As we discussed the existing physical safeguards at the healthcare facility, the client assured me that the ePHI was stored on a server in a locked room. When I asked him to show me the room, I was shocked. Not only did this room have a door that opened directly to the outside, I knew the door was unlocked as I had walked into the practice through that very door! Imagine the shock on my client’s face when he realized that anyone could have come in through that door and walked away with his server and other computer equipment. He had wrongly assumed that someone on his staff had locked the door.
This highlights the following two key points:
- Don’t assume that the existing security controls at your facility are working properly. What good is the lock on the door when no one checks to see if the door is locked! That’s why having clearly written security policies and procedures is so important. Having a policy that designates a staff member to ensure that all physical safeguards (such as locks, alarms) are installed and working properly is critical in preventing unauthorized access to your healthcare facility.
- It is critical to conduct an onsite facility visit as a part of the risk analysis process. An onsite visit may reveal areas where security measures are lacking or not working as they should. It could uncover potential risks to ePHI in computer systems, such as a poorly ventilated server room causing the server to overheat, or servers placed on the floor where they are prone to water damage from a flood. Additionally, the physical location of the practice could be an issue, such as being in a high-crime neighborhood or being co-located with a company dealing with hazardous materials that may damage the systems that store ePHI.
A comprehensive risk analysis looks at all the potential threats and vulnerabilities to the ePHI and the security measures in place, and classifies the risks as high, medium or low. The practice can then choose to accept, avoid, transfer or mitigate each risk through the appropriate implementation of security policies, procedures, technology and training.
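The two points above (a designated staff member verifying that physical safeguards actually work, and a risk analysis that rates each threat/vulnerability pair and records a treatment decision) can be kept in a simple register. The following is an added example, not code from the original post: the 1-3 likelihood and impact scale, the high/medium/low thresholds, and the 30-day verification interval are assumptions chosen for illustration rather than a prescribed method, and the sample findings are constructed from the scenarios described in the post.

```python
"""Added example: a minimal ePHI risk register plus a physical-safeguard
verification check. Scale, thresholds and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The four treatment options named in the post.
TREATMENTS = ("accept", "avoid", "transfer", "mitigate")


@dataclass
class Risk:
    threat: str
    vulnerability: str
    likelihood: int            # 1 = rare, 2 = possible, 3 = likely (assumed scale)
    impact: int                # 1 = minor, 2 = moderate, 3 = severe (assumed scale)
    existing_controls: str = "none"
    treatment: Optional[str] = None


def rate(likelihood: int, impact: int) -> str:
    """Classify a risk as high/medium/low from likelihood x impact (assumed thresholds)."""
    for v in (likelihood, impact):
        if v not in (1, 2, 3):
            raise ValueError("likelihood and impact must be 1, 2 or 3")
    score = likelihood * impact
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def record_treatment(risk: Risk, choice: str) -> Risk:
    """Record one of the four treatment options; any other value is rejected."""
    if choice not in TREATMENTS:
        raise ValueError(f"treatment must be one of {TREATMENTS}")
    risk.treatment = choice
    return risk


def register(risks: list) -> dict:
    """Group risks by rating so the practice can address the highest-rated ones first."""
    out = {"high": [], "medium": [], "low": []}
    for r in risks:
        out[rate(r.likelihood, r.impact)].append(r)
    return out


@dataclass
class Safeguard:
    name: str
    owner: str                       # staff member designated by policy to verify it
    last_verified: Optional[date]    # None means nobody has ever checked it


def overdue_safeguards(safeguards: list, today: date, max_age_days: int = 30) -> list:
    """Names of safeguards not verified within max_age_days (never verified counts as overdue)."""
    cutoff = today - timedelta(days=max_age_days)
    return [s.name for s in safeguards
            if s.last_verified is None or s.last_verified < cutoff]


# Constructed sample findings, modelled on the scenarios in the post.
SAMPLE_RISKS = [
    Risk("theft of server", "exterior door to server room left unlocked", 3, 3,
         "door lock (never verified)"),
    Risk("water damage from flood", "server placed on the floor", 1, 3),
    Risk("server overheating", "poorly ventilated server room", 2, 2),
]
SAMPLE_SAFEGUARDS = [
    Safeguard("server room door lock", "office manager", None),
    Safeguard("alarm system", "office manager", date(2024, 1, 10)),
]

if __name__ == "__main__":
    reg = register(SAMPLE_RISKS)
    for level in ("high", "medium", "low"):
        for r in reg[level]:
            print(f"{level.upper():6} {r.threat}: {r.vulnerability} "
                  f"(controls: {r.existing_controls})")
    record_treatment(SAMPLE_RISKS[0], "mitigate")
    print("safeguards overdue for verification:",
          overdue_safeguards(SAMPLE_SAFEGUARDS, date(2024, 3, 1)))
```

Running it lists the unlocked exterior door as the only high risk, the floor-placed server and the unventilated room as medium risks, and reports both safeguards as overdue: the door lock because nobody has ever verified it, the alarm because its last check is older than the assumed 30-day interval.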