PHYSICAL SECURITY
1. Inventory of Information Technology Physical Devices.
The IT personnel shall maintain and update an inventory of all information technology physical devices being used in the facility. The inventory shall include but not be limited to, on premise server equipment, firewall and security devices, client workstations, network devices, mobile devices, biometric and authentication devices, as well as other present and future information technology devices that may be relevant for the purposes of PHIE.
2. Access to Physical Infrastructure
Access to the IT physical infrastructure of the health facility shall be limited to authorized personnel, which will be defined by the participating health care provider. Any special access to the physical infrastructure shall be documented thoroughly. Any unauthorized access to the IT physical infrastructure shall also be documented and escalated to the appropriate decision makers for further investigation and action.
2.1. Server Access. The health facility may choose to have either an on premise server, a cloud server environment, or a combination of the two. Cloud technology is discussed separately under the cloud services section of this document. Should the health facility choose an on premise server, it shall provide a designated area for the housing of servers or data centers. It shall be a separate room from the data collection and processing as well as from the office of the IT personnel. The server room shall be marked as “Restricted” and shall only be accessible to authorized personnel. The server room shall comply with the physical security ISO 27001 standards.
2.2. Computer Access. Pre-deployment site assessment shall be conducted prior to installation of computer workstations in the health facility. Computers shall be accessible to authorized personnel only and role-based system access shall be implemented. Each user shall have on account only. Multiple accounts per user are not allowed. A person requesting for access to a computer shall fill-out a request form.
Anti-glare filters on computer monitors shall be installed. This will not only help reduce glare, but also prevent anyone from seeing what is on the screen unless directly in front of the computer.
2.3. Computer Loss. In case of computer loss, the accounts in the computer system shall be reset and deactivated until it is retrieved or reported. The privacy officer shall implement security incident procedures and contingency plans for such events.
3. Bringing of devices outside the health facility. Facility-registered devices shall not be brought outside the premises of the health facility except under circumstances where the point of patient encounter is outside the health facility, such as but not limited to, vaccinations, remote visits, and other community-oriented activities outside the health facility. In such cases where the devices are brought out of the health facility, proper documentation and security check shall be ensured. At the minimum, the following security components should be in place for the device brought out of the facility:
1. Hard disk encryption.
2. Data encryption.
3. Wireless network encryption.
4. Role-based access control.
5. Anti-virus software for vulnerable operating systems.
6. Password-protected user access that complies with facility password policies.
7. Encrypted portable devices such as but not limited to, USB drives, secure digital (SD) card drives, re-writable CD, and other present and future devices.
4. Bring-your-own-device (BYOD). Mobile and portable devices that are property of the health facility personnel may be allowed by the health facility, provided that the facility implements strict policies for access, processing, storage, transmission and output of information that may have implications over patient privacy and health information security.
4.1. Agreement. A signed usage agreement has to be submitted by the owner of the BYOD prior to using the device for handling health data and information.
4.2. Training. BYOD users shall undergo annual security training.
4.3. Configuration. The health facility IT personnel shall implement a mechanism that would create an audit trail of system activity by the BYOD user, including log-in attempts, security incidents, and attempts to access files containing personally identifiable information. The mechanism shall also have a provision for remote access by the IT personnel, in such events that privacy of health data and information are compromised.
4.4. Device Requirements. The privacy officer shall approve a checklist of requirements for the BYOD to comply before being certified as usable for the access of health information. At the minimum, the device shall have the following:
1. Hard disk encryption.
2. Data encryption.
3. Wireless network encryption.
4. Role-based access control.
5. Anti-virus software for vulnerable operating systems.
6. Password-protected user access that complies with facility password policies.
7. Encrypted portable devices such as but not limited to, Flash Drives, secure digital (SD) card drives, re-writable CD, and other present and future devices.
Mobile devices used for job responsibilities are subject to audits even if an employee owns it.
Capturing of patient data using camera phones and bringing of unauthorized electronic devices such as cellular phones, laptops, tablets, and cameras inside the medical records area is strictly not allowed.
5. Business continuity and Disaster recovery. The health facility shall implement policies for business continuity and disaster recovery.
5.1. Physical backup.A data backup plan has to be implemented to create and maintain exact copies of the system for handling health information. The backup medium must be defined, and the interval of backup stated. The backup must also be tested for data validity and integrity. Physical backups shall be encrypted and stored outside the health facility and additional physical security measures shall be in place for accessing and securing the physical backups. In such case that a disaster occurs, the privacy officer shall have a disaster recovery team that can be organized quickly and have a protocol in place for data recovery.
5.2. Business Continuity. Business continuity has to be ensured even in place of disasters. The privacy officer shall have identified a minimum set of data requirements for maintaining the health facility processes for their services. The health facility shall also have the ability to transition from “emergency-mode” services, to full services. Hence, the policies for encoding data outside the full services mode shall be in place.
Events that took place in times of disaster recovery and business continuity shall be documented and reviewed, with updates implemented according to best practices and lessons learned during the disaster period.