Potential clients come up to us asking if our access control system complies with HIPAA standards when they are looking to to become fully HIPAA compliant. It is not an usual occurrence but it often crops up. They are vaguely aware, from the requests of their lawyers, that they have to make their office secure by addressing both their network security and physical security. When we started KISI, we were equally confused and unaware of this either. So we did a little digging.
What is HIPAA?
HIPAA stands for Health Insurance Portability and Accountability Act.
According to HIPAA standards, “The HIPAA Privacy Rule addresses the saving, accessing and sharing of medical and personal information of any individual, while the HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI).
Your duty as a HIPAA compliant company is it to prevent unauthorized physical access to Protected Health Information (PHI).
That sounds convoluted. How do you actually become HIPAA compliant? Further investigation allowed us to discover the four standards set under the HIPAA Security Rules.
These four standards in the Physical Safeguards are
- Facility Access Controls,
- Workstation Use,
- Workstation Security and
- Devices and Media Controls.
In addition to ensuring robust network security in the office through establishing firewalls, encrypted data, communication policies, background checks, secure servers, Two Factor Authentication (2FA) and all the other digital measures you need to be compliant with, physical security matters as much even though it is often underlooked.
Insights we took from October 2015 New York City Tech Security Conference:
The path to get unauthorized access: get inside, snoop around, exfiltrate. @varonis Physical security is as important as network security
— KISI (@KISI) October 15, 2015
We realized that Facility Access Control is the most relevant HIPAA standard that most access control systems have to comply with.Facility Access Control is the most relevant HIPAA standard that most access control systems have to… Click To Tweet
HIPAA Standard: Facility Access Control
Here’s a typical scenario: most companies usually get a key card (or key fob / card key) system in the first place. The downside? According to the requirements of the US HSS, most might not actually be complying with the standard.
Here is the original excerpt about the requirements in terms of access control by the law:
Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
In brief, it mentions everything that is required from you to make your physical access and facility access HIPAA compliant. (If you are interested in the granular details of the standard, you can read the standards here.)
That explains why our potential clients were asking us about HIPAA compliance. Most access control systems and offices might not be complying with the standards.
Take for instance, with keys you obviously can’t limit authorized access once you gave out the key. People can easily pass the keys to unauthorized personels. The switch from keys to key cards is also particularly motivated by such security fears and risks.
And see this insights from a dissertation by Seymour E. Goodman and Herbert S. Lin of Committee on Improving Cybersecurity Research in the United States, National Research Council
Because the intent of security is to make a system completely unusable to an unauthorized party but completely usable to an authorized one…
That’s why people traditionally used keycards to allow “authorized access” – key card system are meant to comply with the security measures and standards of the law. With smartphone access, it can be used as an authorized way to access your facility.
Who says you have to use an access system such as a key card system that actually creates more trouble than it’s really useful? Other than the fact that it complies with the law.
Here are the 3 security measures a cloud managed, modern access control system can comply with. When deciding for a new access control, compare this to key card systems which lack the features and security measures.
- Managed access: You decide which access level an employee, freelancer, visitor or client has and which doors should be accessible for this access group.
- Real time audit: At any time you can pull a report of real time access events including unsuccessful, unauthorized or denied requests.
- Remotely disable physical access: Limit access to your facility remotely by disabling access from your smartphone with instant effect.
If you like to hear more about how your space can become HIPPA compliant, let us show you how easy it is and why many modern organizations use our cloud-based software to automate compliance.
Feel free to get in touch with one of our security consultants who can tell you more.
An additional note:
If you host a data center, you might also want to look at SSAE 16 SOC 2, Type 2 Certified Facilities-Controls-Process.
SSAE 16, also called Statement on Standards for Attestation Engagements 16, is a regulation created by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) for defining how data centers report on compliance controls.
The SOC 2 framework is a comprehensive set of criteria known as the Trust Services Principles.