
Ever left your front door unlocked, thinking it’s no big deal? Well, that’s what happens when you forget about facility access controls – and the consequences can be far worse than a missing TV! Today, we dive deep into a topic that often gets overlooked but is critical to any organization’s security – facility access controls. Whether it’s ensuring that only authorized personnel can access sensitive areas or protecting valuable equipment from walking out the door, facility access controls are a crucial part of safeguarding not just data but also physical assets. And as much as we love talking about tech, this time it’s all about locks, keys, and keeping the wrong people out.
In this episode:
Check Your Facility Access Controls – Ep 475
Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.
Check Your Facility Access Controls
[02:30] August 2024 OCR Cybersecurity Newsletter | HHS.gov
Feds to Health Sector: Don’t Skimp on Physical Security
“HIPAA Security Rule Facility Access Controls – What are they and how do you implement them?”
…only 7% of data security decision makers are concerned with breaches due to lost or stolen equipment, even though these account for 17% of breaches. From 2020 through 2023, the Office for Civil Rights (OCR) received over 50 large breach reports affecting over 1,000,000 individuals attributable to stolen equipment and devices containing ePHI. Such equipment and devices were frequently described as being stolen during a burglary and included workstations, servers, laptops, external hard drives, backup devices, flash drives, smart phones, and medical devices.
It’s not just confidentiality; remember availability.
[13:49] Loss of certain devices, such as servers that maintain patients’ electronic medical records or medical devices that provide diagnostic or treatment services, could delay or impede delivery of health care. In their haste to flee with stolen equipment, criminals could also destroy physical structures or electronic components required for power or cooling for devices, or damage infrastructure required for network connectivity – all of which can introduce additional delays and costs to fully recover.
The four addressable implementation specifications for physical security are:
- Contingency operations must include plans for responding to emergencies or other occurrences, such as flooding, that damage systems containing ePHI.
- [34:53] Facility security plans should include policies and procedures to protect its facilities and equipment from unauthorized physical access, tampering and theft.
- Access control and validation procedures must involve access to facilities based on an individual’s role or function, including visitor control and access to software for testing and revisions.
- [42:23] Maintenance records should document information related to repairs and modifications made to the physical components of a facility related to security.
In the face of ongoing, remote cyber-attacks, regulated entities should not overlook Facility Access Controls or relegate them to a “check the box” exercise.
No matter how strong your digital defenses are, none of it matters if someone can stroll through the front door and access your systems. Facility access controls may seem like a small piece of the puzzle, but they play a massive role in keeping your organization secure. From lost devices to unauthorized access, neglecting physical security can lead to bigger problems than you might expect. So before you lock up for the day, make sure you’ve locked down your facility, too – because the weakest link might be something as simple as an open door.
HIPAA is not about compliance, it’s about patient care.™


