12.2 FACILITY ACCESS CONTROLS

Standard: Implement policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are located, while ensuring that properly authorized personnel are allowed access.

The preamble defines a facility as the physical premises and the interior and exterior of a building or buildings. This standard therefore applies to every facility in which a covered entity is physically or 'virtually' located, including all office locations and remote data center facilities, for as long as the facility houses the covered entity's ePHI. It also applies to the electronic information systems within these facilities. Leasing, sharing or owning a facility (or an information system, in the case of hosted services) does not exempt a covered entity from being accountable for meeting the requirements of the facility access controls standard, although the implementation can be delegated.

This standard calls for limiting physical access while ensuring that properly authorized access is allowed. The objective is to prevent unauthorized access to, damage to and interference with the business premises and the ePHI systems within. However, the level of protection will differ from facility to facility and from system to system based upon sensitivity, criticality and access requirements. For example, a central facility that houses a large volume of ePHI needs a higher level of protection than a branch office where ePHI is only accessible during normal business hours and never locally stored. Within a facility, the data center or computer room where all critical ePHI systems reside needs a higher level of protection than a user's workstation.

A covered entity applying the appropriate facility access control can use the concept of secured areas or physical security domains. Each domain or area has a well-defined physical boundary, with incremental increases in security access controls beginning at the property boundaries. These areas can be differentiated with various physical security controls, such as 'authorized employees only' signs, closed doors, locks, and badge- or PIN-controlled mantraps. A large covered entity with multiple locations and hundreds of employees needs a more granular classification system than a smaller organization. For example, a covered entity can classify its facilities and the areas within them into four domains:

  • Perimeter: where the physical security control of the covered entity ends, for example property boundaries.

  • Public Area: where the facility is physically accessible to the public, for example lobbies, loading docks, and customer service areas.

  • Private Area: which the majority of the work force, contractors and vendors can access, for example an employee's working space.

  • Restricted Area: where only authorized personnel with certain privileges who perform a critical function are allowed access, for example laboratories, computer rooms, and storage areas for sensitive materials.

A well-defined security perimeter with appropriate security barriers and entry controls that follow the physical security model of layered defense-in-depth is the key to facility access controls. The goal is to divide the facility into separate access-controlled security zones so that fewer people hold authorized access at each successive layer they enter. The data center, computer room, or telecommunications facility is a good example of such a restricted area. Critical or sensitive information processing facilities should only be housed in restricted areas. The restricted area should be physically protected with electronic, mechanical, or other commonly used door locks to prevent unauthorized access, theft, and tampering. Physical access to this area is granted based upon roles or functions and controlled with a centralized identification management system that requires all employees to use unique personal identification, i.e., badge and PIN. Physical access to systems within this area should be protected by locked equipment racks and console restrictions and monitored by a CCTV system. These safeguards put multiple obstacles in the way of anyone attempting to breach security and reach the most sensitive areas. Security breaches may be traceable to a specific person whose actions may also have been recorded.

Yet the protection provided should be proportional to and commensurate with the identified threats, vulnerabilities, and risks. A covered entity must know where ePHI is housed, how it is transmitted, and how it can be made accessible. All information assets should be classified corresponding to the security objectives of confidentiality, integrity and availability. A classification level can help set the physical security requirements for areas involved with ePHI. A classification of ePHI required in the 'application and data critical analysis' or generally implied in the security management process helps a covered entity to correctly gauge its facility access control requirements.

A covered entity needs to define the guidelines for staff who may need to work from home, from a remote office location, while traveling and using mobile devices, or in areas where many of the above facility access controls cannot be applied. The physical security requirements for off-site systems and unattended devices should be equivalent to those provided for on-site equipment used for the same purposes, while considering the risks of working outside of the covered entity's premises.

A facility access control procedure must be developed to define each step of what must be done and how it should be done, using the objectives and requirements of the facility access control policies as guidelines. For example, a procedure needs to address how facility access is requested, authorized, established, modified, revoked, monitored and evaluated. It must also specify supervisory requirements, define the escort procedures for contractors and other visitors to secured areas, and define the documentation requirements for an escorted person's date and time of entry and date and time of departure.

Developing facility access control policies and procedures is just the first of many steps that a covered entity must take to become compliant. The implementation of such policies and standards often requires some level of technical solution and work force training. Regardless of which access control and facility control systems are used, whether highly sophisticated or basic in nature, the solutions must be evaluated periodically and work force compliance must be enforced via access log reviews, incident reports, and security evaluations. It is worth noting that in many covered entities, facility management is often under a different chain of command within the corporate structure. This authority conflict must be resolved prior to the implementation of the 'Assigned Security Responsibility' standard.

To implement this standard, a covered entity can follow these steps:

  1. Develop an organizational facility access control policy:

    1. Defining facility control objectives, requirements, and,

    2. Defining roles, responsibilities, and progressive sanction actions for compliance violations, and,

    3. Appointing a site coordinator for each location if necessary.

  2. Develop detailed facility access control operational procedures:

    1. Identifying all facilities/locations where ePHI systems are located, where ePHI is transmitted, and where it is accessible, and,

    2. Defining facility security domains within each facility with respect to how ePHI is physically accessible and the associated risks, and,

    3. Identifying the facility access control technical solutions (badge, PIN, etc.) currently used or planned for each location and every security zone, and,

    4. Defining the minimal required physical access for all job functions or roles (i.e., location, areas, normal office hours, after hours, holidays, etc.), and,

    5. Defining facility access authorization, establishment, modifications and termination process, and,

    6. Defining how to supervise and escort vendors, visitors, temporary employees, facility maintenance staff, and,

    7. Defining technical or physical controls that are used to prevent unauthorized access; and,

    8. Defining how facility access violations will be detected , reported and sanctioned.

  3. Implement this policy and procedures:

    1. Designing and implementing technical solutions: facility access control systems, access intrusion detection systems, and,

    2. Providing detailed hands-on training for facility access control personnel, and,

    3. Providing general physical security awareness training for the entire work force including contractors; and,

    4. Implementing ongoing inspections and evaluations by conducting walkthroughs of the perimeter and facility.

Additionally, each covered entity must evaluate whether, and decide how, to implement the four 'addressable' implementation specifications in order to be fully compliant. The policies and procedures defined under facility access controls should, at a higher level, set the criteria and rationale for each specification requiring implementation. Contingency Operations and Access Control and Validation Procedures are direct subsets of facility access controls for a specific situation. The 'Facility Security Plan' and 'Maintenance Record' deal with the planning and record retention aspects of facility access controls.

Smaller covered entities are less likely to need sophisticated security measures than larger covered entities. Smaller covered entities are likely to have smaller physical facilities (often leased or shared), smaller work forces, smaller and less complex information systems, and smaller amounts of ePHI. Consequently, they face fewer facility access threats, exposures and risks. The smaller amount of risk involved means that the response to that risk can be developed on a smaller scale than that for larger organizations. It is possible that a small practice, with one or more individuals equally responsible for establishing and maintaining facility access, will not need to establish complex policies and procedures for granting access because the access rights are equal for all of the individuals. However, the same entity may still need to address some of the implementation specifications, such as visitor control, in some form. It is possible but very unlikely that a smaller covered entity will not need to implement any of the 'addressable' specifications. Nevertheless, although a covered entity may determine that an implementation specification is not needed to meet the standard, it still has the obligation to document the rationale and decision in relation to its risks.

12.2.1 Contingency Operations (Addressable)

Implementation Specification: Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

The 'Contingency Operations' specification is closely related to the Contingency Planning standard. Contingency planning defines what is needed and what must be done for disaster recovery and emergency mode operations. Contingency operations under the physical safeguards section define the physical operational process that provides appropriate access to, and prevents unauthorized access to, the facility, ePHI systems and media while the contingency plans for an emergency are being carried out. What constitutes disaster recovery and emergency mode operations must be defined in the contingency planning.

A covered entity must first assess the need to define detailed procedures that provide guidelines for accessing facilities in the event of an emergency. The procedures should address how access to ePHI is restricted to only authorized individuals during restoration operations. For example, the plan should specify that, where feasible, only recovery team leaders or designated individuals for a particular system should gain entry into the data center or computer room to restore a system from backup tapes. This procedure should address all facility, system and media access needed to support restoration of lost data. Although facility and media access might be the same for all systems if there is only one data center and one tape storage location, emergency access to systems may differ. Media access needs include access to the media library, off-site tape storage, online storage (SAN or NAS), emergency boot disks, etc. Further, this procedure should also include how unauthorized accesses can be detected and prevented. Although this specification cannot realistically be exercised unless an emergency occurs, a covered entity can evaluate it with tests and mock drills.

A small covered entity may not need to implement this implementation specification. Alternatively, it can develop a simple procedure to state that all personnel including part-time technicians will need equal access to office and media to restore business applications.

To implement this specification:

  1. Develop a formal facility access contingency operations procedure:

    1. Defining the situation and criteria to trigger disaster recovery plan and/or emergency mode operations, and,

    2. Defining the level of access required to the facility, information systems, workstations, and backup media under emergency situations, and,

    3. Defining who would need these accesses and how these access requests will be granted, for instance pre-authorized, and,

    4. Defining how this access will be monitored and reviewed to prevent abuse and access violations, and,

    5. Defining how these accesses will be revoked and terminated once normal operation status is resumed.

  2. Implement this procedure:

    1. Providing training for emergency response staff and facility access management staff, and,

    2. Validating that facility access control systems (badge, Honeywell, etc.) are capable of emergency procedure operation, and,

    3. Maintaining adequate staff, or having access to adequate staff, to execute any defined contingency operations processes.

12.2.2 Facility Security Plan (Addressable)

Implementation Specification: Implement policies and procedures to safeguard the facility and equipment therein from unauthorized physical access, tampering, and theft.

A facility security plan establishes how a covered entity's facility will comply with all the policies, procedures and guidelines required under the facility access controls section. Each covered entity must first assess the need to adopt policies and procedures that delineate all the activities related to securing the covered entity's physical facility. The assessment of business needs should be based on an 'accurate and thorough' analysis of the threats, vulnerabilities, probabilities, impacts and levels of risk related to unauthorized access, tampering and theft that could eventually lead to breaches of ePHI confidentiality, integrity and availability. A security survey and audit of existing facility practices can help a covered entity discover its security gaps and validate whether a facility security plan is needed. For instance, perform a walk-through of the building perimeter, interior and data center to assess physical security controls and identify control weaknesses, or check the building property and identify exposures that would allow unauthorized access through windows, doors, loading docks, vents, air shafts, and roof or basement entries.

This implementation specification needs to address the protection of both the facility and the equipment located within it. In particular, it should discuss facility security program requirements, components, organization, roles and responsibilities, security inspections and evaluations, security risk assessments, vulnerable areas, security domains, restricted areas, security measures, general access to premises, policy for passes and badges, least privilege access entry, keys, locks and centralized controls, personnel recognition and identification, security surveillance and monitoring, and a security guard program.

A covered entity needs to define the scope of the security plan, such as listing buildings, secured areas, information systems facilities, and equipment. A facility security plan generally includes definition of facilities, physical security objectives and requirements, a list of acceptable security controls, procedures during emergency mode operations, periodic testing of security measures that have been implemented, and periodic review of the physical access lists. This plan should include monitoring (i.e., surveillance cameras, motion and door sensors, environmental monitoring equipment, and computer operations center controls), environmental controls (air conditioning, smoke detection and fire suppression systems), and entrance/exit controls (visitor sign-in log, picture identification and/or card access badges, and security guards).

The security perimeter should be clearly defined in the plan. Physical protection can be achieved by creating several physical barriers around the business premises and information processing facilities. Each barrier establishes a security perimeter and adds to the total protection. Covered entities should use security perimeters to protect areas that contain ePHI processing facilities. A security perimeter may be a boundary identified by a barrier, e.g. a wall, a card-controlled entry gate or a manned receptionist's desk. The placement and strength of each barrier should follow from a risk assessment.

The perimeter of a building containing ePHI processing systems should be physically sound. A manned reception area or other method of controlling access to the facility should be in place. Access to the facility and the systems within should be restricted to authorized personnel only. Physical barriers should, if necessary and feasible, be extended from real floor to real ceiling to prevent unauthorized entry and environmental contamination. All fire doors on a security perimeter should be alarmed and designed to close quickly. Restricted areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

Wherever a covered entity leases space or shares space within a building with other organizations, the covered entity retains responsibility for facility security. The facility security plan should consider how to prevent unauthorized access by other parties in the same facility. Facility security measures taken by a third party (building management, owner, etc.) must be evaluated and documented in the covered entity's facility security plan.

The use of an external contractor to manage information-processing facilities may introduce potential security exposures, such as the possibility of compromise, damage, or loss of data at the contractor's site. These risks should be identified in advance, and appropriate controls agreed upon with the contractor and incorporated into the contract. Particular issues that should be addressed include: identifying sensitive or critical applications better retained in-house, implications for business continuity plans, security standards to be specified, the process for measuring compliance, allocation of specific responsibilities and procedures to effectively monitor all relevant security activities, and responsibilities and procedures for reporting and handling security incidents.

Covered entities can follow these steps to implement this requirement:

  1. Develop a facility security plan policy:

    1. Defining facility security objectives and requirements for the plan, and,

    2. Defining the roles and responsibilities of the facility security organization, and,

    3. Defining the plan's submission, approval, implementation and re-evaluation requirements.

  2. Develop a facility security plan procedure:

    1. Identifying potential threats and risks to facility security (unauthorized access, tampering and theft), and,

    2. Identifying facility access control requirements (security monitoring, environmental controls, exit/entrance control, etc.), and,

    3. Defining a process for periodic testing of physical security systems and review of access lists.

  3. Implement facility security plan policies and procedures:

    1. Developing a facility security plan, and,

    2. Implementing, testing and revising this plan.

12.2.3 Access Control and Validation Procedures (Addressable)

Implementation Specification: Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revising.

The Access Control and Validation Procedures implementation specification is a detailed subset of the facility access control procedures. Depending upon the level of detail in its facility access control procedures, each covered entity must first assess the need for procedures on how to control and validate appropriate physical access to a facility, its restricted areas and the software programs used for testing and revising. The physical security control and validation procedures should be established to address the security risk in each area.

The appropriate level of access, based upon a role's or function's minimal need for ePHI, must be defined for individuals or classes of employees, vendors, contractors and visitors, and may include facility maintenance personnel. Access privileges can be restricted to an authorized facility, certain designated areas, and specified systems. They can also be restricted to work dates and hours, off-hours and holidays. All personnel within a facility where ePHI is accessible should wear personally identifiable badges or ID cards. Piggybacking at badge-controlled doors should not be allowed, and a violation should be reported as a security incident. Visitors, contractors, vendors and maintenance personnel should be cleared, escorted and supervised at all times.

A covered entity can choose a manual or technical access validation security measure after considering the volume of access needed. For example, the receptionist should ask for a picture ID to validate that someone is who he or she claims to be. All physical access badges should carry a picture for personal identification and a bar code for access rights. Validation should occur when access is requested, authorized and coded in the system. It can also be real-time, when the access is actually used and the request is sent to a centralized control system for validation. Validation should also be applied when physical access is reviewed, modified and revoked. The following controls should be considered:

  • Physical access to ePHI processing facilities should be controlled and restricted to authorized personnel only.

  • All personnel access should be authorized and validated with authentication controls, e.g. swipe card plus PIN.

  • All personnel should be required to wear visible identification and unescorted strangers and anyone not wearing visible identification should be challenged and reported.

  • An audit trail of all access should be securely maintained and access rights should be regularly reviewed and updated.

  • Visitor access should only be granted for specific and authorized purposes and instructions on the security requirements of the restricted areas and on emergency procedures should be provided.

  • A covered entity should supervise, clear and escort all visitor access and document their date and time of entry and departure.

  • A manned reception area or other means to control physical access to the site or building should be in place.

  • Physical access to software, development tools for testing and revising, and related system documentation should be controlled and secured in a file cabinet or a tape library.
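The role- and time-based access decisions, the centralized badge-plus-PIN validation and the audit trail review described above, together with the pre-authorized emergency-mode access of 12.2.1, as an added Python example that is not part of the book or of any vendor's badge system; the four zones follow the book's domains, while the roles, badge IDs, PINs and event timestamps are all constructed:

```python
"""Layered facility access decisions plus audit-log review (added example, not from the book).
Models the four security domains, role grants limited to days and hours, badge-plus-PIN validation
at a central control point, an audit trail, and pre-authorized emergency-mode access that is
revoked when normal operations resume. Every role, badge, PIN and event below is constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set

ZONES = ("perimeter", "public", "private", "restricted")   # a grant for a zone implies the zones before it
# A window is (permitted weekdays, first hour inclusive, last hour exclusive); None means any time.
BUSINESS_HOURS = ({0, 1, 2, 3, 4}, 7, 19)                   # Mon-Fri 07:00-19:00
ROLE_POLICY = {                                             # role -> (highest zone reachable, window)
    "visitor": ("public", BUSINESS_HOURS),                  # beyond the lobby only when escorted
    "clinician": ("private", BUSINESS_HOURS),
    "sysadmin": ("restricted", None),
}

def pin_digest(pin: str, salt: bytes) -> bytes:
    """Store PINs only as salted PBKDF2 digests; compare digests, never plain PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class Badge:
    holder: str
    role: str
    salt: bytes
    digest: bytes
    active: bool = True          # False once the badge is revoked

@dataclass
class AccessEvent:
    when: datetime
    badge_id: str
    zone: str
    granted: bool
    reason: str

@dataclass
class ControlSystem:
    badges: Dict[str, Badge]
    recovery_team: Set[str]       # badge ids pre-authorized for contingency operations
    emergency_active: bool = False
    audit: List[AccessEvent] = field(default_factory=list)

    def _log(self, when, badge_id, zone, granted, reason) -> bool:
        self.audit.append(AccessEvent(when, badge_id, zone, granted, reason))
        return granted

    def request(self, badge_id: str, pin: str, zone: str, when: datetime) -> bool:
        """Decide one door request; every outcome, granted or not, lands in the audit trail."""
        badge = self.badges.get(badge_id)
        if badge is None or not badge.active:
            return self._log(when, badge_id, zone, False, "unknown or revoked badge")
        if not hmac.compare_digest(pin_digest(pin, badge.salt), badge.digest):
            return self._log(when, badge_id, zone, False, "pin mismatch")
        if self.emergency_active and badge_id in self.recovery_team:
            return self._log(when, badge_id, zone, True, "emergency-mode grant")
        top_zone, window = ROLE_POLICY[badge.role]
        if ZONES.index(zone) > ZONES.index(top_zone):
            return self._log(when, badge_id, zone, False, f"{badge.role} not cleared for {zone}")
        if window is not None:
            days, start, end = window
            if when.weekday() not in days or not start <= when.hour < end:
                return self._log(when, badge_id, zone, False, "outside permitted hours")
        return self._log(when, badge_id, zone, True, "role grant")

    def review_audit(self, repeat_threshold: int = 3) -> Dict[str, List[str]]:
        """Periodic access-log review: repeated denials per badge and every emergency-mode grant."""
        findings: Dict[str, List[str]] = {"repeated_denials": [], "emergency_grants": []}
        denials: Dict[str, int] = {}
        for ev in self.audit:
            if ev.granted and ev.reason == "emergency-mode grant":
                findings["emergency_grants"].append(f"{ev.when:%Y-%m-%d %H:%M} {ev.badge_id} -> {ev.zone}")
            elif not ev.granted:
                denials[ev.badge_id] = denials.get(ev.badge_id, 0) + 1
        for bid, n in denials.items():
            if n >= repeat_threshold:
                findings["repeated_denials"].append(f"{bid}: {n} denials")
        return findings

def demo_scenario() -> ControlSystem:
    """Constructed scenario: a clinician who is the designated recovery lead, across one emergency."""
    salt = b"constructed-salt"
    cs = ControlSystem(
        badges={"B-100": Badge("A. Clinician", "clinician", salt, pin_digest("4321", salt)),
                "B-200": Badge("S. Admin", "sysadmin", salt, pin_digest("8765", salt))},
        recovery_team={"B-100"})
    cs.request("B-100", "4321", "private", datetime(2024, 3, 5, 9, 0))      # Tue 09:00: role grant
    cs.request("B-100", "4321", "restricted", datetime(2024, 3, 5, 9, 5))   # denied: role not cleared
    cs.emergency_active = True                                               # disaster recovery declared
    cs.request("B-100", "4321", "restricted", datetime(2024, 3, 5, 23, 0))  # emergency-mode grant
    cs.emergency_active = False                                              # normal operations resumed
    cs.request("B-100", "4321", "restricted", datetime(2024, 3, 6, 9, 0))   # denied again
    return cs
```

Running `demo_scenario().review_audit(repeat_threshold=2)` lists the two denials for B-100 and the single emergency-mode grant, which is exactly the material the access log review and the post-emergency revocation check in 12.2.1 are meant to surface.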

A covered entity can follow these steps:

  1. Develop a formal facility access control and validation procedure:

    1. Defining access authorization, control and validation requirements, and,

    2. Defining minimal needed physical access for all personnel access based upon their roles or functions, and,

    3. Defining procedures to verify access authorization before granting physical access to a restricted area, and,

    4. Defining security services personnel (guards and operators) operating procedures for normal business hours, off-hours, and emergency situations, and,

    5. Defining procedures to validate, review and ensure that users only have physical access to those areas and systems/data required by their jobs, and,

    6. Defining procedures to authorize and escort vendor, contractor and visitor access, and,

    7. Defining procedures to restrict access to systems and software for testing and revising to authorized personnel.

  2. Implement this procedure:

    1. Providing training for facility access management personnel (guards, receptionists, access management staff, etc.), and,

    2. Providing awareness education for the entire work force on appropriate facility access and vendor/visitor control and validation, and,

    3. Surveying and reviewing these procedures to ensure they are working properly.

12.2.4 Maintenance Records (Addressable)

Implementation Specification: Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example, hardware, walls, doors, and locks).

This addressable specification is a documentation requirement for physical security configuration change control. Each covered entity must first assess the need to implement policies and procedures to ensure that facility repairs and modifications are documented and the records maintained. If a covered entity shares or leases office space, it may not need to initiate, supervise and document these changes itself. It could obtain and maintain a copy, or could require the building owner to maintain such documentation.

A covered entity should define what changes in the facility's physical components are related to security, for example:

  • security domain changes in perimeter, public, private and restricted areas;

  • physical access barrier changes in walls, ceilings or floors that may affect physical access;

  • facility security configuration changes in badges, escort/visitor controls, and emergency procedures;

  • environmental/life safety controls, changes in the facility's power, UPS, firewall, and fire detection and suppression, HVAC consideration, water leakage, toxic materials, etc;

  • facility entry control changes in security guards, gates, mantraps, biometric access control systems, locks, safes, file cabinets and locked racks; and

  • intrusion detection monitoring and alarm changes in CCTV, motion detectors, metal/radiation/explosive detectors, sensors and alarms.

If a covered entity decides not to retain all facility maintenance records, it should define which records must be kept or made available. For example, a maintenance records policy can state that all facility and system maintenance that triggers facility security changes must be documented and maintained in accordance with the documentation retention standards set by the policies, procedures and documentation section of the HIPAA security rule. A procedure then specifies what information should be captured, such as who proposes and plans the maintenance, who authorizes and supervises it, who performs it, and the details of the maintenance activities that may change the facility's security. Additionally, the procedure should require that a security evaluation or risk analysis be performed both before and after maintenance.

Further, maintenance records should be protected from loss, destruction and falsification. If these records are retained on electronic storage media, consideration should be given to the possibility of degradation of the media used. To safeguard against loss due to future technology changes in media readers and format readability, procedures should be included to ensure the technical capability of accessing the data throughout the retention period. Record maintenance systems should be chosen such that all required records can be retrieved within an acceptable timeframe and in an acceptable format. The procedure should ensure clear identification of records and of their statutory or regulatory retention period in the storage system. It should permit appropriate destruction of records after the retention period has expired.

To meet these obligations, the following steps should be taken within an organization:

  1. Develop a formal facility maintenance record policy:

    1. Defining the covered entity's security objectives and requirements for maintenance records, and,

    2. Defining an organizational structure, roles and responsibilities.

  2. Develop a formal facility maintenance record procedure:

    1. Identifying the components of the facility that are related to physical security and the types of repairs and modifications that will trigger changes in the facility's security plan, and,

    2. Identifying the documentation requirements (authorization, project plan, detailed activities performed, and the parties involved with the change), and,

    3. Defining operational processes for records retention, storage, handling and disposal, and,

    4. Defining appropriate controls that should be implemented to protect essential maintenance records from loss, destruction and falsification, and,

    5. Evaluating whether security risks and threats created by this maintenance require additional facility access control changes.

  3. Implement Facility Maintenance Record Policy and Procedure:

    1. Providing detailed training for building maintenance personnel, and,

    2. Providing detailed training for any third party vendors if necessary.


HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181