A hospital's HIPAA security officer has a tough job. Not only must they protect every information technology (IT) system that stores sensitive information, but HIPAA also requires them to oversee the physical protection of any electronic equipment that can create, store, or dispose of protected health information (PHI). The regulation extends the scope of the job into areas that have traditionally been outside the "IT space."
Until recently, the Chief Information Security Officer, or CISO (the title many HIPAA Security Officers hold), has stayed inside a comfort zone focused primarily on securing servers and workstations. This narrow view overlooks the fact that PHI is also stored on medical devices located throughout a hospital or clinic. The result is a responsibility gap that can lead to the loss of sensitive information when a device goes missing.
Assessing the Risks
Medical devices are not typically assigned to an individual, but rather to the clinical engineering department or perhaps a care unit. As a result, responsibility for protecting these devices is diffused, and no individual is accountable when they go missing or are accessed by unauthorized people. Facility managers and security officers need only review the "Could Not Locate" (CNL) list periodically to understand the scale of the problem and estimate the annual financial loss to the organization.
In addition, many medical devices do not require a user ID and password for access, and those that do may still be running with factory default credentials. This raises the risk that an unauthorized individual gains access to patient information stored on the device, which is a HIPAA violation.
Either of these events, a missing device or unauthorized access to a device, should trigger a mandatory breach risk assessment, which could conclude that a reportable breach has occurred and must be reported to the Office for Civil Rights (OCR). Depending on the severity, OCR may then investigate how the organization protects the security of patient information.
The Role of a Facilities Security Plan
Protecting medical devices and the regulated information stored on them is the responsibility of the CISO. This requirement is documented in the 2013 HIPAA Omnibus Rule, which updated the language of the original 2003 HIPAA Security Rule. Government regulators have the authority to hold the CISO accountable, but clearly the CISO cannot protect medical devices without the cooperation of facilities managers, among others.
One tool available to the CISO is the HIPAA Security Rule's Facility Security Plan specification, which calls for "policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft." The CISO is directly accountable for ensuring this is accomplished, but facilities managers should assist, since many of the controls will be implemented by the facilities team.
One framework for establishing a Facilities Security Plan is to define risk levels based on the amount of sensitive information and infrastructure that needs to be protected, then establish a set of minimum security controls for each level. For example, areas that contain critical infrastructure such as power, heating/cooling, data centers, and compressed gas can be designated Tier 1, the highest-risk areas. Access to these areas would be restricted to authorized individuals and to approved third-party maintenance staff under escort and direct supervision. Cameras should be deployed and monitored 24/7 for all Tier 1 areas.
The next level of risk, Tier 2, would include patient care areas and other areas containing sensitive information and systems that are off-limits to visitors. This includes operating rooms, medical records, rooms that handle large amounts of cash (other than the cafeteria or gift shop), and the executive suite. Badge access should be required for all workforce members entering Tier 2 areas, so that access is logged and unauthorized individuals can be identified.
Tier 3 areas would be those where patients and authorized visitors may go without escort. Sensitive information may not be stored in a Tier 3 area unless it is locked up or under direct supervision.
Tier 4 areas would be public areas where no prior authorization is needed, such as visitor waiting rooms and parking facilities.
Using the Facilities Tier System to Protect Medical Devices
A strong medical device security plan should require that medical devices be protected and should define the areas where medical devices may be stored, charged, or serviced. Based on the risk, these will usually be Tier 1 or Tier 2 areas. Because medical devices should be assumed to contain sensitive information, and many have no user access controls such as user IDs or passwords, physical protection is the most effective way to protect them. Devices in use may be moved to patient rooms, but they should not be left in vacant patient rooms, which are Tier 3 areas.
Facilities managers may also manage the uniformed physical security guards. These individuals should be trained to look for violations of the Facilities Security Plan, specifically with respect to where medical devices are stored or charged. Any violation should be reported to the CISO so that additional training can be provided.
Using this framework should reduce the number of medical devices added to the CNL list, reduce the potential for unauthorized access to stored data, and ultimately help protect patients' information, reduce cost to the hospital, and keep the hospital off OCR's public list of reported HIPAA breaches.
Clyde Hewitt is an executive advisor for CynergisTek.
1. https://www.govinfo.gov/content/pkg/FR-2013-01-25/pdf/2013-01073.pdf : Federal Register, Vol. 78, No. 17, p. 5694, 45 CFR §164.308(a)(2)
2. Federal Register, Vol. 68, No. 34, 45 CFR §164.310(a)(2)(ii)