The US Department of Health and Human Services’ Office of Civil Rights published its August 2018 cybersecurity newsletter focusing on security considerations in the receipt, removal, and movement of electronic media and devices. These devices include laptops, smartphones, servers, desktops, and tablets as well as electronic storage devices, such as hard drives, USB drives, CDs and DVDs, tapes, and memory cards.
These devices and media are commonly used by many health care organizations to process, transmit, and store sensitive protected health information (PHI). Those who have physical access to these devices and media could potentially change configurations or information, install malicious programs, or access sensitive information––all of which could adversely affect the confidentiality, integrity, or availability of PHI.
The OCR reminded covered entities that they must implement policies and procedures governing the movement of hardware and electronic media containing electronic PHI (ePHI) in and out of an organization’s facility as well as internally to reduce the risk of loss, theft, and potential PHI breaches.
Health care organizations should consider the following questions when developing policies and procedures regarding device and media controls:
- Is there a record that tracks the location, movement, modifications, repairs, and disposition of devices and media throughout their lifecycles?
- Does the organization’s record of device and media movement include the individuals responsible for these devices and media?
- Are workforce members, including management, trained on the proper use, transportation, and handling of devices and media to safeguard ePHI?
- Are appropriate technical controls, such as access controls, audit controls, and encryption, in use?
HIPAA covered entities and business associates are required to have a security-management process in place that includes conducting a risk analysis and implementing a risk-management process to reduce risks and vulnerabilities. Asset inventory and tracking can help organizations identify, analyze, and manage risks associated with the devices and media used within their environments. Device and media inventory and tracking controls can also help organizations respond to and recover from security incidents and breaches. An organization’s risk analysis and risk-management processes should guide it to identify and implement its approach to appropriate device and media controls.
If you have questions regarding the content of this blog post, please contact Fran Ciardullo, special counsel, at fciardullo@barclaydamon.com, or another member of the firm’s Health Care & Human Services Practice Area.