General Considerations

  • When creating strong personal information security measures, physical safeguards serve as a primary line of defense from potential threats.
  • To understand the physical security risks that organisations face, consider these scenarios:
    • An employee reviews sensitive data on their phone while at a restaurant, and doesn’t notice someone nearby looking at their screen.
    • An employee loses their laptop, and the information on the drive is not encrypted.
    • An employee steps away from their desk to refill their coffee cup, leaving patient information displayed on their monitor or desk as an unauthorised viewer walks by.
    • A disgruntled employee takes photos of documents left on a printer, information displayed on a screen, and log-in credentials taped to a computer monitor.
    • Obsolete laptops or desktops are donated to the local creche without fully erasing the hard drives.
    • A doctor’s office closes and throws patient records in the dumpster without shredding them.


Proper Disposal of Personal Information

  • As organisations transition patient health information from paper to electronic files, it is important that they ensure those paper files are eventually disposed of properly.
  • Internationally acceptable methods for paper records disposal include burning, shredding, pulping, or pulverizing the records until they are unreadable.
  • Improperly disposed paper records pose a notable threat to privacy as organisations seek to get rid of these kinds of records. Data breaches due to improperly disposed paper records are increasing.
  • Paper files include such information as patient names, addresses, phone numbers, blood types, and credit card numbers with expiration dates and security codes. The files also include copies of identification documents, driver’s licenses, copies of medical scheme benefit cards, prescriptions for lab work, lab results, and medical diagnoses.


Facility Security

  • Healthcare facilities also need to ensure facility security to protect against potential thieves. Stealing personal and health information storage devices is appealing to thieves because it allows them to access a large amount of sensitive data in one place.
  • There is also the issue of thieves who may not necessarily wish to access patient data and just want to steal devices. Because of the value of the equipment, medical practices are lucrative targets for those looking to sell medical devices for profit. Although these thieves may not be interested in the personal and health data, the information is still improperly disclosed, and it is imperative that healthcare organisations protect against these kinds of issues.
  • Device theft that can result from improper facility security includes the theft of thumb drives and even laptop computers.


Access Controls

  • Access controls, or the way a medical practice vets and controls who is viewing personal and health information, are critical to implementing adequate physical safeguards. By restricting someone’s access, a practice can guard against information falling into the wrong hands.
  • Generally speaking, healthcare professionals should only access the minimum amount of patient information necessary in order to complete their care. For example, if a practitioner doesn’t need to know about a patient’s mental health, they will not be able to access their mental health records.
  • However, studies show that these kinds of access controls are not adhered to.


Physical Security: General Guidelines

Printers, Photocopiers and Fax Machines

  • Locate printers and fax machines in an area that is accessible by authorised staff only.
  • If you print something, retrieve it from the printer immediately.
  • Do not leave original material in photocopiers or fax machines.

On the Phone

  • Be aware of your surroundings, including during cell phone conversations. Be mindful of eavesdropping.

In Meeting Areas

  • Clean the whiteboard of sensitive information when the meeting is over.
  • After a meeting, double-check that sensitive information, including documents, is removed from the meeting room.

Mobile Computing

  • Ensure your laptop and personal digital assistant (PDA) are encrypted and/or password protected.
  • Never leave your laptop/PDA items in view in the car.
  • Never leave your laptop/PDA items or mobile phone unattended when travelling or in any other public place.
  • When using a laptop outside of the office environment, ensure that your screen cannot be viewed by anyone other than you.

Clear Desk and Environment

  • When you are away from the office, sensitive information (paper files and computer media) should be locked in secure cabinets. Do not leave materials unattended in open, unsecured areas such as printers, copy machines, fax machines or meeting rooms.
  • All sensitive information for disposal should be destroyed or erased in a secure way.