wchp
Mar 22, 2010 (Luminary)
Disk/Volume Encryption
With the recent introduction of MA CMR-17 law, most businesses are now required/encouraged to encrypt all customer data. What if any timeline is there for the Readynas products to support AES encrypt...
wchp
Oct 20, 2010 (Luminary)
Physical safeguards account for 24% of the Security Rule, but the requirements are fairly vague. Regarding physical access controls, the rule has an addressable implementation specification that states, "Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision."
Actual HHS documentation on Physical Security: http://www.hhs.gov/ocr/privacy/hipaa/ad ... guards.pdf
|"Covered entities must implement facility access controls as a part of their physical safeguards. The HIPAA Security Rule defines that as "policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed."
Four implementation specifications are included in this standard, all of them addressable:
contingency operations,
facility security plan,
access control and validation records, and
maintenance records.
The first embraces the establishment -- and if necessary implementation -- of "procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency." (Both types of plan are required implementation specifications of the contingency plan standard.)
The second includes policies and procedures "to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft."
The third relates to policies and procedures that "validate a person's [physical] access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision." This is the physical analogue of the "need to know" information access limits described by the minimum necessary rule.
Taken together, the second and third could include such measures as sign-in and/or escort for visitors to the areas of the facility that contain information systems hardware or software. But this would depend on the covered entity's particular circumstances. While some sort of physical access control is obviously necessary for every facility, the particulars will vary considerably. (For that reason, as noted, all of these are addressable rather than required specifications.)
The last of the four covers policies and procedures "to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors and locks)."
As with all the other specifications, policies and procedures are required to be "formal, documented" ones."| ~UofM-Miller School of Medicine