System Security
Physical Safeguards
Safeguards can be organized by media, physical controls, and workstation use. Media control policies are needed to govern the receipt and removal of hardware and software (e.g., diskettes, tapes, optical disks). They spell out who is authorized to set up or add software to workstations, how accountability for these activities is tracked, and details on data backup, storage, and disposal of patient data.
Physical controls are based on formal, documented policies and procedures for limiting physical access while ensuring that properly authorized access is allowed. Access controls are tied to user roles or functions to conform to key elements of the privacy rule. Physical control policies and procedures cover equipment control, facility security plans, testing, maintenance records, and verification of authorization prior to physical access. For example, a sign-in process for on-site visitors is included. Keep in mind that access is keyed to a user ID, authentication protocols, and need-to-know procedures for personnel access.
Workstation use policies and procedures describe appropriate workstation functions and how they should be performed (e.g., logging off before leaving a terminal unattended). Secure workstation location policies help limit unauthorized viewing of monitor screen displays. Often this means simply positioning the screen so visitors are unable to see it. Physical controls for locking individual workstations and computer installation sites need to be designated.
Office-level security procedures are also included here. These address how patient records are physically maintained and protected from unauthorized access.4
Citation Number: Vol. 5, No. 3, Page 161