Logical security covers things can be visualized but are intangible, including data, applications, and information.
Physical security covers things you can see, feel, or touch, including phones, tablets, paper, or computers. This type of security includes being mindful of unauthorized people looking over the healthcare personnel (HCP)'s shoulder to observe the entry of passwords and other authentication, PHI, or other sensitive data (known as “shoulder surfing”).
|Logical Security||Physical Security|
Control of access to ePHI
Protection of physical forms of PHI while traveling through opaque cover sheets and envelopes
Monitor positioning to avoid unauthorized viewing
Use of headphones to avoid unauthorized hearing
According to the Center for Internet Security (2020), a threat actor is a person or group that has the potential to do harm to an organization, its information system, people, or data. This entity can impact the HCP in the form of intercepting communication (network) through inefficient encryption, successful phishing attempts through email and/or text message, and/or modifying/destroying data.
Included in system security are considerations needed to protect mobile (tablet, laptop, phone) and stationary (desktop computer, printer, fax, scanner) devices. Security requirements to ensure smooth processing and functioning of the system include updating software as manufacturer patches become available, malware protection with up-to-date signatures and application revisions, and managing mobile devices. Stationary systems (desktop computers, printers, scanners) have similar protection requirements.
Email is used heavily in interactions between the HCP and the patient. Free email such as Yahoo or Hotmail may not have the security appropriate for the protection of PHI and other sensitive data. The HCP should avoid using this type of email solution, defaulting to send messages through the EHR, corporate email, or approved telehealth medium.
With email and text messages on mobile devices, threat actors may send messages that appear to come from valid sources (e.g., management, credit cards or banks, family). This is where vigilance in managing systems and paying attention to communication methods are key. Refer to Data Security and Privacy for helpful tips on addressing communications security.
Mobile device security is important for managing the security and privacy of data. The following are security best practices for mobile devices per ONC (2020) for addressing the security of data and cellular systems. They are to:
Open or public wireless access points for WiFi can cause data loss or integrity concerns due to minimal security settings. Threat actors can mimic these WAPs, setting a “trap” for users to steal information or credentials.
Health data will need to be protected in storage (database, EHR), traversing across the network (email, entry into the EHR across the network), or actively in use by patients’ wearable health technology (e.g., blood sugar monitors). Threats and vulnerabilities with data stored, in transit, and in use include:
For email and text messages, the following are key points to reduce the risk of malware injection with devices:
Approved telehealth technology communication methods include:
Unapproved telehealth technology communication methods include:
Authored by Cindy Ebner, MSN, RN, CPHRM, FASHRM and Tamika K. Williams, MSIT.CS, CISM, CISSP, CAP, SSCP, HCISPP, COBIT 5 Foundation/Implementation