As we discussed in the previous blog, a cyber security policy is crucial for any facility operating within the LTPAC industry. It is vital that there is a policy in place to deal with security issues and standards surrounding hardware, software, patient files, employee records, payment information, and internal communications.
The First, and Simplest, Safeguard
While “anti-virus software” and “firewalls” may be the first terms that come to mind when dealing with cyber security, other safeguards must be in place before those technical controls are established. The first step, and often the most overlooked, is the simplest: ensuring the physical security of your electronic assets and data.
Physical security typically deals with physical assets such as computer terminals, laptops, printers, thumb drives, shredding machines, CD-ROMs, and printed materials or records. It is vital that you include measures in your cyber security policy to support the security of this type of property.
Protecting your Physical Assets
Protecting your physical electronic assets and printed records isn’t just a smart move; it is also required of all medical facilities under the HIPAA Security Rule and its standards. According to HIPAA, “Physical safeguards are physical measures, policies and procedures to protect and secure a covered entity’s electronic information systems. The safeguards are focused on protecting electronic information systems and related buildings and equipment from natural hazards, environmental hazards, and unauthorized intrusion.”
Physical safeguard components include, but are not limited to, such measures as:
- Locking up offices, workspaces, file rooms, or other unoccupied rooms at the end of the day or when they are not in use
- Turning off computers when not in use
- Ensuring that only employees have access to workstations and other equipment (printers, faxes, tablets, etc.)
- Installing an alarm system or video surveillance system
- Installing a physical lock on laptops containing sensitive data (a password may not be enough)
- Routinely checking your external cable box to make sure that no one has spliced your cable in an attempt to steal it
- Ensuring that all keys to offices, file cabinets, laptops, etc. are returned upon an employee’s termination with the facility
- Using a reputable shredding company for sensitive document shredding
- Creating a policy to support the aforementioned objectives
For further information on the specific HIPAA physical safeguard standards and measures, refer to the HIPAA Security Rule guidance. As always, you may have to add further physical safeguards to your cyber security plan based on the layout of your facility, the equipment in your facility, and other factors.
The next three blogs will cover the remaining elements of a comprehensive cyber security policy and will also provide resources for LTPAC managers and professionals:
- Developing and implementing administrative safeguards
- Developing and implementing technical safeguards
- Developing a contingency plan in the event of a cyber breach or attack