Cybersecurity is to IT professionals whilst physical security is to Security Experts. However, as technology advances, it is important to take note that software and computers today power the physical security systems, implying that cybersecurity and physical security are overlapped concepts. It means to say that we need to protect both IT and Physical Assets from vulnerabilities, threats, and risks.
Security experts agree that employees are often one of an organization's biggest security weak spots. According to one security professional, 'You could have the best security policies in the world, but they aren't worth their weight in paper if your employees don't follow them.' The best way to find out if your employees are following your organization's security policies is to watch the employees in action. One way to do this is to walk through your organization's facilities and mark off a checklist that compares your security requirements with actual employee practices.
Physical security is the most fundamental aspect of protection. It is the use of physical controls to protect the premises, site, facility, building or other physical assets. The process includes layers of physical protection measures to prevent unauthorized personnel from accessing your property (office, building, stores, factories, etc.). HIPAA regulations (45 CFR 164.310 (a)(1)) provides guidelines on these Physical Safeguards.
Physical security systems can be any of the following:
And how important are these physical safeguards? Firstly, these physical security systems help protect your property and premises against theft, crime, and unauthorized personnel and attacks whether internal or external or man-made or acts of nature. Secondly, these physical safeguard systems are for tracking and monitoring purposes. Implementing a physical security policy for surveillance throughout the premises help organizations track and monitor the productivity and security of employees. Then, lastly, these physical security systems are for archiving and recordkeeping purposes too. Examples are in special cases like data theft, anything that has been recorded in the CCTVs can be acquired for legal matters.
Organizations must create and maintain a Facility Security Plan that documents the procedures to safeguard access to the facilities, information systems, and equipment used to store ePHI specifically relevant in the healthcare industry particularly covered entities and business associates. The plan is to outline access to areas within the facility by job description, give special attention to the security of the server room, and outline methods used to ensure that PHI and ePHI are not viewable to visitors or unauthorized access. The Facility Security Plan addresses Contingency Operations that allow access during emergencies that supports the organization's Disaster Recovery Plan, Access Control and Validation procedures for workforce members, Physical Access Controls to limit access based on need to view and restrict access to software for testing and revision, and to ensure that all maintenance records for the facility, such as repairs and modifications are documented and maintained.
So here are some samples procedures that can be put in place to control physical access to your facility and areas within your facility where ePHI could be accessed, just enter your email address for Free access: