CHAPTER 27

 


Physical Safeguards, Facility Security, Secure Systems and Networks, and Securing Electronic Media

Dennis M. Seymour

   In this chapter, you will learn how to

•  Understand the necessary physical safeguards for your system, including location, access, and access-control devices

•  Understand how privacy requirements impact physical safeguard requirements, including how to assess or audit compliance with privacy requirements

•  Identify and explain guidelines for building systems including office hardware, environmental controls, personal controls, and storage devices

•  Understand encryption and how an organization determines if it should implement it

•  Understand common encryption-related terminology

•  Understand guidelines for security and preservation of electronic media for storage devices and secure disposal of electronic media

•  Assess your organization’s risks related to physical security and conduct an assessment of your organization’s practices for securing electronic media

Physical Safeguard Requirements

In ancient times (you remember—prior to the turn of the millennium), most of our sensitive medical records were created and stored on paper, often stored in dark and dingy corners of the basement of the medical center in rooms only specific staff members could access. When a patient had an appointment or came into the emergency room, a staff member had to request the paper record be retrieved for the clinical staff to review. The doors had locks, maybe the medical center was advanced enough to have key pads with access codes, and the room had sprinklers and fire extinguishers—but then every other room in the medical center also had many of those safety and security devices.

In today’s medical centers, many of those old paper records may still be there, but they have most likely been scanned into the medical centers’ electronic records systems and are rarely referenced. They might even be archived away in some offsite storage location or repository, or in some cases even the National Archives. The security of the location where the electronic data are stored has new considerations, in part based on compliance requirements and in part due to the differences between storing paper and electronic media. The amount of time these records are stored is largely dependent on the organization that once used them.

Often, when a healthcare organization transitions from paper to electronic records, it does so in phases and the transition is not planned in depth. Even before the health record was electronic, it is likely individual offices within the organization were already using technology such as desktop computers, facsimiles, and printers for office functions such as e-mail, scheduling, transmitting data, and billing. Initially these functions were likely running on the local desktop and not stored centrally, and in most cases there was no real network to speak of for storage. At some point the organization may have moved to using servers and networking to store the data from these office operations, without considering the specific security requirements for these data. Prior to the passage of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, many organizations did not consider the requirements for the security or privacy of these data. Even after HIPAA, many small office environments did not have privacy or security professionals involved in their process for adding hardware, software, applications, and so forth to their office environment.

Locating Storage Devices, Network Hardware, Printers, and Other Devices

When we consider where we will locate or place the devices used for our healthcare practices, we must consider certain aspects of access to the data and implement a defense-in-depth approach to the security and privacy of the data. The systems will also need to control user access. Consider not only the storage of the data but also the display, transmission, and input/output of the data contained in the system and applications. Beginning with the desktop or other device being used to access the data, we need to consider who will have access to the keyboard and display, as well as how to control who can look at the data on the computer. For example, we may have administrative staff who work in the office but should not have access to all patient data. We may have volunteers whom we permit to assist patients and visitors but who, again, should not have access to the network for patient data.

We must have the ability to transmit these data from the desktop to a network storage device such as a server. The organization must consider whether this will be a wired or wireless network connection. In either instance, we must determine whether an individual could attempt to gain access by either plugging in their own computer or accessing the wireless network with an unauthorized device. If we have a wired connection, we must consider where the cabling is run, whether overhead in a drop ceiling or within the finished walls. Either way, the wire will likely run to a data closet, which in smaller offices and facilities is often the same closet that stores administrative, cleaning, or other supplies. Some organizations even have switches and routers located on a shelf in the restroom or other publicly accessible areas of the office. Access to this data can be compromised when proper security fundamentals are not applied.

Securely Handling Protected Health Information (PHI)

Your organization’s processes for handling PHI should be based on implementation of best practices, and should depend on your local assessment of the threats, vulnerabilities, and risk exposure of your location, regulatory requirements such as HIPAA, and other factors. Following are descriptions of the many pieces of the physical system you need to consider in this assessment. Remember also that while the focus of this section is on security, privacy is an element of any assessment of risk. A good rule of thumb is that privacy requirements determine what you will secure, and security safeguards are implemented to meet those privacy requirements. We determine risk based on these collective requirements.

Monitor Placement

First, you should consider whether visitors or patients can view the screens used to display patient information for scheduling, billing/insurance, or electronic health record (EHR) data. Upon entering the physician’s reception area, you often find the receptionist is behind a wall with a sliding window, with the monitor placed in such a way as to prevent your view. But once you enter the office area, you may walk by half a dozen or more computers on your way to an exam room, and each computer monitor may be clearly displaying radiology, lab, or other data with little regard to privacy of the patient data. The organization should consider the placement of each display screen as part of its overall risk assessment strategy.

Privacy Screens

For computer display screens, including laptops, tablets, and other devices that do not permit placement to prevent “shoulder surfing,” risk mitigation might include the use of privacy screens. These screens allow the user to view the screen from a direct angle, but as you change your angle of view toward the side, the image becomes less and less visible. Information on the screen is not visible beyond a 45–50-degree angle.

Printer, Fax Machine, and Scanner Placement

Printers, fax machines, and scanners should be placed in secure areas away from public access, to prevent printed documents, received faxes, or scanned records that are not immediately retrieved by the user/recipient from being removed by unauthorized personnel. Remember that the safeguards you can implement to control electronic data on your local computer or server are not effective once the data is printed. Ideally, the organization should explore the option of secure printing, requiring the user to log in to the printer prior to the printing of the material. This can also be accomplished by badge scanning, if the facility has implemented an employee badging system.

Screensavers

Most users are familiar with screensavers; however, few actually implement them securely. The best implementation requires the user to press Control-Alt-Delete and re-enter a password when they want to return to using their computer. This and the use of a time lockout (see the next section) together add to a defense-in-depth strategy. Newer operating systems, including Windows and Apple macOS, and associated keyboards often have shortcuts. For example, Windows has Windows key-L to lock the computer. With macOS, there are two shortcuts: Shift-Command-Q to log out of your macOS user account (you’ll be asked to confirm), and Option-Shift-Command-Q to log out without being asked to confirm.

Time Lockout

Most operating systems (Windows, Apple iOS, Android, etc.) include the functionality to implement a time lockout of access to the device. Best practices usually guide this requirement to be between 5 and 15 minutes. This time period begins when the last keystroke or mouse movement occurs, so simply viewing the screen for an extended period may trigger the time lockout that starts the screensaver program. Organizations must consider the operating environment for users when implementing time-based lockout. An organization’s policies and procedures should include exceptions to primary requirements so that blanket requirements, such as a 5-minute-maximum timeout, do not interrupt healthcare operations. As an example, procedure rooms with access that is restricted to staff members (and the patient) might have longer timeout periods if clinicians perform procedures that take 10–20 minutes or longer and need to have access to the information on the screen without actually interacting with the keyboard or mouse.

Access to Servers, Offices, and Data Closets

The amount of data stored on a device or transmitted through a device needs to be considered when assessing risk; a device that stores or transmits a large amount of data needs to be placed higher on the risk scale than a device that doesn’t store or transmit much data. For example, your laptop may have access to most of the data on the network but not store much information locally. On the other hand, a server stores thousands of times more data, and our data closets, which house routers and switches, carry most of the data used by local network devices. Individual access to these devices should be limited to the minimum necessary. For example, if a clinic clerk needs access only to her computer to do her job, that is the level of physical access she should be granted. She should not be given access to the data closets. An IT employee who supports desktop operations needs to have access to the computer used by the clerk, but likely also needs some access to network devices in the data closets. This person might not need access to the data center or even servers on the network. So, physical access to devices should be limited in the same way as logical access, and the organization must ensure its policies and procedures support limited access.

The Physical and Environmental (PE) Controls section of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 is a valuable reference for the level of security you need to consider.1 Exercise 27-1 toward the end of the chapter provides an expanded look at this topic, detailing how you might conduct an assessment of your organization’s risk relative to physical access to data. There are many security safeguards we are not able to cover within this chapter, or even this book, so reference to SP 800-53 is a great study guide prior to taking any exam.

Data Center

The data center is the primary location where servers and other network communications gear are maintained. The security of this location may range from limited access to extreme (such as National Security Agency, Department of Defense, or secret or top-secret systems). While the level of security required is based on risk, there should always be a process in place to determine which security practices will be implemented, and the specific requirements that have not been implemented based on cost or other considerations need to be documented. Increasingly, larger healthcare organizations are moving to managed service provider data centers or cloud services located away from their medical centers, with the organization maintaining its own equipment in the contracted facility, often remotely. Exercise 27-1 toward the end of the chapter guides you through a risk assessment of your organization’s data-center security.

Data Closets

The data closet is often located on each floor of a large facility and should be maintained with the same level of security as the data center. Access to the closet grants access to the network environment, meaning that anyone who has access can simply plug or unplug any cable or device as they desire. These closets might house network routers, switches, wireless routers, and, in some cases, even firewalls or servers. At many locations, data closets are often shared with engineering, electrical, or even janitorial employees. This can be a dangerous practice. Consider the situation where the employee working in this closet or storage room opens the door to obtain tools or cleaning materials. They might not consider the security of the area and block the door open with a cart or toolbox to ease access while they work. This grants access to anyone in the area.

Intermediate Distribution Frame / Main Distribution Frame

An intermediate distribution frame (IDF) is a free-standing or wall-mounted rack for managing and interconnecting the telecommunications cabling between end-user devices and a main distribution frame (MDF). For example, an IDF might be located on each floor (in the data closet) of a multifloor building to route the cabling from that floor down the walls to an MDF on the first floor or basement. The MDF would contain cabling that would interconnect to the phone company or to other buildings.

Backups

System backups should be completed on a regular basis and include system-level and data-level backups. These backups may be performed at different time increments; for example, the system backups that include the operating system and all settings might be conducted on a routine basis, but could even be annually for organizations whose hardware, operating systems, and applications change less frequently. Other organizations whose hardware and so forth change more often might complete these system-wide backups more frequently. Data backups, which include the actual healthcare record data rather than systems, OS, and applications, might be done weekly, daily, or, as in the case of some healthcare locations, even hourly. One surprising fact is that many organizations do not apply the same principles for physical and environmental security to the location where backups are stored. Quite often the data center has moderate to high security, while backup tapes are stored in a file cabinet in the IT section.

Backup tapes should be stored with the same level of security, or perhaps even stronger security, as the data in the data center, with access to those tapes restricted to the personnel who have authorization to access the data center. Many data-loss events over the past ten years have involved backup copies of the data, not a compromise of the data center or unauthorized access to the system itself. For the purposes of disaster recovery, continuity of operations, and business resumption, copies of backups should also be maintained offsite. It is important to remember that the security of those backups when in transit or stored offsite should have the same security considerations as you implement onsite.

Access-Control Devices

Access-control devices include devices that provide access to physical facilities and devices that provide access to systems. Some devices can actually provide access to both facilities and systems, as is the case with the Personal Identity Verification (PIV) card and the Common Access Card (CAC) described in this section. Organizations who have implemented security through access-control devices must ensure they emphasize the importance of the security of these devices as part of the overall security-awareness training program.

Key Fobs

A key fob is a type of security token or small hardware device with built-in authentication mechanisms. Just as the keys held on an ordinary real-world key chain or fob control access to the owner’s home or car, the mechanisms in the key fob control access to network services and information. The key fob provides two-factor authentication: the user has a personal identification number (PIN), which authenticates them as the device’s owner; after the user correctly enters their PIN, the device displays a number that allows them to log on to the network. Because a key fob is a physical object, it is easy for the owner to know if it has been stolen. In comparison, a password can be stolen (or guessed) and used for an extended period before—if ever—the theft is detected.

Some companies now provide a service where the user’s cell phone or other device can provide the same service. When the user enters their access PIN, a message is sent by the system to their cell phone with the specific number or code to enter. This code may be used only for a limited period of time and for a single login. The next time the user attempts to log in, a new code is generated and sent to their phone.

Badges

Users who are familiar with Department of Defense (DoD) systems may have seen the Common Access Card (CAC).2 Other users of federal agency systems may use a card called the Personal Identity Verification (PIV) card.3 Many non-federal organizations have begun implementing very similar cards. The primary purpose of these cards is to provide secure access to both facilities and systems for which the user has authorization based on their role—referred to as role-based access (RBA). Figure 27-1 describes the various elements of the PIV card, including displays of both the front and back of the card. This PIV card (as well as the CAC) must be implemented in a specified manner in accordance with guidelines established by the Federal Chief Information Officers (CIO) Council.

Figure 27-1 PIV card layout. Images courtesy of U.S. General Services Administration (GSA) USAccess Program, http://fedidcard.gov/credfeatures.aspx.4

Biometrics

Over the past few years the use of biometrics has increased in many areas, especially when it comes to access to facilities and IT systems. Back in the ’60s, TV shows such as The Man from U.N.C.L.E., Mission Impossible, and Star Trek made biometrics seem “sci-fi,” but today they are very commonplace. Whether using your finger, voice, facial recognition, or retina, biometrics use is becoming a daily occurrence. It uses the “something you have” security principle and adds to the defense-in-depth strategy. An example of a device used to gain access to a physical location is a biometric fingerprint reader placed at the entry to the data center. This reader requires the user to place their index (or other registered) finger on the biometric reader. The screen then requests that the user add a second identification code, which might be four or more characters. The combination of something you have with a PIN (described as “something you know”) provides two-factor authentication. Many devices, including tablets, laptops, and desktop keyboards, now have biometric readers included in them.

Building Secure Systems

Risk identification should be part of the process of working out the details of how data will be stored, and appropriate security measures to mitigate those risks should be implemented. This includes physical and environmental controls that are often in place but frequently not fully or correctly implemented. Understanding the requirements for these areas is a vital aspect of supporting the IT infrastructure.

Office Hardware

The organization should consider security when selecting hardware, including desktops, laptops, and external storage devices. The ability to properly secure the devices, including cable locks for securing devices to the desk, should be considered. When selecting external storage devices that cannot be “locked down,” such as USB drives and other removable drives, choose devices that can be encrypted to prevent disclosure in the event of loss. Encryption is covered later in this chapter.

Locks

Locks on safes, filing cabinets, and other storage areas must be commensurate with the risk and sensitivity of the data being stored within the area or cabinet. Consider this: at home, would you store your diamond jewelry in the same drawer as your forks and knives in the kitchen? The more sensitive the information, such as backup tapes from your IT systems, the more secure the enclosure, and therefore the locks that secure it, must be.

Door Locks

Doors should be kept locked when employees are not present, and most office areas should have both a handle lock and a deadbolt lock. Keys that access doors to areas where sensitive data are stored should be controlled, and only those employees who should have access to the area should have access to the keys to that area. Consider reworking your key-control system if you have a single key storage or, even worse, you store keys in the secretary’s desk drawer. Always consider who has access to the area; if the desk is left unattended and unlocked, anyone could gain access to the keys. Also consider how often, if ever, your organization actually takes an inventory of who has keys to sensitive areas. Finally, your organization should have security officers who check secure areas on a regular basis, actually checking to ensure doors are locked and the locks function properly.

Environmental Controls

As you would expect from the name, these controls involve the environment in which the systems, storage, and communications reside. Again, the level of implementation of these controls must be based on the risk versus costs. While some controls must be implemented, not all must be implemented to the same level. We will address environmental controls in the following sections, including HVAC, lighting, surveillance, fire suppression, emergency power, UPS, and others.

Heating, Ventilation, and Air Conditioning (HVAC)

The HVAC of the data center (or other area where IT equipment is stored) is vital to the health of the equipment. Place your hand beside the area of your computer or laptop where the fan is located, or simply sit with your laptop on your lap for 10 minutes. The heat generated by the central processing unit (CPU) can be over 100 degrees. Now consider that your data center may have hundreds, and in larger medical centers or universities thousands, of servers, each generating this heat. As the external temperature increases, so too does the internal temperature of the data center, so the HVAC of the data center is extremely important. Monitoring this information is also vital, including not only the temperature but also the humidity. If the humidity is too high, even a temperature in the high 70s can lead to condensation, which can cause problems with electronic circuits.

Security Lighting

The data center and data closets should have lighting even when power is lost, whether by generator power or by battery (for short-term power loss). This is both for security and safety (so that individuals attempting to circumvent security during the power loss can be seen) and to allow IT staff to see and operate in emergency situations. Exit lights should be included in the emergency lighting plan, and in most jurisdictions emergency exit lights must be illuminated at all times.

Surveillance

Tools to observe the data center may include video cameras, alarm systems, motion detectors, and other devices. Just as with other elements of physical security, the level of surveillance should be based on the risk assessment. In today’s environment, most data centers are designed to be “dark.” The data center equipment is administered remotely, although it could be from rooms adjacent to the data center. Most IT-related tasks that would routinely require physical access are automated. Individuals enter the data center only in rare situations, so there is no need to keep the facility lit. This also means that cameras and other recording devices should be implemented in such a way that they record only when motion is detected or the door records entry by use of an access device. Additionally, the storage of surveillance data should be in a controlled, secure environment, not necessarily within the data center itself. This could be in the organization’s security office or in the office of a security firm hired to remotely monitor your organization’s facilities.

Fire Suppression

In an effort to prevent damage due to fires, the facility should have multiple forms of fire suppression, including handheld fire extinguishers (appropriate for the size and nature of the facility and the equipment), overhead fire suppression (which might include dry-pipe, wet-pipe, or dry-chemical systems), and access to fire department standpipes for larger fire suppression. Organizations should implement dry-pipe fire suppression in data center environments. Dry-pipe systems consist of the same pipes as wet-pipe systems but do not contain water in the pipes until an emergency occurs. This prevents damage from a leak, puncture, or accidental discharge. Dry-chemical systems are optimal for data centers; however, the cost is often prohibitive for many, primarily smaller, organizations. Staff members who routinely have access to the data center and areas adjacent to it should be trained in the use of fire suppression as well as the process for turning off the system. Your organization should work with local fire department personnel to conduct routine visits to your facilities so the staff is aware of the locations of fire suppression equipment, such as standpipes, elevators, fire alarm systems, and so forth. While your facility may never experience a serious event, the ability of your local fire department to support you in an emergency is vital. Staff need to know how to turn the system off in case of accidental discharge, to decrease the negative effects of water on electrical components.

Generator

Backup electrical power should be available, and as with other aspects of security should be based on the risk to the facility, the possibility of power disruptions, and other environmental factors. As an example, we might think a facility in an area with a history of high winds, tornadoes, or hurricanes would be more likely to suffer power loss than a facility in California, but a location in California might be subject to earthquakes, which could also cause the loss of power. The generator power must be implemented so that backup power is provided immediately and automatically, without requiring manual intervention.

Uninterruptible Power Supply (UPS)

The UPS provides short-term backup power to systems in the event of power loss or brownout. In an office environment the UPS might be small and provide emergency power to a computer or other equipment so as to permit access to data in the event of power loss. In a data-closet or data-center environment, UPSs might be rack-mounted and provide power to a number of devices, again for a short period of time. In general, a UPS can provide power to devices for a period of five minutes to a few hours, depending on the type of UPS and the amperage of the devices supported. The UPS is intended to bridge the time between loss of power and the implementation of alternate power, such as the generator, for the continuity of business operations over short periods of time.

Other Controls

The following controls are neither physical nor environmental; however, they do tie in very closely to the implementation of those controls.

Personnel

All personnel having access to the data center should be screened. Risk and trust are important elements of the security and privacy of your organization’s data. In addition, training your staff on their responsibility to secure the organization’s data is vital, but their training should also include other areas discussed in this chapter—such as the process to use when allowing visitors into the data center or closets, the use of security devices and fire-suppression equipment, and other areas that might be part of their responsibilities.

Awareness and Training

We have mentioned awareness and training throughout this chapter, but primarily the organization should focus on ensuring that all employees are aware of risks and threats specific to their role, and have the training necessary to support continued business operations in that role. Examples include ensuring they know how to power down equipment and use fire suppression devices, and ensuring they know the data destruction requirements for the types of data they access, such as printed PHI, electronic PHI (ePHI) stored on storage devices, and so forth. The organization should consider the following reasons for ensuring employees are trained and aware of information security practices:

1. Compliance requirements change or their interpretation changes.

2. The organization is responsible for the actions of its employees.

3. Consumers are becoming more aware of the requirements that healthcare organizations must comply with.

Sensitivity Labels and Clearance

Data-storage devices should include appropriate labeling based on the type of data and data sensitivity. These labels should include instructions on who to contact should the devices be found in an unexpected place, for example, if lost or delayed while being transported to an offsite storage location or while being transported by a third-party vendor. It is not necessary to state that the device contains personally identifiable information (PII) or PHI; simply label it as sensitive, with instructions for contacting you, including phone number, e-mail address, or mailing address of the facility.

Securing and Preserving Electronic Media Storage Devices

Each of the storage devices discussed in the following sections needs to be considered when planning for the security and preservation of electronic media. An overall policy that includes procedures for the use of storage media is vital to every organization, and instruction on the policy should be part of employee awareness and training programs. Explaining the risks associated with these devices to their users can assist the organization in ensuring employees follow established guidance.

Flash Drives

Often referred to as flash memory, flash drives are small storage devices or cards that store data on flash memory. Flash memory is a nonvolatile computer storage chip that can be electrically erased and reprogrammed. It was developed from EEPROM (electrically erasable programmable read-only memory) and must be erased in fairly large blocks before it can be rewritten with new data. An important note is that, just as with any storage media, these drives introduce a number of risks to the organization, including the possible undetected theft of data or the introduction of viruses or Trojans. Facilities should have policies and procedures in place for the use of these devices. Because of their small physical size but large storage capacity, the risk of loss of large amounts of data via these devices is high. Many organizations go so far as to ban the use of flash drives on their networks. On the other hand, their small size means they are also easy to destroy by shredding or burning, both good processes for eliminating the threat of loss. If your organization finds the need to use these devices—and they certainly have a place in many practice areas, such as with digital cameras to record wounds (e.g., rashes or decubitus ulcers), procedures, etc.—it should develop strong policies and procedures for their use and disposal.

Personal Computers (PCs)

Personal computers, often referred to as desktop computers, frequently store at least some data locally, on the hard drive or memory. However, EHRs and other healthcare data are stored centrally on database servers, not on PCs, and PCs can be used only to access the data via the organization’s network. Typically, procedures such as cutting and pasting, creating screen dumps, or otherwise storing data are not approved and are disabled. The problem is that data in EHRs and other healthcare data sometimes are generated on other devices and stored locally before being uploaded to the database server. For example, as introduced in the prior section, a digital camera may be used to document wounds or procedures, and the images typically are transferred via the flash drive to a PC before being moved to a network storage area or entered into an EHR. While the risk of loss of a PC is lower than that of a more mobile device, a PC should still be secured to a desk via a locking cable.

Laptops

A laptop is essentially a mobile version of the PC, making the risk of data loss significantly higher than with other devices. Generally, the laptop is intended to permit authorized user access to data while not physically at the facility or at a single work location within the facility. Ideally, as with other mobile devices, the hard drive of the laptop should be protected by encryption (discussed later in the chapter) so that if the device is lost or stolen, the data stored on it are much more difficult to obtain. Requiring two-factor authentication or encryption reduces risk of loss of the data. Laptops should be securable to the work location by a cable or a locking docking station. Of course, risk is further reduced if the device is both secured with a cable and the hard drive is encrypted.

Secure Digital (SD) Card

An SD card is a nonvolatile memory card format used in portable devices. In general, the SD card requires a specific slot to access the PC or laptop; it does not use the USB slot. There are various versions of these cards, including the SD, SDHC, miniSD, and microSD. As addressed in the earlier section regarding flash memory, it is important to note that, just as with any storage media, these cards introduce risks to the organization, including the possible undetected theft of data or the introduction of viruses or Trojans. On the positive side, because of their small size, they are easily destroyed by shredding or burning, both good processes for eliminating the threat of loss. As with flash storage, if your organization finds the need to use devices with SD cards, it should develop strong policies and procedures for their use and disposal.

External Drives

An external drive is usually larger and less mobile (although still easily transportable) than the flash or USB drive and resides outside the physical PC or laptop. External drives usually require their own power source, unlike USB or flash drives, which get their power through their connection to the computer. These drives should be covered in the organization’s security policy and procedures, and employees who are authorized to use these devices should attest to the fact they understand and will adhere to policy.

Servers

A server is a computer attached to a network for the primary purpose of providing a location for shared disk access—that is, shared storage of computer files (such as documents, sound files, photographs, movies, images, databases, etc.) that can be accessed by the workstations that are attached to the same computer network. These devices should be secured by both device-level access controls and enhanced physical security controls.

Network-Attached Storage (NAS)

Network-attached storage (NAS) is file-level computer data storage that is connected to a computer network and provides data access to heterogeneous clients. NAS operates as a file server and is specialized for this task by its hardware, its software, or the configuration of those elements. NAS is often made as a computer appliance—a specialized computer built from the ground up for storing and serving files—rather than simply a general-purpose computer being used for the role. Again, these devices should be secured by both device-level access controls and enhanced physical security controls.

Storage Area Network (SAN)

A storage area network (SAN) is a dedicated high-speed network that provides access to consolidated, block-level data storage, generally in the form of storage devices, such as disk arrays, tape libraries, and optical jukeboxes, accessible to servers. The SAN moves storage resources off the user network and reorganizes them into an independent, high-performance network. This allows each server to access shared storage as if it were a drive directly attached to the server. When a host wants access to a storage device on the SAN, it sends out a block-based access request for the storage device. Again, these devices should be secured by both device-level access controls and enhanced physical security controls.

Encryption

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption does not of itself prevent interception, but denies the message content to the interceptor. In an encryption scheme, the intended communication information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. An encryption scheme usually uses a pseudo-random encryption key generated by an algorithm.5

The discussion of encryption, including whether an organization should or must use encryption, can cause confusion for many in healthcare. Because HIPAA identifies encryption as an addressable implementation specification rather than a required implementation specification, some organizations mistakenly assume encryption is optional. In fact, addressable means that the encryption implementation specification must be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity, and availability of e-PHI. If the organization decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate.6 Encryption can be implemented using symmetric-key encryption, asymmetric (public-key) encryption, or a public key infrastructure (PKI).

Symmetric Encryption

In symmetric-key schemes, the encryption and decryption keys are the same. Communicating parties must share the same key before they can achieve secure communication.

Asymmetric or Public Key Infrastructure (PKI)

In public-key encryption schemes, the encryption key is published for anyone to use and encrypt messages. However, only the receiving party has access to the decryption key that enables messages to be read.

TLS/SSL

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as SSL, are cryptographic protocols that provide communications security over a computer network. Several versions of the protocols are in widespread use in applications such as web browsing, e-mail, Internet faxing, instant messaging, and Voice over IP (VoIP). SSL is no longer considered secure, and as of October 2014 it should no longer be used as a security protocol. It is a good business practice to use the term TLS, not SSL, when describing what is implemented.

DES

The Data Encryption Standard (DES) was once a predominant symmetric-key algorithm for the encryption of electronic data. It was highly influential in the advancement of modern cryptography in the academic world. In 1976, after consultation with the National Security Agency (NSA), the National Bureau of Standards (NBS), the predecessor to NIST, eventually selected a slightly modified version (strengthened against differential cryptanalysis, but weakened against brute-force attacks), which was published as an official Federal Information Processing Standard (FIPS) for the United States in 1977. DES is now considered to be insecure for many applications. This is mainly due to the 56-bit key size being too small; in January 1999, distributed.net and the Electronic Frontier Foundation (EFF) collaborated to publicly break a DES key in 22 hours and 15 minutes. DES has been withdrawn as a standard by NIST.

AES

The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by NIST in 2001. AES is a subset of the Rijndael cipher developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted a proposal to NIST during the AES selection process. For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but three different key lengths: 128, 192, and 256 bits. AES has been adopted by the U.S. government and is now used worldwide. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.
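To make the symmetric and asymmetric schemes described above concrete, here is an added example (not code from the chapter) in Go's standard library: AES-GCM with a shared key, where `aes.NewCipher` accepts only the three AES key lengths the text names (16, 24, or 32 bytes) and a wrong key or a modified byte is rejected on decryption, alongside RSA-OAEP, where anyone holding the published public key can encrypt but only the private key holder can decrypt. The sample record is constructed and is not real patient data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SymmetricEncrypt seals plaintext with AES in GCM mode. The key must be
// 16, 24 or 32 bytes (AES-128/192/256, the three Rijndael members NIST
// selected); aes.NewCipher rejects any other length, including DES's 8 bytes.
// A fresh random 12-byte nonce is generated per message and prepended.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext plus a 16-byte authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt with the same shared key.
// A wrong key or any modified byte makes gcm.Open return an error rather
// than silently yielding garbage.
func SymmetricDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// AsymmetricEncrypt needs only the recipient's published public key
// (RSA-OAEP with SHA-256), so anyone may encrypt to them.
func AsymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// AsymmetricDecrypt requires the matching private key, held only by the recipient.
func AsymmetricDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	record := []byte("MRN 000000 (constructed sample, not real PHI): wound photo")
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, _ := SymmetricEncrypt(key, record)
	back, err := SymmetricDecrypt(key, sealed)
	fmt.Printf("AES-GCM with shared key: %q err=%v\n", back, err)
	_, err = SymmetricDecrypt(make([]byte, 32), sealed)
	fmt.Println("AES-GCM with wrong key: err =", err)

	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ct, _ := AsymmetricEncrypt(&priv.PublicKey, record)
	back, err = AsymmetricDecrypt(priv, ct)
	fmt.Printf("RSA-OAEP with private key: %q err=%v\n", back, err)
}
```

In practice RSA is used to protect a per-message AES key rather than the data itself; OAEP can only encrypt a message shorter than the RSA modulus.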

3DES

In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. The original DES cipher’s key size of 56 bits was generally sufficient when that algorithm was designed, but the availability of increasing computational power made brute-force attacks feasible. Triple DES provides a relatively simple method of increasing the key size of DES to protect against such attacks, without the need to design a completely new block cipher algorithm.

PGP

Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and is also used to increase the security of e-mail communications.

Secure Disposal of Electronic Media

Now that we have considered securing the data, the next step is to consider what we need to do when it is time to dispose of the data or the storage devices on which we store the data. The following sections discuss how to ensure that the devices are disposed of in a manner appropriate to the type of data and the type of device.

Secure Shredding, Degaussing, and Sanitizing

Various processes and methods are available to securely destroy data held on storage media, including shredding, degaussing, and sanitizing. The most important factor in deciding which process or method is appropriate is again the organization’s risk and mitigation policies. The overall goal is to prevent unauthorized access to sensitive information, including ePHI, PHI, and PII.

Secure Shredding

Data shredding is a data-destruction utility designed to securely erase a hard disk or digital storage device, completely removing the data and making the data unrecoverable. The software utilizes an overwrite method of destroying data rather than other means of data destruction (such as degaussing or physical destruction). The downside of data shredding is that it usually makes the storage device unusable. Data shredding (electronic) should not be confused with the shredding of paper documents; often some confusion occurs when only the term “shredding” is used.

Degaussing

Degaussing is the process of decreasing or eliminating an unwanted magnetic field on a magnetic medium, such as a hard disk. In layman’s terms, degaussing converts the current 0s and 1s to randomized 0s and 1s to prevent reverse engineering of the data. Due to a phenomenon known as magnetic hysteresis, it is generally not possible to reduce a magnetic field completely to zero, so degaussing typically induces a very small “known” field referred to as bias. Some organizations require that degaussing occur in multiple passes—for instance, DoD practices require at least seven degaussing passes. The advantage of degaussing is that the media is not destroyed and remains reusable for new data.

Sanitizing

Sanitizing involves the use of anonymization and other techniques to purge data sets (often statistical) of PII in order to protect user privacy. Sanitizing can be used in cases where you want to remove the data and reuse the devices within the given environment.

Determining the Level and Type of Destruction

The overall goal in determining which level of data destruction to use for the organization and for specific devices must always be to prevent unintentional disclosure or dissemination of PHI or other sensitive data. Best practices should be followed when determining the process to use. The type and level of destruction should be based on the type of data, the type of media, and, most importantly, the policy and procedures established by the organization. Allowing individuals to choose the process they follow without guidance could result in data loss, even a minor one, which could lead to financial loss or embarrassment to the organization.

Exercise 27-1: Assessing Your Organization’s Facility Security Risks

If you work for a healthcare organization, follow the three sets of steps in this exercise to consider the areas covered in the chapter. Before conducting this exercise, obtain management approval to perform the assessment. Clearly, you would not want your efforts to be complicated by negative management reaction to a surveillance observation or a visitor who reports you, thinking you might be considering how to circumvent security.

Office Areas

1. Walk into an office or clinical area. Once inside the door where patients and visitors enter, look around and see if you can identify where PCs, laptops, printers, and other devices are visible. The purpose is to observe whether any sensitive information is viewable in plain sight, including computer screens with data visible, printed material left in printer or fax machine trays, and so forth. A good practice is to conduct this exercise in more than one office or clinical area, both to compare implementation of policies and procedures and to look for internal best practices. Identify the areas in which stronger processes are in place, and look for processes that perhaps exceed the actual organization policy.

2. Now act as though you are the patient being taken from the waiting room to the exam room. What can you observe en route and in the exam room? Next move from the exam room to checkout (billing, scheduling, etc.) and consider during this walk-through the same list of devices.

3. Look for signs or other evidence of where your data closets, data center (which may not be local to your office), or other communications areas are located. Look for open closets, in use by maintenance or housekeeping perhaps, and observe if network devices or equipment is visible.

Next, conduct the same type of review of the areas where the data are stored or transmitted.

Data Closets   If you are authorized access to the data closets, or if an authorized individual will provide you escorted access, proceed as follows:

1. Attempt to identify the IDF in the closet.

2. Identify the fire suppression and HVAC provided within the closet, as well as any surveillance devices.

3. Identify access-control devices, including access cards, key fobs, or biometric devices if used.

4. Identify any risks you can observe, such as access issues, lock functionality, improper temperature or humidity levels, poor lighting, and so on.

Data Center   Again, if you are authorized to access the data center, or if you can get an authorized individual to provide you escorted access, conduct a review of the following areas:

1. Prior to entering the data center, observe the signage such as warning signs, authorized-personnel-only signs, and so forth. Also, prior to entering determine the types of physical controls implemented, including key fobs, access cards, biometrics, two-factor authentication, and so on.

2. Upon entering the data center, determine the procedure for controlling employee access and visitor access to the data center, including whether the organization requires visitors to record their entry in a log book. Verify what information a visitor must place into a log when they enter. Later you can review the policies and procedures for entry to determine if the log actually requires the same data as policy dictates. As an example, I have seen policies that state the user must enter “form of ID” but there is no column to enter such information on the log. Act as an auditor here; if policy dictates a security measure, the organization must ensure they enforce it.

3. Look for fire suppression (fire extinguishers, sprinklers, etc.), security lighting, surveillance, UPSs and generators for emergency power, and HVAC.

4. Note the temperature and humidity in the data center, if displayed.

5. Note whether trash, boxes, or other items are stored in the data center. Most organizations do not permit these items in the data center to reduce fire hazards. A best practice is to destroy or shred trash, such as empty PC boxes, from the data center once they are emptied.

6. When departing, do you have to also note in the visitor log your departure time? Did your escort stay with you the entire time, and did they ensure you entered your departure time in the log?

Exercise 27-2: Assessing Your Organization’s Practices for Disposing of Electronic Media

Find an individual in the organization who has knowledge of how your organization disposes of electronic media, and set up a time to discuss the practices that are in place. In the interview, determine whether the facility uses secure shredding, degaussing, or sanitization when disposing of electronic media. If the organization uses a combination of these methods, determine whether there is a documented procedure for the type of process to follow in different situations. For example, if a drive is defective and covered under warranty, what process does your organization follow when returning the drive to the manufacturer? Are there any special requirements for disposing of electronic media in your organization, such as medical devices, mobile devices, and so forth?

Chapter Review

This chapter addressed the physical safeguards required for your IT systems, including the location of storage devices, network hardware, printers, scanners, and copiers. Best practices regarding physical equipment were identified for the handling of PHI, including PC placement, privacy screens, printer placement, screensavers, and time lockout. Access points to servers, offices, and data closets are all critical considerations. The chapter discussed how determining the level of safeguards required by your facility’s data center, data closets, IDF/MDF, and backups will depend on the risks to which your facility is exposed, weighed against the costs of providing those safeguards.

Access-control devices were defined and discussed, including key fobs, badges, and biometrics. The chapter presented guidelines for building secure systems, including office hardware, environmental controls, other controls, and storage devices. We discussed guidelines for securing and preserving electronic media and briefly explored encryption and types of encryption. The final topic included best practices for secure disposal of electronic media—including secure shredding, degaussing, and sanitizing—and determining the type and level of destruction of media. The end of the chapter provided two exercises on how to conduct informal assessments of your organization’s risks related to physical security and assessing your organization’s practices for secure disposal of electronic media.

Questions

To test your comprehension of the chapter, answer the following questions and then check your answers against the list of correct answers that follows the questions.

    1.  Which of the following is a dedicated network that provides access to consolidated, block-level data storage?

         A.  Servers

         B.  NAS

         C.  SAN

         D.  SD card

    2.  In a healthcare office environment, which of the following applications must be considered as possibly having sensitive data included within its storage media?

         A.  E-mail

         B.  Scheduling

         C.  Billing

         D.  All of the above

    3.  When determining the appropriate location of PCs in your organization, which of the following should you consider?

         A.  Security of the location

         B.  Ability to view the screen

         C.  Whether privacy screens are available

         D.  All of the above

    4.  Which of the following is a network device usually located on each floor (sometimes more than one per floor) in a larger building?

         A.  MDF

         B.  DMZ

         C.  IDF

         D.  Both A and C

    5.  Which of the following principles is used by two-factor authentication to grant physical access to systems?

         A.  Something you have

         B.  Something you know

         C.  Both A and B

         D.  Neither A nor B

    6.  Motion detectors are considered to belong to which of the following classes of environmental controls?

         A.  Fire suppression

         B.  Surveillance

         C.  Security lighting

         D.  UPS

    7.  Why is employer-provided education and training for employees necessary?

         A.  Compliance requirements change or their interpretation changes.

         B.  Healthcare organizations are responsible for the actions of their employees.

         C.  Consumers are becoming more aware of the requirements that healthcare organizations must comply with.

         D.  All of the above.

    8.  What is the predecessor of Transport Layer Security (TLS)?

         A.  Triple DES (3DES)

         B.  Pretty Good Privacy (PGP)

         C.  Secure Sockets Layer (SSL)

         D.  Data Encryption Standard (DES)

Answers

    1.  C. A storage area network (SAN) generally provides access to consolidated, block-level data storage, generally in the form of storage devices, such as disk arrays, tape libraries, and optical jukeboxes, accessible to servers so that the devices appear to the operating system to be locally attached devices.

    2.  D. Even though a healthcare office may have policies in place that prohibit the use of e-mail for communications with the patient about specific sensitive healthcare diagnoses and so forth, the fact is that users and patients could be including this in their communications. As a result, you should assume that e-mail data must be stored with the same security controls as other sensitive data systems. Clearly, patient scheduling and billing applications contain personally identifiable data as well as protected health information.

    3.  D. All PCs, specifically those used to access sensitive information, should be placed in locations where only the intended viewers of the data can see it. They should also be located in a place that would make it impossible for an unauthorized person to simply pick up the device and walk out without being observed. If a device must be placed in a more public space, consider using privacy screens to allow only a limited field of view of the data being displayed.

    4.  C. The intermediate distribution frame (IDF) is usually placed in the data closet, while the main distribution frame (MDF) is more centralized and located in the data center or other communications area of the facility.

    5.  B. The principle of “something you know” covers passwords and personal identification numbers (PINs), as opposed to “something you have,” which covers an access-control device such as a key fob or badge or a part of your person such as a fingerprint or retina.

    6.  B. Surveillance includes cameras, motion detectors, alarm systems, and other devices.

    7.  D. As compliance requirements age, they are often changed, or the interpretation of specific requirements might change. Additionally, these changes often enact fines and penalties, and although often the individual might be held accountable for noncompliance, in most cases the healthcare organizations are also responsible for the actions of their employees. Lastly, and this is often a good thing, consumers are becoming more aware of the requirements that healthcare organizations must comply with and therefore are more likely to make an effort to ensure accountability.

    8.  C. Secure Sockets Layer is the predecessor to TLS, though both are frequently referred to as SSL. They are cryptographic protocols that provide communications security over a computer network.

References

    1.  National Institute of Standards and Technology (NIST). (2012). Security and privacy controls for federal information systems and organizations. SP 800-53, initial public draft. Accessed on March 7, 2017, from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

    2.  U.S. Department of Defense. (n.d.). Common access card requirements. Accessed on July 21, 2016, from www.cac.mil/.

    3.  Federal Chief Information Officer Council. (2009). Personal identity verification interoperability for non-federal issuers. Accessed on March 7, 2017, from https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t0000000TNSVAA4&field=File__Body__s.

    4.  U.S. General Services Administration, USAccess Program. (n.d.). PIV credential features. Accessed on July 21, 2016, from http://fedidcard.gov/credfeatures.aspx.

    5.  Wikipedia. (n.d.). Encryption. Accessed from https://en.wikipedia.org/wiki/Encryption.

    6.  U.S. Department of Health and Human Services (HHS). (n.d.). What is the difference between addressable and required implementation specifications? Accessed from https://www.hhs.gov/hipaa/for-professionals/faq/2020/what-is-the-difference-between-addressable-and-required-implementation-specifications/index.html.
