Most security professionals know that HIPAA compliance is a federal mandate, with penalties up to $1,500,000 for a breach. Leon Rodriguez, the director of OCR (the Office for Civil Rights at the Department of Health and Human Services), comes from a law enforcement background, and he has pushed for, and got, more fines levied, more enforcement, and listings of organizations posted on the infamous “Wall of Shame,” which lists all the unfortunate organizations that have had breaches.
Most of the HIPAA security people I meet are in the IT department. They are really good at using scanning tools, penetration tests, and encryption, but they sometimes overlook physical access controls issues. Oftentimes they have not consulted with the organization’s other side of security – the facility and security directors. Sometimes they don’t even know the name of the security director!
It turns out that the worst breaches usually involve not esoteric IT issues that you have to be a genius to understand, but missing physical controls. For example, the recent Horizon BlueCross BlueShield breach of 842,000 patient records in New Jersey involved someone taking unencrypted laptops from the IT department. While all the regular laptops in use at Horizon were encrypted, two laptops in the IT department were not, and those are the ones that were stolen.
I’ve also seen IT departments that have cipher locks on the door to the IT area, but the door is propped open. Why? Because even though there is a lock and a buzzer, the receptionist doesn’t want to have to mess with that when she brings her lunch back from the hospital cafeteria. Why the security director hadn’t put a stop to this was one of my first questions!
Active monitoring of cameras is another area of concern. At a healthcare organization where IT security and facility security work together, the cameras are monitored. Any alarm that occurs is immediately sent to the security director, who can take out his phone and look right at the door that caused the alarm. In one case, a staff member forgot a book at the office, so she came back for it, and when she left she didn’t close the door all the way.
Because the director was instantly alerted and could look at the door and rewind the camera’s recording, he could see exactly what happened and call the person within three minutes so she could drive back and close the door properly.
When I’m doing a HIPAA audit or risk analysis, I expect every office that has ePHI (electronic Protected Health Information) to have locked doors, keypads, access control badges and monitored cameras. But the reality is that only about 50 percent of the organizations have all these controls in place for all the doors.
Working at home is another area where physical access control is critically important. We’ve all heard about the laptops full of patient information being snatched from kitchen tables near open windows, forgotten in a taxi, or stolen after being left in an unlocked car overnight.
Because more and more people are working at home at least one or two days a week, it’s a critical part of your HIPAA compliance to make sure these people have good controls in their home offices, and that they are provided a strong set of guidelines to follow when working with ePHI at home.
Good communication between these two branches of security is the key to making sure these things don’t happen in your organization. The IT director and security director can both get their jobs done faster and more easily, and keep the organization safer, if they start working together.