One of the less-emphasized areas of cyber security is physical security. HIPAA regulations cover in detail the physical security of computer systems. If you get a HIPAA Risk Assessment and it doesn’t include on-site visits to each location, the Risk Assessment document is incomplete. A growing area of concern is mobile computing and multi-factor authentication using smart phones. With data now readily accessible outside the office, physical security has taken on new meaning.
Breaching the physical security of data systems means that an unauthorized person gains access to data. The unauthorized person is most likely an employee, but could be a client, vendor, criminal or other person. The most common physical data breach happens when a computer system is left logged in and unattended. A curious employee would be able to impersonate an authorized person and gain access to data they should not be seeing.
As part of a HIPAA Risk Assessment, the physical security of a company’s data systems is evaluated. Are the computers in areas secured from unauthorized persons? Very often computers need to be in areas where they intersect with unauthorized persons, such as in a retail environment. In cases like this, computers should be set with short idle timeouts so that they lock automatically when not in use. Laying out a work space so that monitors are not facing public areas is also a good practice.
Local data storage on servers, computers and storage devices must also be protected. The best practice is to keep the servers hosting the data in a secured and locked room. The room must have adequate ventilation to ensure it remains at room temperature. Servers need to be protected from theft so that the data on them is protected.
The latest threat to physical security is the increasing dependence on mobile computing. Smart phones, tablets and laptops are set up to access corporate data with remote access software. Sometimes corporate data is also stored on these devices. Since there is no way to “lock up” a mobile device, precautions must be implemented to protect corporate access to data on the devices. Devices should be protected with a password or biometrics for access. Any data on the devices should be encrypted. The operating assumption from a security perspective isn’t if the device will be lost or stolen, it is when the device is lost or stolen. Without planning and implementing sound policies for mobile devices, a criminal can gain access to corporate data by stealing a mobile device.
The smart phone has become the de facto “token” for multi-factor authentication (MFA). Smart phones serve as MFA tokens either by receiving a text message with a six-digit code, or through apps like Google Authenticator and Microsoft Authenticator. A criminal wanting to impersonate you therefore has a high interest in stealing your cell phone. A recent Wall Street Journal article chronicles how cyber criminals targeted a person and stole his phone to gain access to his MFA (He Thought His Phone Was Secure; Then He Lost $24 Million to Hackers). His estimated loss was over $24 million.
Physical security is often overlooked in our high-tech industry, but it must be considered and planned for in order to protect corporate data.
Click HERE for the HIPAA physical security regulations.