As the technologies used to deliver telehealth services become more complex, telehealth providers as well as other HIPAA “covered entities” have an increasingly demanding role to play in ensuring the security of protected health information (PHI). To fulfill this role, both telehealth providers and their business associates (such as the information technology companies and data storage providers that support telehealth platforms) must implement not only technical safeguards, but also physical security measures. From locks, to security guards, to alarm systems, physical security measures are a critical piece of the overall data protection equation. While physical security may be an obvious concern for organizations that store sensitive data on-site, this topic deserves renewed attention in light of the growing popularity of off-site, cloud-based storage; new regulations; and more aggressive enforcement of Health Insurance Portability and Accountability Act (HIPAA) and state health privacy laws.
Physical security is often overlooked when covered entities are assessing their own privacy and security practices and those of potential business associates. One factor that contributes to this oversight is the increasing number of providers that are choosing to store their PHI off-site (either with a vendor or a vendor’s subcontractor). However, regardless of where PHI is ultimately stored, telehealth providers should always factor physical security into their privacy and security assessments. Further, providers should consider conducting a physical security inspection of any facility where significant volumes of electronic PHI are stored (including, in some instances, the data centers where the information being hosted in the cloud is stored). Physical security inspections not only reveal the physical security controls that a facility has in place to protect PHI, they can also be a good indicator of an organization’s overall information security practices. Poor physical security management is often a signal of greater systemic problems, and should lead a provider to think twice about its choice in data storage vendor.
A physical security inspection generally consists of the following five elements:
1) Perimeter Security. Perimeter security serves as the outermost layer of physical site protection. Perimeter controls can be natural barriers, such as shrubs, rough terrain, or bodies of water, or artificial barriers, such as gates and fences. However, perimeter controls are not limited to physical barriers. For example, facilities may also utilize continuous lighting systems and surveillance cameras to help maintain perimeter security.
2) Facility Access Management. Important considerations in the area of facility access management include: (1) whether a facility uses a security guard or receptionist to control the flow of entrants into the building; (2) whether an additional guard or receptionist monitors entry into work areas; and (3) whether specific authentication methods (e.g., smart cards, passcodes, etc.) are required to access different areas of the building (e.g., elevators, the server room, work areas, etc.) during and outside normal business hours.
3) Server Room Security. A physical security assessment also requires an evaluation of the facility’s server room. As part of this evaluation, attention to the server room’s location is critical. Specifically, covered entities should note the floor where the server room is located and whether the room is adjacent to windows, water sources, or areas with high public traffic. Additional factors to consider include whether the server room has its own temperature and humidity controls, whether the servers themselves are kept inside locked racks or cages, and whether the room is equipped with a fire suppression system and/or emergency power shutdown controls. Along with server room controls, covered entities should also note whether any loose media containing PHI (in paper or electronic form) are kept elsewhere in the facility. If so, measures used to protect such media should be recorded.
4) Door and Window Security. Door and window controls can range from simplistic locks to sophisticated alarm systems. In assessing building doors, covered entities should identify which doors are open to the outside (and whether such doors automatically lock) and determine whether door frames are permanently mounted to adjoining wall studs. Door and window materials also warrant consideration (e.g., a window made of standard plate glass versus a glass-clad polycarbonate or laminated glass window). Additionally, if the facility has an alarm system, the covered entity should determine which doors and windows are alarmed and whether interior surveillance cameras are also used in these areas.
5) Facility Heating, Ventilation, and Air Conditioning (HVAC) and Electrical Systems. The physical security assessment should include an evaluation of the storage site’s HVAC and electrical systems. Particular HVAC considerations include whether the server room uses a HVAC system that is separate from the rest of the building (this is preferable), whether the server room has a positive pressure air system, and whether building ducts and vents were designed to prevent possible use by intruders. In terms of electrical systems, the physical security assessment should include an evaluation of whether the facility’s electrical closets are secured and whether the facility has back-up generators or battery systems that would allow it to operate without power.
Increasingly sophisticated threats to information security, new regulatory requirements, and ramped-up enforcement of HIPAA are prompting many health care providers and other covered entities (and their business associates) to revisit their security policies. As these policies are revisited, physical security should undoubtedly be part of the conversation. Whether a telehealth company stores its data in its own facilities or relies on a vendor or a downstream subcontractor for its storage needs, physical security controls provide a vital line of defense. While technical security measures do offer telehealth providers significant data protection, the value of a carefully designed and managed physical security plan should not be underestimated.