NRPM: Security and Electronic Signature Standards. Physical Safeguards to Guard Data Integrity, Confidentiality, and Availability

08/12/1998

[Please label written comments or e-mailed comments about this section with the subject: PHYSICAL SAFEGUARDS]

 

The requirements and implementation features for physical safeguards are presented at § 142.308(b) of this proposed rule. We would require each of these safeguards to be documented. We would require this documentation to be made available to those individuals responsible for implementing the safeguards and to be reviewed and updated periodically. The following matrix depicts the requirements and implementation features for the Physical Safeguards category. Following the matrix is a discussion of each of the requirements under that category.

PHYSICAL SAFEGUARDS TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY


REQUIREMENT, followed by its IMPLEMENTATION features:

Assigned security responsibility

Media controls (all listed implementation features must be implemented).
  • Access control.
  • Accountability (tracking mechanism).
  • Data backup.
  • Data storage.
  • Disposal.

Physical access controls (limited access) (all listed implementation features must be implemented).
  • Disaster recovery.
  • Emergency mode operation.
  • Equipment control (into and out of site).
  • Facility security plan.
  • Procedures for verifying access authorizations prior to physical access.
  • Maintenance records.
  • Need-to-know procedures for personnel access.
  • Sign-in for visitors and escort, if appropriate.
  • Testing and revision.

Policy/guideline on work station use

Secure work station location

Security awareness training

a. Assigned Security Responsibility

We would require the security responsibility to be assigned to a specific individual or organization, and the assignment to be documented. These responsibilities would include the management and supervision of (1) the use of security measures to protect data, and (2) the conduct of personnel in relation to the protection of data. This assignment is important to provide an organizational focus and importance to security and to pinpoint responsibility.

b. Media Controls

Media controls would be required in the form of formal, documented policies and procedures that govern the receipt and removal of hardware/software (for example, diskettes, tapes) into and out of a facility. They are important to ensure total control of media containing health information. These controls would include the following mandatory implementation features:

  • Controlled access to media.
  • Accountability (tracking mechanism).
  • Data backup.
  • Data storage.
  • Disposal.

c. Physical Access Controls

Physical access controls (limited access) would be required. These would be formal, documented policies and procedures for limiting physical access to an entity while ensuring that properly authorized access is allowed. These controls would be extremely important to the security of health information by preventing unauthorized physical access to information and ensuring that authorized personnel have proper access. These controls would include the following mandatory implementation features:

  • Disaster recovery.
  • Emergency mode operation.
  • Equipment control (into and out of site).
  • A facility security plan.
  • Procedures for verifying access authorizations prior to physical access.
  • Maintenance records.
  • Need-to-know procedures for personnel access.
  • Sign-in for visitors and escort, if appropriate.
  • Testing and revision.

d. Policy/Guideline on Workstation Use

Each organization would be required to have a policy/guideline on workstation use. These documented instructions/procedures would delineate the proper functions to be performed and the manner in which those functions are to be performed (for example, logging off before leaving a terminal unattended). This would be important so that employees will understand the manner in which workstations must be used to maximize the security of health information.

e. Secure Workstation Location

Each organization would be required to put in place physical safeguards to eliminate or minimize the possibility of unauthorized access to information. This would be important especially in public buildings, provider locations, and in areas where there is heavy pedestrian traffic.

f. Security Awareness Training

Security awareness training would be required for all employees, agents, and contractors. This would be important because employees would need to understand their security responsibilities based on their job responsibilities in the organization and make security a part of their daily activities.