10.01.05 Volume 2 Edition 10 iMed eNewsletter
 

The voice for the medical software reseller community.

HIPAA Corner: EMR and HIPAA, Part 4

EMR and HIPAA

Part 4 – HIPAA Security Physical Safeguards

 

“If you can touch it, you can own it,” is one saying in information security. Attending to the physical security of the electronic assets should be on the reseller’s agenda when the EMR system is installed. Resellers, as part of implementation and ongoing support services, should be prepared to offer clients assistance regarding HIPAA-mandated physical security, especially for the EMR systems.

 

Some of the requirements involve areas where resellers can provide professional advice and input as part of the entire value-added package of services. More specifically:

 

- Security Plan. The reseller can provide some advice regarding physical placement of the server. The safeguards will vary with the size of the operation. For larger facilities, the server should be in a locked room with limited access. At smaller facilities, it might be located right in the office. At a minimum, staff should be instructed to allow access by authorized personnel only.

 

- Workstation Use and Security. Resellers should provide advice regarding the physical placement of workstations, including positioning screens so that they are not easily viewed by patients and visitors. Various products, such as add-on privacy filters, are available to limit the viewing angle and provide an additional measure of security. One emerging threat is the use of small storage devices with USB connections. A person with physical access to a workstation (either an insider or an outsider) can insert a USB storage device into a workstation and quickly download large quantities of information. Potential safeguards include placing workstations where only authorized individuals have access, and/or disabling USB ports that are not required by the user. EMR systems often include mobile and portable devices, and specific policies should be in place regarding appropriate use of this equipment.
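For the USB safeguard above, a reseller supporting Windows workstations can script both the check and the change. This is an added example, not part of the newsletter or the author's material; it assumes a Windows workstation, an elevated (administrator) PowerShell session, and Microsoft's documented USBSTOR driver key, and the log file path is a constructed placeholder.

```powershell
# Added example (not from the newsletter): query and set the start type of the
# Windows USB mass-storage driver so removable USB disks are not loaded.
# Assumes a Windows workstation and an elevated PowerShell session.
# Start values: 3 = load on demand (enabled), 4 = disabled.
# Keyboards and mice use a different driver class (HID), so they keep working.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Returns 'Disabled', 'Enabled' or 'Unknown (...)' based on the Start value.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
    switch ($start) {
        4       { 'Disabled' }
        3       { 'Enabled' }
        default { "Unknown (Start=$start)" }
    }
}

function Set-UsbStorageState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    $value = if ($State -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord

    # Keep a record of the change for the practice's maintenance/audit trail.
    # Log path is a constructed placeholder; use the site's own location.
    $entry = '{0} {1} USBSTOR Start set to {2} by {3}' -f `
        (Get-Date -Format s), $env:COMPUTERNAME, $value, $env:USERNAME
    Add-Content -Path "$env:ProgramData\usb-storage-policy.log" -Value $entry

    # A driver that is already loaded stays loaded until the device is removed
    # or the machine restarts, so verify after a reboot as well.
    Get-UsbStorageState
}

# Usage: report the current state, disable USB storage if needed, re-check.
Write-Host "Before: $(Get-UsbStorageState)"
if ((Get-UsbStorageState) -ne 'Disabled') {
    Set-UsbStorageState -State 'Disabled' | Out-Null
}
Write-Host "After:  $(Get-UsbStorageState)"
```

On domain-joined workstations the same result is better managed centrally through Group Policy (Computer Configuration > Administrative Templates > System > Removable Storage Access), which also leaves a change history the practice can show during a HIPAA review.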

 

- Device and Media Controls. Backup media should be kept in a secure location, again appropriate for the size of the facility. In a larger facility, this would mean a locked room or cabinet; this might not be necessary for a smaller facility. Any media that is disposed of or recycled (as in donating old PCs with hard drives) should be wiped with appropriate software. See the archives for suggestions of free or low-cost software. An even more secure approach is to destroy media prior to disposal.

 

Resellers should be prepared to give professional advice regarding the above elements of the HIPAA physical security requirements. You should be aware that the HIPAA regulations contain further physical security requirements that go beyond these areas. These include making arrangements for facilities to use in the event of an emergency, the use of visitor logs, and keeping maintenance records.

 

This concludes our series on EMR and HIPAA. Stay tuned for additional HIPAA topics.

 

 

-- Gary Pritts
Eagle Consulting Partners, Inc.
4415 Euclid Ave. #300, Cleveland, OH 44103
(216) 426-0519 (voice) (216) 432-0104 (fax) (216) 233-4960 (mobile)
web: www.eagleconsultingpartners.com
email: info@eagleconsultingpartners.com

 

Gary Pritts is not affiliated with InvestMed; he is a healthcare, business and information systems consultant with 25 years of experience. To contact Gary with questions about this article or HIPAA in general, visit his website at: www.eagleconsultingpartners.com

Copyright © InvestMed, LLC and its licensors. All rights reserved.
Images provided by www.plattphotography.com