
INITIAL PUBLIC DRAFT IMPLEMENTING THE HIPAA SECURITY RULE: A CYBERSECURITY RESOURCE GUIDE

5.2.3 Workstation Security (§ 164.310(c))


HIPAA Standard: Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

Key Activity 1. Identify All Methods of Physical Access to Workstations and Devices

Description
• Document the different ways that users access workstations and other devices that create, store, process, or transmit ePHI. Be sure to consider the multitude of computing devices, such as medical equipment, medical IoT devices, tablets, smart phones, etc.
• Consider any mobile devices that leave the physical facility as well as remote workers who access devices that create, store, process, or transmit ePHI.

Sample Questions
• Is there an inventory of all current device locations?
• Are any devices located in public areas?
• Are laptops or other computing devices used as workstations to create, access, store, process, or transmit ePHI?

Key Activity 2. Analyze the Risk Associated with Each Type of Access [92]

Description
• Determine which type of access identified in Key Activity 1 poses the greatest threat to the security of ePHI.

Sample Questions
• Do any devices leave the facility, or are any devices housed in areas that are more vulnerable to unauthorized use, theft, or viewing of the data they contain?
• What are the options for making modifications to the current access configuration to protect ePHI?

Key Activity 3. Identify and Implement Physical Safeguards for Workstations and Devices

Description
• Implement physical safeguards and other security measures to minimize the possibility of inappropriate access to ePHI through computing devices.
• If there are impediments to physically securing devices and/or the facilities where devices are located, additional safeguards should be considered, such as:
  - Limiting device capabilities to access ePHI
  - Limiting user permissions to access ePHI
  - Device encryption
  - Stringent access controls (e.g., multi-factor authentication)
  - Screen lock
  - Device management (e.g., Mobile Device Management [MDM], Endpoint Detection and Response [EDR])
  - Workforce education and training related to mobile and remote computing risks to ePHI

Sample Questions
• Are physical safeguards implemented for all devices that access ePHI to restrict access to authorized users?
• What safeguards are in place (e.g., locked doors, screen barriers, cameras, guards)? [93]
• Are additional physical safeguards needed to protect devices with ePHI?
• Do any devices need to be relocated to enhance physical security?
• Have employees been trained on security? [94]
• Are some devices not owned by the organization? Do these ownership considerations preclude the use of any physical security controls on the device?
• Do the policies and procedures specify the use of additional security measures to protect devices with ePHI, such as using privacy screens, enabling password-protected screen savers, or logging off the device?

[92] This key activity may be conducted pursuant to the risk analysis and risk management implementation specifications of the security management process standard. See Section 5.1.1, HIPAA Standard: Security Management Process.
[93] See Section 5.1.1, HIPAA Standard: Security Management Process.
[94] See Section 5.1.5, HIPAA Standard: Security Awareness and Training.
