Securing electronic media and devices—advice from OCR

September 14, 2018
Medicare Web

The Office of Civil Rights (OCR) offered considerations to healthcare organizations for securing electronic devices in its August Cybersecurity Newsletter.

Because electronic devices and media are used to process, store, and share electronic personal health information (ePHI), healthcare organizations need to ensure that their devices are functional and secure.

In the newsletter, OCR reminds HIPAA covered entities (CE) and business associates (BA) that they are required to implement policies and procedures that limit physical access to electronic information systems and the facilities in which they are housed. CEs and BAs must also limit the personnel who have physical access to electronic information systems and have policies and procedures in place for moving devices into, out of, and within the organization’s facilities.

To develop policies and procedures that reduce the risk of loss, theft, and the potential of an ePHI breach, OCR recommends that organizations ask the following questions:

  • Are appropriate technical controls (e.g., access controls, audit controls, and encryption) in use?
  • Are workforce members (including management) trained on the proper use and handling of devices and media to safeguard ePHI?
  • Does the organization’s record of device and media movement include the person(s) responsible for securing devices and media?
  • Is there a record that tracks the location, movement, modification or repairs, and disposition of devices and media throughout their lifecycles?

Policies and procedures for tracking devices and performing inventory management will vary according to an organization’s size, so OCR recommends using risk management processes to identify and implement appropriate device controls.

Organizations are already required under HIPAA to have a security management process in place, which includes risk management. OCR recommends asset inventory and tracking be included in that process to help organizations identify, analyze, and manage risks associated with the physical security of their electronic devices and media.
