Workstation Use
In Part II of our HIPAA Security breakdown, we'll be talking about the next portion of the Physical Safeguards, Workstation Use. Workstation Use (Standard §164.310(b)) may be the most dynamic piece of HIPAA's Security Rule, at least as far as physical security is concerned, while being one of the shortest in length. The standard asks you to "implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information." HIPAA defines a workstation in the Security Rule (§164.304) as "an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment." As it stands, almost every computer you will ever access is a workstation, and so are the USB drives, backup media, and printed output sitting next to it.
Over the course of a day in a healthcare organization, nearly every employee comes into contact with confidential PHI in some form. For those who access such data electronically – or have the ability to – Workstation Use is a vital set of policies to implement. PHI can be compromised on any workstation through several potential threats or vulnerabilities. By creating and enforcing these policies and procedures, you can reduce the inherent risk of accessing PHI electronically.
You may be thinking, "How can we be compromised? The computers are in the office, where no one else has access!" or "We don't need a policy that tells people which websites they can't visit!" While those examples may seem like common sense, HIPAA requires the policies to be in place nonetheless, and for good reason.
Whether it is something as innocent as an employee curiously clicking a Facebook link, following a pop-up ad, or simply downloading a file they believed to be safe, the potential for malware to infect a workstation is not negligible. A simple keylogger records every keystroke typed on a machine, compromising any patient data entered from the moment it was installed onward. The recent rise of ransomware presents another cause for concern: a single email attachment or wrongly trusted file, and your entire database could be encrypted and held for ransom. Even leaving a computer logged in and unattended poses a risk of unauthorized access to information.
These scenarios are the reason why Workstation Use, coupled with Part III's topic of Workstation Security (§164.310(c)), is key. Bring together a task force to construct policies and procedures that reinforce the security of your practice's PHI. Set a policy that requires logging off or locking the screen before stepping away from a workstation, and back it up with an automatic screen lock after a short period of inactivity, since a policy alone depends on everyone remembering to follow it (HIPAA lists automatic logoff as an addressable implementation specification under the Technical Safeguards, §164.312(a)(2)(iii)). Add a policy that ensures usernames and passwords are never written down where others can see them. Another policy might detail monitor position so that visitors and patients do not have a line of sight to PCs displaying PHI. Requiring privacy filters on screens in public-facing areas might even be a possibility.
Use the eyes of an outsider.
From the time you (or they!) walk into your clinic and up to the front desk to schedule an appointment, to the point of seeing the providers themselves, have you left any PHI or security-compromising information visible? Unlocked screens, monitors facing the waiting room, sticky notes with passwords, or printouts left at a shared printer all count. From there, move on to how each exposure you found can be prevented.
Security is a moving target, and our goal at NeKY RHIO is to assist you in meeting and surpassing HIPAA requirements. If you're curious about how your clinic or healthcare organization is currently handling its information technology security, as well as HIPAA's Security Rule in general, we can help.