
Until Next Time,