The Importance Of Physical Server Security For Privacy Protection (HIPAA, HITECH, PII, PHI)

The doctor insisted on knowing our physical security arrangements.  We explained that our servers run in a building designed for securing telecommunications equipment and staying online 24/7 with battery backup and powerful generators.  We shared that the building required electronic key cards to enter, security cameras monitoring who accessed the building and the cage required an actual key to unlock and enter. We closed by saying that all keys were under the control of our infrastructure coordinator and had to be checked out to leave his office.

At this point, we smiled and pointed to his server, and asked how his security compared to that.

The server sat under the reception counter ten feet from the front door.   Even more troubling; the admin password for the server was taped to the side of the box, as it seemed the server needed rebooting every few days and the doctor felt the IT professional was too expensive to bring out every time.  While this is an extreme example, it highlights a serious issue affecting the small healthcare business; how to physically safeguard data without spending huge sums of money.

HIPAA and HITECH both have compliance exemptions for small practices.  But, and this is an important but, those exemptions only protect covered entities as long as they follow “best practices”.  In this situation, the doctor likely could not fall back on the small practice exemption because no safeguard existed to protect the server.  Compromised data could result in penalties and public exposure costing the practice money and patients.  The small practice exemption is both a blessing and a curse: It can keep doctors from spending money with no real payback, but it means that the risk doesn’t go away if reasonable steps are not taken.

What can a small practice do to enhance physical security without spending a large sum of money? To begin, everyone must appreciate that the server itself is not the target; it is the sensitive information on the server someone wants.  Best practice for hosting an on-premise server means the office should not use a room in a high traffic area and limit server access to a select few.  It may require retrofitting an area in the back of the office to offer a secured area to house the server.  An electrician will likely have to reroute network cables to this new room and HVAC technicians may possibly need to put in a new cooling vent to keep the room at the proper temperature.  As you can see, costs begin to mount when physically securing the server becomes important.  Unfortunately, the small healthcare practice often overlooks server security when designing the office. What other alternatives exist?

The practice can evaluate the physical security strengths of renting its own space in a facility designed to run and protect computer equipment.  With this approach, the doctor has the benefit of sharing the facility cost with other businesses using the site, but now someone has to travel to the building to handle server issues that arise.  While physical security increases, so too does the cost of managing technical and administrative security.

The practice can also look at a complete off-premise solution to securely host their applications, store data, and provide secured access to users anywhere.  A service like this, whether vendor-based Software as a Service, or a virtual desktop like that delivered by Argentstratus, uses sophisticated security measures and then shares that cost with all users of the system. This approach reduces the cost of physical security to pennies an hour and frees the practice to use the space for treatment instead of storage and security.

Information security starts with making sure people cannot get easy access to the server.  This comes at a cost to the practice.  To house equipment on-premise requires giving up treatment rooms for server rooms.  To move off-premise will require the doctors to know and trust the service provider and insist on practice-centered Business Associate agreements, but in the end, the risk of data loss is real.  Knowing this and dealing with it early will allow the practice to adapt and create best practices that allow doctors to practice medicine, not IT.

About The Author: John Caughell is the Marketing Coordinator for Argentstratus. They are leading experts in the field of cloud technology for the medical industry. If you have any concerns about privacy and security for PII or PHI in the cloud, get in touch with them.