For many years the prevailing methodology of Healthcare Providers and Payers was to maintain their own datacenters and, for most providers, that meant allocating a significant footprint within their primary clinical facility. The driver for this methodology was twofold: cost and security. Cost is a big important topic that I will address in future posts as there are too many facets to do it justice in a single post. However physical security is more direct.
HIPAA requires the following, “Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion. The standards under physical safeguards include facility access controls, workstation use, workstation security, and device and media controls. The Security Rule requires covered entities to implement physical safeguard standards for their electronic information systems whether such systems are housed on the covered entity’s premises or at another location.”
Whether a covered entity utilizes space within their clinical facility, builds their own data facility or leases wholesale space and manages it themselves, the same rules apply. In all situations, even those with off-site datacenters separate access control, provisioning, policies, management and HR regulations apply. This presents both a burden as well as a risk for those providers who choose to build out a server room within their clinical facility. Inherently the population of people who should have access to the equipment is typically only a small fraction of staff, clinicians, patients, vendors and visitors who occupy the site at any time. The management of a single badge system has proven to be more complicated than providing specialized access devices which require their own overhead. Within these server rooms exist equipment with ePHI and for those without, segmentation of these servers is both inefficient and complex and resulting in expanded access to more staff than actually necessary.
For example, natural and environmental hazards go beyond not locating servers below a dialysis treatment room which could develop a leak, penetrate the ceiling and destroy multiple applications and data stores. I saw this happen just a few years ago. It also means ensuring your applications are safe from environmental disasters as CPOE, EMR and Lab systems are critical to patient care and ensuring their availability is akin to providing physical security.
Depending on the provider's capabilities, certain aspects of HIPAA regulations requirements can be addressed or assisted with meeting beyond what might be feasible with an in-house solution. Being off-site limits the population of potential threats: the access control system is managed by professionals but administered by the provider; environmental risks both internal and external are addressed thru hardened design features; and a density of carriers ensures access via multiple paths.
So the question remains: is ensuring physical security enough of a driver to rethink some providers and payers current model?