12.6 SUMMARY

Physical security refers to the practices, technologies and services used to protect the physical facility that houses ePHI, the general operating location, and the support facilities that underpin the operation of the information systems.

Accordingly, physical safeguards need to be considered for information resources residing in static facilities (such as buildings), mobile facilities (such as computers mounted in vehicles), and portable facilities (equipment housed in transit). Appropriate physical safeguards need to be established based on the risks related to geographic location, including natural threats (such as flooding), man-made threats (such as burglary or civil disorder), and threats from nearby activities (such as toxic chemical processing or electromagnetic interference). Lastly, physical safeguards need to ensure that support services such as electric power, heating, and air conditioning can be sustained at the levels the information resources require.

Physical security safeguards provide a first line of defense for ePHI resources against physical damage, tampering, theft, unauthorized disclosure of information, loss of control over system integrity, and interruption of computer services. Physical safeguards can be implemented in many ways. For example, physical access controls may be used to restrict and monitor the entry and exit of personnel to and from a room, a data center, or a building. Physical access controls range from badges and locks to retinal-scan identification devices and vibration detectors. Physical access controls need to be considered for the areas containing system hardware, as well as for the areas that house network wiring, electric power, backup media, source documents, and similar assets. The challenge for many covered entities is to find a solution, technical, administrative, or a combination of both, that is reasonable, appropriate, practical and sustainable. A covered entity should not look to technology as a silver bullet for meeting physical security requirements: management commitment and sufficient workforce education and training are always the most critical success factors in compliance projects.

Successful implementation of physical safeguards is closely related to the other standards under the administrative safeguards. For example, physical safeguards should be based upon the risk analysis and risk management processes. Information system activity review applies to any systems that implement physical security controls, such as badge readers and their access logs. The sanction policy applies if a violation is detected and reported through the security incident procedures. The security official assigned security responsibilities can delegate functions and tasks for physical security. Facility access control is tied to workforce security and information access management when a centralized access system is used. Security awareness and training programs should include training on all aspects of the physical safeguards that employees are expected to follow. Contingency planning must include contingency operations for the facility. Implementation of all physical safeguards should be evaluated to determine their effectiveness and their capability to maintain compliance in an ever-changing environment.

Physical safeguards should also be tied to the technical safeguards as a matter of sound business practice. If a large covered entity implements an inventory system, a bar-code asset tracking system and a centralized badge/PIN access system, then the principles of unique user identification, audit controls, integrity, authentication, and transmission security become an integral part of the total solution.
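The paragraph above notes that a centralized badge/PIN system brings unique user IDs and audit controls into physical security, and the earlier paragraph notes that information system activity review then applies to that system's logs. As an added illustration (not code from the book, and not any vendor's badge-system API), the following script reviews a constructed badge-reader log for the findings a reviewer would look for: a badge entering a door it is not authorized for, denied attempts, after-hours entry, and anti-passback violations (a badge entering twice without an exit, which is the usual sign of tailgating or badge sharing). The log format, door name, badge IDs, authorization list and business hours are all assumptions for the example.

```python
"""Badge-reader log review: authorization, after-hours and anti-passback checks.

Added example for this summary; the log format and all identifiers are
assumptions, not taken from the book or from any real badge system.
"""
from __future__ import annotations

from datetime import datetime, time
from typing import NamedTuple

# Constructed sample log (not real data). One event per line:
#   <ISO-8601 timestamp> <badge id> <door id> <IN|OUT> <GRANTED|DENIED>
SAMPLE_LOG = """\
2003-05-12T08:01:10 B1001 DC-EAST IN GRANTED
2003-05-12T08:03:44 B1002 DC-EAST IN GRANTED
2003-05-12T08:04:02 B1002 DC-EAST IN GRANTED
2003-05-12T09:15:30 B1001 DC-EAST OUT GRANTED
2003-05-12T10:00:00 B1005 DC-EAST IN GRANTED
2003-05-12T22:40:05 B1003 DC-EAST IN GRANTED
2003-05-12T22:41:00 B1004 DC-EAST IN DENIED
2003-05-13T03:10:12 B1001 DC-EAST IN GRANTED
"""

# Assumed authorization list: door id -> badges allowed through it.
# In practice this comes from the workforce security / access management records.
AUTHORIZED: dict[str, set[str]] = {"DC-EAST": {"B1001", "B1002", "B1003"}}

# Assumed business hours for the facility, local time.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


class Event(NamedTuple):
    ts: datetime
    badge: str
    door: str
    direction: str  # "IN" or "OUT"
    result: str     # "GRANTED" or "DENIED"


class Finding(NamedTuple):
    kind: str
    badge: str
    door: str
    ts: datetime


def parse_log(text: str) -> list[Event]:
    """Parse the assumed five-field log format; blank and '#' lines are skipped."""
    events: list[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, badge, door, direction, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), badge, door, direction, result))
    return events


def review(events: list[Event],
           authorized: dict[str, set[str]],
           hours: tuple[time, time] = BUSINESS_HOURS) -> list[Finding]:
    """Walk the log in time order and emit review findings.

    Kinds emitted:
      denied                   - reader refused the badge (attempt worth a look)
      granted_but_unauthorized - reader let through a badge not on the door's list
                                 (badge-system configuration drifted from policy)
      after_hours              - entry outside business hours
      passback                 - badge entered while already recorded inside
      exit_without_entry       - badge exited with no recorded entry
    """
    start, end = hours
    inside: dict[str, set[str]] = {}   # door -> badges currently recorded inside
    findings: list[Finding] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.result == "DENIED":
            findings.append(Finding("denied", ev.badge, ev.door, ev.ts))
            continue  # a denied swipe does not change who is inside
        if ev.badge not in authorized.get(ev.door, set()):
            findings.append(Finding("granted_but_unauthorized", ev.badge, ev.door, ev.ts))
        occupants = inside.setdefault(ev.door, set())
        if ev.direction == "IN":
            if not (start <= ev.ts.time() < end):
                findings.append(Finding("after_hours", ev.badge, ev.door, ev.ts))
            if ev.badge in occupants:
                findings.append(Finding("passback", ev.badge, ev.door, ev.ts))
            occupants.add(ev.badge)
        elif ev.direction == "OUT":
            if ev.badge not in occupants:
                findings.append(Finding("exit_without_entry", ev.badge, ev.door, ev.ts))
            occupants.discard(ev.badge)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, for the activity-review report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG), AUTHORIZED):
        print(f"{f.ts.isoformat()} {f.door} {f.badge}: {f.kind}")
```

The anti-passback state is kept per door and is only updated by granted swipes, so a denied attempt neither counts the badge as inside nor masks a later real entry. Badges still recorded inside at the end of the review window are a separate question the reviewer should ask of the same data; the example keeps that state in `inside` but does not report it.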




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181
