In an interview (transcript below) with Howard Anderson, executive editor of HealthcareInfoSecurity, Weidenhamer advises organizations to:
- Comply with the physical security requirements in the HIPAA security rule. The National Institute of Standards and Technology offers HIPAA security rule compliance guides, he points out.
- Make sure that all critical servers are housed behind locked doors and that auditable access control measures are used.
- Limit data center access to only those individuals who have a legitimate need for access.
- Ensure that visitors, contractors, vendors and others are always escorted within secure areas.
- Use reputable firms, which have been tested for regulatory compliance, to handle offsite storage of backup media and to handle transport of the media.
- Encrypt all devices and media, including backup tapes, that store sensitive information. "Encryption is the single best way to protect sensitive data," he says.
Weidenhamer is audit and compliance manager at SecureState, an information security consulting firm. He has performed a wide range of security assessments, which include internal and external attack and penetration assessments, wireless penetration assessments, web application security reviews and physical penetration and social engineering assessments. He has earned CISA, CISSP, CIPP and QSA certifications.
HOWARD ANDERSON: Organizations are becoming aware of the importance of taking adequate physical security precautions in light of health information breaches stemming from the loss or theft of drives from data centers. For starters, can you clarify the HIPAA requirements for physical security that people should be complying with already?
ANDREW WEIDENHAMER: When it comes to HIPAA, physical security requirements are laid out in the security rule. It's a set of 15 control requirements which cover areas such as physical access controls, workstation use and security controls, and then, finally, device and media controls.
Some of the ... testing procedures are: Do nonpublic areas have locks and cameras? Are entrances and exits secure? Are there contingency plans [for disasters]? [Other key issues are] workstation inventory, workstation physical security and how is data on media disposed of; also reconciliation of backup media, and then backup media policy and procedures. ...
Three Security Steps

ANDERSON: So what would you say are the three most important steps to take to ensure that a data center housing servers is physically secure?
WEIDENHAMER: In my opinion, making sure that all critical servers are housed behind locked doors, utilizing good, auditable access control measures, is certainly an important one. Access should be limited to only those individuals who have legitimate need for access. And then, ensure that visitors, contractors, vendors and anyone else that doesn't have normal day-to-day access to the data center are always escorted within the secure area.
Overlooked Security Measures

ANDERSON: So what are some of the other physical security measures that hospitals, clinics and others may be overlooking?
WEIDENHAMER: This is not really just a problem with healthcare; it's a problem across the board with all industries, and that's really ensuring that you're using a reputable offsite storage location and secure carrier. Oftentimes, if you're not using one of these vendors, you don't really know when your backup tapes are being transferred to the secure location, how they're being transferred to the secure location, and those sorts of things. So it's really a best practice ... to use a PCI-compliant secure carrier. And even though PCI [Payment Card Industry Data Security Standard] is dealing with cardholder information, if an entity is PCI-compliant, then essentially they're adhering to a basic set of security requirements.
Other assessments, such as SAS 70s, should be performed, and organizations should ensure that their service providers have a SAS 70 performed, and these things should also lay out the physical security controls for the secure carriers and vendors.
Secondly, I think it's imperative that hard copy items containing sensitive information be disposed of properly. This poses one of the single largest points of failures for most healthcare organizations, and we've seen where healthcare organizations have actually been fined by HHS for disposing of sensitive information in a noncompliant manner. So employees need to be trained on what is considered to be PHI [protected health information] and then understand the policies and procedures associated with proper disposal. And then it's absolutely necessary that employees are held accountable for disposal of information outside the stated policies and procedures.
Role of Encryption

ANDERSON: In addition to physical security, should organizations consider encrypting the information stored in data centers as an extra layer of protection? Is that practical?
WEIDENHAMER: Yes, absolutely, and I think that PCI does a very good job of this. PCI, once again, requires encryption of cardholder information, so there's really no reason why sensitive e-PHI can't also be encrypted as well. I think the hardest part for healthcare organizations, really, is that sometimes it's unknown where all the e-PHI is located and what is actually considered to be e-PHI. To give you an example, many times e-PHI is located on spreadsheets or other unprotected documents ... due to bad or immature business processes. And most of the time, these types of files are unknown to anyone other than those who actually use them.
Secondly, sometimes it's unclear what is considered to be e-PHI. Certainly, medical records need to be protected. However, any data that can be used to link someone to a medical record could also be considered e-PHI. So healthcare organizations need to perform data flow analyses to determine where all sensitive data is located, classify these assets and data, and then implement security controls to protect these systems and data. For backup tapes, most solutions now provide built-in functionality to support tape encryption, which a healthcare organization should be using. And then workstations and laptops that also have the possibility to house e-PHI and other sensitive information should be using hard disk encryption or logically encrypted file containers to store this information.
... Encryption is the single best way to protect sensitive data. Healthcare organizations are going to be in a much better position, in the event that they were breached if, in fact, the data was encrypted. And, in fact, most regulations and state notification laws don't require disclosure if only encrypted information was breached.