
Maintaining HIPAA-Mandated Physical Security and Controlled Access: Is an In-house Solution the Best Solution?

Don Lisco
October 9, 2013

For many years the prevailing methodology of healthcare providers and payers was to maintain their own datacenters and, for most providers, that meant allocating a significant footprint within their primary clinical facility. The driver for this methodology was twofold: cost and security. Cost is a large topic that I will address in future posts, as there are too many facets to do it justice in a single post. Physical security, however, is more direct.

HIPAA requires the following: “Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion. The standards under physical safeguards include facility access controls, workstation use, workstation security, and device and media controls. The Security Rule requires covered entities to implement physical safeguard standards for their electronic information systems whether such systems are housed on the covered entity’s premises or at another location.”

Whether a covered entity utilizes space within their clinical facility, builds their own data facility, or leases wholesale space and manages it themselves, the same rules apply. In all situations, even those with off-site datacenters, separate access control, provisioning, policies, management and HR regulations apply. This presents both a burden and a risk for those providers who choose to build out a server room within their clinical facility. The population of people who should have access to the equipment is inherently only a small fraction of the staff, clinicians, patients, vendors and visitors who occupy the site at any time. Managing this through a single badge system has proven more complicated than providing specialized access devices, which require their own overhead. Within these server rooms, equipment holding ePHI sits alongside equipment that does not; segmenting these servers is both inefficient and complex, and the result is that access is extended to more staff than is actually necessary.

For example, protecting against natural and environmental hazards goes beyond not locating servers below a dialysis treatment room, which could develop a leak, penetrate the ceiling and destroy multiple applications and data stores. I saw this happen just a few years ago. It also means ensuring your applications are safe from environmental disasters: CPOE, EMR and lab systems are critical to patient care, and ensuring their availability is akin to providing physical security.

Depending on the provider's capabilities, an off-site facility can address, or help the provider meet, certain HIPAA requirements beyond what might be feasible with an in-house solution. Being off-site limits the population of potential threats: the access control system is managed by professionals but administered by the provider; environmental risks, both internal and external, are addressed through hardened design features; and a density of carriers ensures access via multiple paths.

So the question remains: is ensuring physical security enough of a driver to rethink some providers' and payers' current model?
