Risk: Lack of guidelines governing the physical protection of electronic devices
Explanation: The electronic devices used to access ePHI need to be physically protected from theft and unauthorized access. If they are not, unauthorized persons can gain access to these devices and the ePHI on them will be compromised. Physical protection of devices is as important as the other security mechanisms used to protect ePHI. It is often overlooked, while measures such as authorization and authentication are given more attention. But the loss of a mobile device, laptop or tablet poses the same degree of risk as any other unauthorized access.
Major Mitigation: Policies laying down the measures to be adopted for each type of electronic device, as appropriate, need to be defined. For example, if it is appropriate to keep desktops and other electronic devices in locked rooms to prevent unauthorized access, a policy to that effect should be in place. Policies must also cover portable electronic devices and, if needed, define mechanisms for tracking their use and for checking whether they are returned before staff leave the workplace.
Success Criteria: Regular audits, together with physical checks of the environment to confirm the protections in place, give a clear picture of whether the policy is being followed and whether additional measures are needed. Risk assessment reports can also be consulted to determine whether these risks are present.
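The tracking mechanism and the audit described above can be made concrete as a reconciliation of a device inventory against a checkout ledger. The following is an added example, not part of the original page or any HIPAA guidance: the inventory, the ledger format (device id, action, ISO timestamp), the device ids and the 18:00 end-of-shift cutoff are all constructed assumptions, chosen so that each category of finding an auditor would want to see appears at least once.

```python
from datetime import datetime, time

# Device classes that a portable-device policy would track (assumed categories).
PORTABLE_TYPES = {"laptop", "tablet", "phone"}

# Constructed asset inventory: device id -> type and assigned custodian.
INVENTORY = {
    "LT-0001": {"type": "laptop", "custodian": "alice"},
    "TB-0002": {"type": "tablet", "custodian": "bob"},
    "LT-0003": {"type": "laptop", "custodian": "carol"},
    "PH-0005": {"type": "phone", "custodian": "dave"},
    "DT-0004": {"type": "desktop", "custodian": None},  # fixed in a locked room
}

# Constructed checkout ledger for one working day: (device id, action, timestamp).
LEDGER = [
    ("LT-0001", "checkout", "2024-03-04T08:05:00"),
    ("TB-0002", "checkout", "2024-03-04T08:10:00"),
    ("LT-0003", "checkout", "2024-03-04T08:30:00"),
    ("XX-9999", "checkout", "2024-03-04T09:00:00"),  # id not in the inventory
    ("LT-0001", "return", "2024-03-04T17:20:00"),
    ("TB-0002", "return", "2024-03-04T18:45:00"),  # returned after the cutoff
]


def last_state(ledger):
    """Map each device id to its most recent (action, timestamp) entry."""
    state = {}
    # ISO 8601 timestamps of identical format sort correctly as strings.
    for device_id, action, ts in sorted(ledger, key=lambda entry: entry[2]):
        state[device_id] = (action, datetime.fromisoformat(ts))
    return state


def reconcile(inventory, ledger, end_of_shift=time(18, 0)):
    """Compare the ledger with the inventory and return audit findings.

    unreturned:            last ledger action is a checkout (device left the site)
    late_return:           returned, but after the end-of-shift cutoff
    unknown_device:        ledger references an id that is not in the inventory
    portable_never_logged: a portable device with no ledger entry at all
    """
    findings = {
        "unreturned": [],
        "late_return": [],
        "unknown_device": [],
        "portable_never_logged": [],
    }
    state = last_state(ledger)

    for device_id, (action, when) in state.items():
        if device_id not in inventory:
            findings["unknown_device"].append(device_id)
        elif action == "checkout":
            findings["unreturned"].append(device_id)
        elif action == "return" and when.time() > end_of_shift:
            findings["late_return"].append(device_id)

    for device_id, info in inventory.items():
        if info["type"] in PORTABLE_TYPES and device_id not in state:
            findings["portable_never_logged"].append(device_id)

    return findings


def audit_report(findings, inventory):
    """Render findings as plain text lines suitable for an audit record."""
    lines = []
    for category, ids in findings.items():
        for device_id in ids:
            custodian = inventory.get(device_id, {}).get("custodian", "n/a")
            lines.append(f"{category}: {device_id} (custodian: {custodian})")
    return lines or ["no findings"]


if __name__ == "__main__":
    for line in audit_report(reconcile(INVENTORY, LEDGER), INVENTORY):
        print(line)
```

Each finding maps to a question the physical check should answer: an unreturned laptop is a device that may be sitting in a car or a home, a late return means the cutoff is not enforced, an unknown id means something is being signed out that the inventory never recorded, and a portable device with no ledger entry at all means the tracking mechanism is being bypassed. The desktop is deliberately excluded, since its control is the locked room rather than the ledger.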