12.4 WORKSTATION SECURITY

Standard: Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

To ensure proper workstation use, all workstations should be protected from physical security threats and from environmental and natural hazards. One of the greatest security risks lies at the computer workstation, and all users must take the necessary actions to safeguard equipment and the ePHI accessible through it and to prevent its improper use or damage. These security risks are often associated with the applications and operating systems running on a particular workstation; they can also be associated with the physical attributes of the station or the surroundings in which it resides.

In conjunction with the standard for workstation use, a covered entity should deploy sufficient physical and technical safeguards to protect its workstations. Physical safeguards to consider include securing the workstation to its location to prevent unauthorized physical access, requiring cable locks for all laptops, positioning the screen away from unauthorized viewers, securing unattended equipment in protected areas where possible, and using a tracking mechanism such as a barcode system.

Technical safeguards to consider include monitoring system logons and logoffs, implementing malicious-software protection (i.e., antivirus and anti-spyware), implementing personal firewalls for sensitive workstations in the facility and for all workstations that remotely access the corporate internal network, and requiring a form of device or file encryption for mobile devices and laptops. A covered entity can assess the need to avoid storing ePHI locally on a workstation, periodically purge cached temporary files from secured systems, and implement password-protected screen savers that are invoked after a specified period of inactivity. Consider the need to implement workstation security that adequately protects network access, remote access, wireless access, mobile connections, shared workstations and workstations with Internet connections. This is especially important in public buildings, provider locations, and other areas with heavy pedestrian traffic.

The challenge for workstation security is to evaluate the trade-offs between workstation accessibility and protection of protected health information. Ideally, workstations used to access protected health information would be located only in secured areas, but this may be unacceptable and counterproductive. In those cases, consider additional controls such as physical devices to limit viewing, timeout/lockout of individual sessions, use of password-protected screen savers, and other procedures that provide adequate security.

Further, consideration must be given to the security and business implications of interconnecting such facilities: including or excluding categories of sensitive business information if the system does not provide an appropriate level of protection, authorizing only specific categories of staff, contractors or business partners to use the system, and specifying the locations from which it may be accessed.

To implement this standard, a covered entity can follow these steps:

  1. Establish a formal and sustainable workstation security process:

    1. Classify all workstations into classes based upon their level of access to ePHI.

    2. Identify the technical and physical security requirements for each class of workstation.

    3. Employ safeguards as determined by exposure to factors such as workstation location, connectivity and accessibility.

    4. Establish workstation location criteria to preclude passerby access or minimize the possibility of unauthorized access to ePHI.

    5. Define security monitoring services to detect and report unauthorized access.

    6. Establish workstation inactivity timeouts by using timed, password-protected screen savers.

    7. Consider the use of proximity detectors to reduce exposure of unattended workstations.

    8. Provide training for the work force to implement this process for all the equipment within their care.
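As an added illustration of steps 1 through 6 (not code from the book), the script below checks a workstation inventory against the safeguards required for each ePHI-access class and reports the gaps, treating an unclassified workstation as a gap in its own right. The class names, control names, timeouts and the inventory are constructed assumptions for the demonstration, not values the standard prescribes.

```python
# Added example, not from the book: check a workstation inventory against the
# safeguards required for its ePHI-access class. Class names, control names,
# timeouts and the inventory below are constructed for the demonstration.

# Longest acceptable inactivity timeout (seconds) before the screen saver locks.
MAX_IDLE_LOCK = {"no_ephi": 900, "onsite_ephi": 600, "mobile_ephi": 300}

# Technical and physical controls each class must show.
REQUIRED_CONTROLS = {
    "no_ephi": {"antivirus"},
    "onsite_ephi": {"antivirus", "logon_audit", "privacy_screen", "secured_to_desk"},
    "mobile_ephi": {"antivirus", "logon_audit", "disk_encryption", "personal_firewall",
                    "cable_lock", "no_local_ephi", "asset_tag"},
}


def check_workstation(ws):
    """Return the findings for one workstation; an empty list means it meets its class."""
    name, cls = ws["name"], ws.get("class")
    if cls not in REQUIRED_CONTROLS:
        # Step 1 requires every workstation to be classified before it can be assessed.
        return [f"{name}: unclassified (class={cls!r})"]
    findings = []
    idle = ws.get("idle_lock_seconds", 0)
    if idle <= 0:
        findings.append(f"{name}: password-protected screen saver disabled")
    elif idle > MAX_IDLE_LOCK[cls]:
        findings.append(f"{name}: idle lock {idle}s exceeds {MAX_IDLE_LOCK[cls]}s for {cls}")
    for control in sorted(REQUIRED_CONTROLS[cls] - set(ws.get("controls", ()))):
        findings.append(f"{name}: missing {control}")
    return findings


def audit(inventory):
    """Map each non-compliant workstation name to its findings."""
    return {ws["name"]: f for ws in inventory if (f := check_workstation(ws))}


# Constructed inventory: one compliant host and three with different gaps.
INVENTORY = [
    {"name": "nurse-station-1", "class": "onsite_ephi", "idle_lock_seconds": 600,
     "controls": {"antivirus", "logon_audit", "privacy_screen", "secured_to_desk"}},
    {"name": "lobby-kiosk", "class": "no_ephi", "idle_lock_seconds": 0,
     "controls": {"antivirus"}},
    {"name": "md-laptop-7", "class": "mobile_ephi", "idle_lock_seconds": 900,
     "controls": {"antivirus", "logon_audit", "cable_lock", "asset_tag"}},
    {"name": "billing-pc-3", "idle_lock_seconds": 600, "controls": set()},
]

if __name__ == "__main__":
    for findings in audit(INVENTORY).values():
        print("\n".join(findings))
```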


HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181