(c) Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized
Tell Me More:
The Workstation Security standard covers secure workstation location, that is, the general physical surroundings of the workstation. Securing the workstation location may call for physical safeguards such as walls, kiosks or hoods that limit the visibility of monitors. It addresses issues such as:
- Physical attributes of the surroundings
- The sensitivity of data to be accessed from a site
- Monitor positioning (screens turned away from public)
For example, a terminal used to access sensitive information may be placed in a locked room, with access to that room restricted to authorized personnel. Another example is not placing a terminal used to access patient information in any area of a doctor’s office where the screen contents can be viewed from the reception area. Screens should be turned away from the public.
Questions to consider:
- Is access to the building controlled?
- Is access to the computing facility controlled?
- Are systems adequately protected from theft?
- Are procedures in place to adequately dispose of confidential information per HIPAA requirements?
- Are workstations secured after hours?
- Are the activities of the cleaning crew monitored?
- Are data backups sent to an off-site location for safe storage?
- Have procedures been developed for testing and revision of applications and systems?
- Are members of the workforce trained on key security issues?
- Has the organization implemented physical safeguards to eliminate or minimize unauthorized access/viewing of health information on workstations?
Related NIST guidance:
- NIST SP 800-12, Chapter 15: An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-34: Contingency Planning Guide for Information Technology Systems
- NIST SP 800-18: Guide for Developing Security Plans for Information Technology Systems
- NIST SP 800-26: Security Self-Assessment Guide for Information Technology Systems
- NIST SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems