For example, in the largest breach reported so far under the HITECH Act breach notification rule, insurer Health Net says 1.9 million individuals may have been affected when server drives were discovered to be missing from a data center managed by IBM (see: Health Net Breach Tops Federal List). While details about the incident remain sketchy, the breach reinforces the need to pay attention to physical security details.
The HIPAA security rule spells out more than a dozen requirements for physical security, says Andrew Weidenhamer, audit and compliance manager at SecureState (See: Physical Security: Timely Tips). The National Institute of Standards and Technology offers HIPAA security rule compliance guides, he points out.
Key Physical Security Steps
The three most important physical security steps to take to protect data centers, Weidenhamer says, are:
- Make sure that all critical servers are housed behind locked doors using auditable access control measures;
- Limit data center access to only those individuals who have a legitimate need;
- Ensure that visitors, contractors and others are always escorted within the secure area.
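The three steps above imply an audit trail that can actually be checked. The following is an added example, not code from the article or from either organization it describes: it parses a constructed badge-reader log and flags two conditions, an entry by a badge that is not on the data-center access list and a visitor entry with no authorized staff entry at the same door within an assumed one-minute escort window. The badge IDs, the log format and the window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample badge-reader log (not from the article): one line per door event.
SAMPLE_LOG = """\
2011-03-15T08:02:11 door=DC1 badge=S1001 event=ENTRY
2011-03-15T08:02:40 door=DC1 badge=V2001 event=ENTRY
2011-03-15T09:15:05 door=DC1 badge=S1042 event=ENTRY
2011-03-15T11:47:30 door=DC1 badge=V2002 event=ENTRY
2011-03-15T12:00:00 door=DC1 badge=S1001 event=EXIT
"""

# Assumed: the small set of staff badges approved for the data center (the article's "about eight").
AUTHORIZED_STAFF = {"S1001", "S1002", "S1003", "S1004", "S1005", "S1006", "S1007", "S1008"}
# Assumed policy: an escort must have badged in at the same door within a minute of the visitor.
ESCORT_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def audit_access_log(log_text, authorized=AUTHORIZED_STAFF, window=ESCORT_WINDOW):
    """Return a list of (timestamp, badge, reason) findings for data-center ENTRY events."""
    findings = []
    last_staff_entry = {}  # door -> time of the most recent authorized staff ENTRY
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] != "ENTRY":
            continue  # exits do not affect either check
        badge, door, ts = rec["badge"], rec["door"], rec["ts"]
        if badge in authorized:
            last_staff_entry[door] = ts
        elif badge.startswith("V"):  # visitor badge: needs a recent escort at this door
            escort = last_staff_entry.get(door)
            if escort is None or ts - escort > window:
                findings.append((ts, badge, "visitor entry without escort"))
        else:  # door opened for a badge the approved list does not contain
            findings.append((ts, badge, "badge not on data-center access list"))
    return findings
```

Run periodically against the exported reader log, the second finding type is the one that shows the door controller's configuration has drifted from the approved access list.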
Montgomery County Memorial Hospital, a 25-bed critical access facility in Red Oak, Iowa, takes all these steps at its new data center in a recently opened addition to the hospital, says Ron Kloewer, CIO.
All hospital employees use RFID proximity badges that enable them to open doors to restricted areas, based on their roles. Only about eight staff members have access to the data center, he notes.
A camera at the door to the data center ensures that "every coming and going from the data center is recorded," he adds. And directory maps of the hospital don't display the location of the data center.
HIPAA, PCI Compliance
An often overlooked physical security measure involves making sure that vendors hired to handle offsite storage of backup media have demonstrated their compliance with all relevant federal regulations, including HIPAA and the Payment Card Industry Data Security Standard, or PCI DSS, Weidenhamer says.
He also urges healthcare organizations to encrypt backup tapes, as well as all media and devices that store protected health information. "Encryption is the single best way to protect sensitive data," he notes. "Healthcare organizations are going to be in a much better position in the event they are breached if the data is encrypted."
A recent major health information breach incident illustrates the value of encrypting backup tapes. New York City Health and Hospitals Corp. notified 1.7 million individuals of a breach that occurred when unencrypted backup tapes were stolen from a truck that was transporting them for offsite storage (See: New York Breach Affects 1.7 Million).
Montgomery County Memorial Hospital will implement encryption of its backup tapes stored offsite in the coming weeks, Kloewer notes. Plus, it's developing a strategy for encrypting drives on servers in its data center.
"Healthcare organizations need to perform a data flow analysis to determine where all sensitive data is located, classify these assets and data and then implement security controls," Weidenhamer stresses.
Business Continuity
A good business continuity plan also can help ensure the integrity, availability and security of information, Kloewer notes.
The Iowa hospital has a fiber-optic link to an offsite backup data center for use in an emergency, he notes. To hold down costs, the hospital didn't use a suspended ceiling in its new data center, keeping it open instead so that heat would not be trapped near equipment if redundant cooling systems failed.
For more information on Montgomery County Memorial Hospital's security strategies, see: Security Spending Up at Rural Hospital.