Is securing physical computer hardware as important as cybersecurity? Every day news stories pop up about lax cybersecurity. Just look at the problems of Hillary Clinton and the Democratic National Committee, or the new movie about Edward Snowden.
But the physical security of IT equipment can be even more important. Why would criminals spend weeks trying to crack software when they can simply walk off with the hardware? A single hard drive can hold a company’s entire data set, and it leaves the building far more easily than a network perimeter falls.
Old, discarded hard drives can be the most vulnerable of all because they are easy to forget: drives pulled from retired servers, laptops and copiers often sit in a storage room with nobody responsible for them.
Physical security systems and HIPAA
Crucial here is HIPAA, the Health Insurance Portability and Accountability Act, which Congress enacted in 1996. As the U.S. Department of Health and Human Services’ website explains, data is kept not just by health plans, medical providers and health clearinghouses, but by “contractors, subcontractors, and other outside persons and companies. We call these entities ‘business associates.’”
Business associates can include: billing companies, claims processors, health-plan administrators, medical-records companies, records destroyers and outside lawyers, accountants and IT specialists.
Referencing HIPAA, Larry Anderson of SourceSecurity.com wrote, “Physical security systems can play a big role in helping to keep patient information safe and private, as required by various laws.” He noted AMAG Technology “has developed new capabilities within its Symmetry family of products that allow healthcare institutes to demonstrate their compliance with HIPAA.”
AMAG’s own brochure describes its products: “Symmetry hardware complements our full featured software offering by giving customers everything they could need for a new or retrofit security solution. From door controllers to card readers that provide intrusion management, Symmetry gives you all the latest technology with a backwards compatible guarantee of protecting your investment.”
That’s a lot of hardware, and every one of those controllers, readers and servers stores data, much of it on hard drives.
Federal Information Security Management Act
The importance of hardware security is emphasized in an article on BusinessWire about CoreSite Realty’s successful validation of HIPAA compliance, which means that “CoreSite data centers maintain stringent compliance standards for data center operations, security and reliability.” CoreSite also maintains compliance with FISMA, the Federal Information Security Management Act that Congress enacted in 2002 and updated in 2014 as the Federal Information Security Modernization Act.
According to the Department of Homeland Security’s own “FISMA Metrics” report for Fiscal Year of 2017, it is crucial to secure “hardware and software systems and assets…. Identifying these systems and assets helps agencies facilitate their management of cybersecurity risks to systems, assets, data, and capabilities.”
All these regulations heighten the importance of hardware security, especially of hard drives. Anderson’s article described the concerns of Sheila Loy, Director Healthcare Strategies, North America, HID Global. “In fact, HIPAA is just one element in a demanding regulatory environment,” he wrote. “The need to comply is complicated in hospitals by security threats in an environment with high traffic volumes and complex staffing requirements, Loy adds.”
Just think of all the people floating around hospitals in three shifts: doctors, nurses, technicians, patients and visitors.
California’s security requirements are especially strict because, according to Anderson, “hospitals must report any security breach event,” after which “policies, practices and audit trails” are checked by the California Department of Public Health, which then can impose fines if needed.
Ironically, in 2010 the CDPH itself was the victim of a major, physical security breach. Health Leaders Media reported, “A magnetic tape containing sensitive personal and medical information for up to 2,550 residents and employees of 600 Southern California skilled nursing facilities has gone missing in the mail, state officials said.”
It’s clear that data protection is more important than ever. And the surest way to protect data you no longer need is to destroy it entirely: not just the data written on the drive, but the physical hard drive itself. Overwriting only works on a drive that still powers on and can reach every sector, and on solid-state drives wear-leveling can leave copies in spare blocks that a wipe never touches. Shredding the drive removes that uncertainty, which is why NIST SP 800-88 lists physical destruction as its strongest level of media sanitization.