July 15, 2014
When it comes to workstation security, a covered entity should consider two things. First, it should look at the physical environment surrounding its workstations and establish safeguards that prevent both intentional and incidental access by unauthorized users. Second, it should establish the who, what, when, and where of access to electronic protected health information (ePHI) on those workstations. HIPAA splits these requirements into two standards, workstation security (§ 164.310(c)) and workstation use (§ 164.310(b)) respectively. We will discuss workstation security in this tip.
In order to comply with the HIPAA regulations regarding workstation security, a covered entity must “implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.”1
So, how should a covered entity physically protect its workstations from unauthorized users? Let's first look at some of the threats and vulnerabilities to workstations that could result in an adverse impact on a covered entity.
Without appropriate physical safeguards in place, a covered entity exposes itself to human threats: an unauthorized user could vandalize equipment or compromise the confidentiality, integrity, or availability of ePHI, and the unauthorized disclosure, loss, or theft of ePHI could lead to identity theft.2,4 Here are some vulnerabilities that could result in these adverse impacts:
- Leaving a workstation with access to ePHI unattended.
- Positioning workstations with access to ePHI in a manner that does not prevent unauthorized users, such as patients and visitors, from incidentally viewing ePHI on the workstation.
- Placing workstations with access to ePHI in publicly accessible areas.
- Using mobile devices, such as laptops, tablets, and smartphones, as mobile workstations to access ePHI, especially in inappropriate locations or in a manner that lets unauthorized users view the screen while ePHI is visible.
- Placing workstations in locations where they are not protected by physical security, such as doors, locks, or keyed access.
- Allowing the movement of mobile and non-mobile devices and office equipment without regular monitoring and tracking.
There are a number of physical safeguards a covered entity can implement to reduce the probability that a particular threat will exercise a particular vulnerability associated with workstation security. Here are some examples:
- Keep the doors of rooms that house workstations with access to ePHI locked, so that entry is controlled.
- Use privacy screens and/or face computer screens away from doorways, windows, and any other line of sight open to passersby.
- Establish policies and procedures that prevent unauthorized access to unattended workstations or electronic devices, such as automatically logging off or locking (behind a password) workstations and devices that have been inactive for a set period of time.
- Place information system components and storage media in a location that would restrict access to authorized users.
- Establish policies and procedures for mobile devices (laptops, tablets, and smartphones) that limit or restrict how and where ePHI is accessed or stored on these devices.
- Restrict unauthorized physical access to other electronic devices, such as printers, copiers, and fax machines that handle ePHI.
- Develop policies and procedures that establish the acceptable use and storage of electronic devices that remotely access ePHI.2
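The automatic log-off/lock safeguard in the list above is the one item that lives on the workstation itself rather than in the building, so it is worth verifying that it is actually configured rather than only written into a policy. The following PowerShell script is an added example, not part of the HHS or NIST guidance cited here. It audits a Windows workstation for a machine-wide inactivity limit (the "Interactive logon: Machine inactivity limit" security option, stored under HKLM as InactivityTimeoutSecs) and for a password-protected screen saver policy under HKCU, and can enforce the machine-wide limit. The 900-second threshold and the script name Test-WorkstationLock.ps1 are assumptions chosen for illustration; neither HIPAA nor the Security Rule prescribes a specific number, so set it from your own risk analysis.

```powershell
# Added example (not from the HHS/NIST sources): audit a Windows workstation's
# inactivity-lock configuration and optionally enforce a machine-wide limit.
# Assumption: 900 seconds (15 minutes) is an illustrative threshold; pick your own.
# Run in an elevated PowerShell session when using -Enforce.
param(
    [int]$MaxIdleSeconds = 900,
    [switch]$Enforce
)

# "Interactive logon: Machine inactivity limit" lives here (DWORD, seconds).
$machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Per-user screen saver policy values (REG_SZ strings "0"/"1" and seconds).
$userPolicy    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return the value, or $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Machine-wide limit: covers every interactive session on the host, so it is
#    the preferred control. A value of 0 or a missing value means "never lock".
$machineLimit = Get-RegValue $machinePolicy 'InactivityTimeoutSecs'
$machineOk = ($null -ne $machineLimit) -and ($machineLimit -gt 0) -and ($machineLimit -le $MaxIdleSeconds)

# 2. Per-user screen saver policy: must be active, marked secure (password on
#    resume), and within the threshold. An insecure screen saver only blanks the
#    display; it does not lock the session.
$ssActive  = Get-RegValue $userPolicy 'ScreenSaveActive'
$ssSecure  = Get-RegValue $userPolicy 'ScreenSaverIsSecure'
$ssTimeout = Get-RegValue $userPolicy 'ScreenSaveTimeOut'
$userOk = ($ssActive -eq '1') -and ($ssSecure -eq '1') -and
          ($ssTimeout -as [int]) -and ([int]$ssTimeout -le $MaxIdleSeconds)

# Report one row per workstation; collect these into your workstation inventory.
[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    MachineInactivitySecs  = $machineLimit
    MachineLimitCompliant  = $machineOk
    ScreenSaverActive      = $ssActive
    ScreenSaverSecure      = $ssSecure
    ScreenSaverTimeoutSecs = $ssTimeout
    UserPolicyCompliant    = $userOk
    Compliant              = ($machineOk -or $userOk)
} | Format-List

if ($Enforce -and -not $machineOk) {
    # Create the policy key if absent, then set the machine-wide limit (admin rights required).
    if (-not (Test-Path $machinePolicy)) { New-Item -Path $machinePolicy -Force | Out-Null }
    New-ItemProperty -Path $machinePolicy -Name 'InactivityTimeoutSecs' `
        -PropertyType DWord -Value $MaxIdleSeconds -Force | Out-Null
    Write-Host "Set InactivityTimeoutSecs=$MaxIdleSeconds on $env:COMPUTERNAME (applies at next logon or policy refresh)."
}
```

Run `.\Test-WorkstationLock.ps1` on each inventoried workstation to audit, and add `-Enforce` in an elevated session to apply the machine-wide limit. The machine limit is preferable to the per-user screen saver setting because it applies to every account that logs on, including shared and service-desk accounts, and because users cannot override it from the Control Panel.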
When identifying and implementing physical safeguards specific to your organization, it is important to first identify all methods of physical access to your workstations and then analyze the risk associated with each type of access (the probability that a particular threat will exercise a particular vulnerability and the resulting impact if this should occur). Here are several sample questions a covered entity should consider according to NIST SP 800-66 and the HIPAA Security Series of papers:
- Is there an inventory of all current workstation locations?
- Are any workstations located in public areas?
- Are laptops used as workstations?
- Are any workstations in areas that are more vulnerable to unauthorized use, theft, or viewing of the data they contain?
- What are the options for making modifications to the current access configuration?
- What safeguards are in place, i.e., locked doors, screen barriers, cameras, guards?
- Do any workstations need to be relocated to enhance physical security?
- Have employees been trained on security?
- Are physical safeguards implemented for all workstations that access ePHI, to restrict access to authorized users?
- Are current physical safeguards used to protect workstations with ePHI effective?
- Are additional physical safeguards needed to protect workstations with ePHI?1,3
Workstation. Workstation is defined in the Security Rule as “An electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions [including printers, copiers, fax machines, smartphones, and monitors], and electronic media stored in its immediate environment.”
Threat. Threat is not defined in the Security Rule itself; the HHS Security Rule guidance, following NIST SP 800-30, describes it as “the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
Vulnerability. Vulnerability is likewise not defined in the Security Rule; the same guidance describes it as “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised.”
Physical Safeguards. Physical safeguards are defined in the Security Rule as “physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
Access. Access is defined in the Security Rule as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”
Health Insurance Portability and Accountability Act of 1996 relevant Standards and Implementation Specifications:
45 CFR § 164.310(c) – Workstation Security
1. “Security Rule Educational Paper Series: Physical Safeguards,” hhs.gov, accessed April 24, 2014, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf.
2. “Security Risk Assessment Tool Physical Safeguards Content,” healthit.gov, created March 18, 2014, http://www.healthit.gov/sites/default/files/20140318_sratool_content_-_physical_volume_v1.docx.
3. “NIST Special Publication 800-66: An Introductory Resource Guide for Implementing the HIPAA Security Rule,” hhs.gov, accessed April 24, 2014, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf.
4. “NIST Special Publication 800-53 (Revision 4): Security and Privacy Controls for Federal Information Systems and Organizations,” nvlpubs.nist.gov, revised January 15, 2014, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.