Security-Physical

This is the third blog post in a series dealing with HIPAA compliance and covers physical security.  The computer, the workstations, and the network will be covered in subsequent blogs.

The format is a series of appropriate questions to you on areas of concern in your and your supplier's domains with respect to the HIPAA required, documented Security Risk Assessment, and Business continuity plan.

As a reminder, some of these questions are economic decision points that your business can make. 

Physical

  • Do you have a corporate and or Facility Security Officer?


  • Do you have industrial grade locks on all the doors to your covered facility?


  • Do you have industrial grade locks on doors into your computer room, network appliance room, and patient file room?


  • Do you have substantial doors into your computer, network appliance room, patient file rooms?


  • Do you inventory tightly control facility keys?


  • Do you have a living documented list of who has keys and access codes to what?


  • Do you regularly change the access codes?


  • Do you have a monitored after hours alarm system?


  • Do you have electronically monitored windows, if any, into your computer room, network appliance room, patient file room, or any other area that might contain patient data?


  • Do you have electronic access to your facility?


  • Do you tightly manage in a controlled and documented manner facility and alarm access codes?


  • Do you electronically log of access to your facility?


  • Do you have a battery or other power to your desktop and network appliances that would last long enough for an orderly shutdown of the devices in case of a power failure?


  • Do you have a battery or other power to your desktop, network, or computer appliances that would last long enough to sustain operations for a defined period of time for the devices in case of a power failure?


  • Do you have an inventory of desktops, network appliances, and power supplies?


  • Do you at some frequency check that inventory?


  • Do your telephones go down in case of a power failure?


  • Do you have or need a few phones in your facility that operate online power?


  • Do you have phone and data services comingled?


  • Do you have a plan for rerouting inbound calls from patients, doctors, or suppliers to another facility in case of an extended facility outage?


  • Do you have a defined perimeter behind which the only HIPAA trained personnel or escorted people have access?


  • Do you routinely document and log guests into and out of your facility?


  • Do you have management controlled photo security badges for office and corporate personnel?


  • Do you have a recording camera system covering critical areas of your facility?


  • Do you have a documented policy for reporting physical security breaches?


  • Do you have documented policies for granting and revoking privileges for new hires and terminated employee that keep the facility secure at all times?


The list goes on but the above questions typify the questions MediFacts has asked itself and addressed for our own facilities. Medifacts can help you through the HIPAA compliance issues surrounding physical security.

Business Continuity Planning

This is the second in a series of Blogs concerning your business including some of the requirements for HIPAA and HITEC compliance and in particular addresses concerns around Business Continuity Planning.

This blogs will cover these five areas dealing with Business Continuity Planning: Definitions, The Computer, The Network, The people, and monetary decision points.

Definitions and Beliefs

First two academic definitions:

Business continuity planning is the activity performed by an organization to ensure critical business functions will be available to customers, suppliers, regulators, other entities, and themselves in order to keep functioning in the case of adversity.

And, from the Gartner Group in their comprehensive study of Medical Systems.

“A business continuity plan should include: a disaster recovery plan, which specifies an organization's planned strategies for post-failure procedures; a business resumption plan, which specifies a means of maintaining essential services at the crisis location; a business recovery plan, which specifies a means of recovering business functions at an alternate location; and a contingency plan, which specifies a means of dealing with external events that can seriously impact the organization. “

HIPAA and HITEC focus on security and the protection of patient data during any of the above scenarios. Medifacts cares about your whole Business too.

There are three homilies around Business Continuity Planning learned the hard way to keep in mind:

“There are only two kinds of computer systems in the world; those that have gone down and those that will”

And, inexplicably, “Systems with well thought out plans will be less likely to have a need to use them”

“An ounce of prevention is worth at least a pound of cure”


Can’t prove these beliefs but they can be considered facts earned in battle.

Medifacts used all these definitions and beliefs in developing our Business Continuity Plan since we are concerned about our whole business and our customer’s whole business. We widened the scope to include steps taken so problems up to force majeure never happen or can be mitigated in a manageable manner.  Indeed, the worst case scenario, force majeure, is the clearest cut problem to solve.

 Here are four categories containing tip of the iceberg questions to think about and address when creating a living Business Continuity Plan.

The Computer system


  • Do you have all the roles, responsibilities, and contact mechanisms of your people and critical suppliers identified for up to and including disaster mode?
  • Do you have a documented, detailed, executable set of understandable instructions in a secure, always accessible place from anywhere, for recovery in case your Company Hero is not available?
  • Do you have in a secure, always accessible Internet from anywhere the User Ids and passwords necessary for recovery or are they on the Company Hero’s private inaccessible files?
  • Do you ever let the backup hero try to run the backup scripts?
  • Do you have someone in charge of disaster recovery aka “On Scene Commander”?
  • Do you have a reliable, readily available, secure backup of the patient data that is really capable of getting the system back online? 
  • Do you regularly move your backup way off site?
  • Do you archive backup or just a copy?
  • Do you at some frequency test load the backup?
  • Do you only have one copy of the backup?
  • Do you accept that a 23-hour old backup is adequate?
  • Do you run on a near fault tolerant hardware and software platform?
  • Do you run temperature tolerant hardware?
  • Do you practice a disaster backup to an alternate site?
  • Do you have remote management capability on your hardware systems in case your primary computer facility is not assessable?
  • Do you have some flavor of RAID or RAID (Redundant Array of Independent Disks)  to protect and recover your data in case of a minor soon to be a major glitch?
  • Do you have backup power and if so for how long?
  • Do your workstations have backup power and for how long?
  • Does your computer alert you in real-time if it gets sick?
  • Do you know the MTTR (Mean Time To Repair) on your hardware?


The Wide Area Network (internet connection) and Local Area Network (LAN)

  • Do you have or need multiple pipes (independent path ISPs) into and out of your facility?
  • Do the pipes auto failover if one pipe goes down?
  • Do you get a pipe failure alert so you can immediately remediate the problem to reduce MTTR (Mean Time To Repair)?
  • Do you have each pipe sized so a single pipe can carry the full load at a slightly degraded response time?
  • Does your actual network speed equal at least half the nameplate capacity during business hours?
  • Do you have a single point of failure on you LAN?
  • Do you have a properly configured spare for the single point of failure devices to reduce MTTR?
  • Do you have backup power for the network appliances and if so for how long?
  • Do you have immediately available trained network personnel familiar with your network?
  • Do you know if all the pieces of an internet transaction are encrypted?
  • Do you issue warnings about or strictures against accessing your system on an unencrypted network?


The people

  • Do you have people after the disaster?
  • Do you know exactly how to contact them and your key suppliers in a disaster?
  • Do you have clear documented instructions on alternate ways to contact you in the case of a disaster?
  • Do you have clear documented expectations of your employees and suppliers in a disaster?
  • Do you have key personnel identified?
  • Do you have a backup for key personnel with access to enough appropriate information to carry on if the Company Hero is gone?
  • Do your people have a designated, available, adequately equipped place to work in case their primary workplace is gone or unavailable for an extended period of time? 
  • Do you have employee created work files on your backup menu?
  • Do you have business critical subsystems not a part of your core product on your backup menu?
  • Do you have paper files and how long could you operate without them?
  • Do you have a customer communication plan?
  • Do you have a way to reroute your incoming phone lines if your phone switch is down to support hot line and normal customer communications?


Monetary decision points

The monetary reality answers to many of the above questions with the exception of having a secure backup of the patient data could legitimately be no; instead of the implied correct answer yes. The company owner, Practice owner, or supplier could just say no as a business decision.  The positive answers to some of the questions are only applicable if you have the scale to support the expenditure. Each step along the trail has an attendant risk that you as a business owner may decide to take. Hard today currency vs. maybe future money is a subjective equation.

Medifacts has internally asked and answered all the above questions and a legion of others about Business continuity. Medifacts takes recovery and our customers seriously.

For current or prospective Medifacts customers we would look forward to reviewing our BCP with you in enough detail as you might need or could stand.

In addition, we can work with you on your specific HIPAA compliance steps. 

HIPAA and HITEC Compliance Attestations

People in the medical field and their attendant suppliers regularly attest the practice or company they own or work for is HIPAA and HITEC Compliant. These attestations are legal documents.

Unfortunately, if recent CMS inspections for HIPAA compliance are indicators, many are not compliant. The resultant penalties for some of the inspected facilities have been in the millions of dollars not to mention the PR embarrassment of being formally judged noncompliant.

One can appeal the inspector’s judgment, but the appeal process causes an addition expenditure of monies out of your pocket.

Your positive answers to few simple example questions may save you from reading the rest of the article

Please show me your practice, ASC, or covered company’s, management signed, yearly Security Risk Assessment Document.
Please show me your documented HIPAA training records for all your employee’s training sessions.
Please show me the clause in your employee manual delineating the personal consequences for non compliance.
Please show me your documented, detailed Business Continuity Plan that protects the integrity and availability of patient data when a disaster at your facility or your IT provider’s facility happens.
Please show me the document appointing a Security Officer and HIPAA Compliance Officer in your practice, ASC, covered company, or Corporate Entity.
The list of attestation elements and documents goes on but this should be enough to make my case.

For those of you that have positive answers to the above, skip the rest of the blog series and buy Medifacts anyway since we are on the same page. One caveat, these questions were only the tip of the iceberg and you may still not be compliant.

One of the main points Medifacts would like to communicate in this particular blog to the practice, ASC management or company owners is: You can’t just throw HIPAA compliance over the fence to the computer people. As you can see from the questions, there are many activities in HIPAA compliance that are personnel and company policy related.

Many medical sites and covered entities probably are, in spirit and intellectual understanding, HIPAA compliant; they just can’t prove it. One should Document –Document-Document; in some IT cases, be ready to demonstrate compliance with printed reports or screen shots; if there are ambiguities about what needs to be documented, error on the side of documenting; and if definitions get in the way error on the more expansive definitions.

In the next few blogs, through a series of questions, the compliance process will be broken down into pieces with a heavy emphasis on Business Continuity Planning and IT system HIPAA compliance. The questions will not be inclusive enough to guarantee compliance, only thought provoking. When addressing security, business health, and Business Continuity the overlap of these items will be obvious. We all are more secure if we know there are plans to not only protect data but also that we will continue to have a job or company.