mode.”49 Finally, companies are to identify a security official responsible for
the development of their policies and procedures.50
The foregoing required safeguards are surely beneficial aspects of any
robust cybersecurity program, but they largely focus on operations, as
opposed to mandates specifically targeted at preventing an external breach.
For example, the rules might encourage an entity to allocate just enough
resources to IT security to track who is accessing the information, when it
was accessed, and for what purpose; but such measures will do nothing to
prevent cyber criminals, whose methods are constantly changing, from gaining
unauthorized access in the first place. Further, general compliance practices
and basic technical protections such as data backups are already prevalent.
As the “addressable” measures set forth below illustrate, nothing in the rules
requires serious and uniform (i.e., industry-wide) investment in
administrative cybersecurity measures, even for measures widely used in
other industries that can be understood by laypersons throughout the
organization.
The addressable administrative safeguards regulations, on the other hand,
confront a host of prevalent cybersecurity risks that have in fact caused recent
external data breaches. These non-mandated administrative measures
include the following: (1) “[p]rocedures for guarding against, detecting, and
reporting malicious software;”51 (2) “[p]rocedures for monitoring log-in
attempts and reporting discrepancies;”52 (3) “[p]rocedures for creating,
changing, and safeguarding passwords;”53 (4) “[p]rocedures for periodic
testing and revision of emergency contingency plans;”54 and (5) “[assessment
of] the relative criticality of specific applications and data….”55
2. Physical Safeguards
Physical safeguards require the covered entity or business associate to
implement policies and procedures to limit “physical access” to its electronic
information systems and the facility or facilities in which they are housed,
while also ensuring properly authorized access is allowed.56 This
implementation standard does not address the primary cybersecurity risks
which emanate from hackers using computers outside the facility where
e-PHI is stored. Nonetheless, all data is at risk because of its value and, similar
49. Id. § 164.308(a)(7)(ii)(A)–(C) (2013).
50. Id. § 164.308(a)(2) (2013).
51. Id. § 164.308(a)(5)(ii)(B) (2013).
52. Id. § 164.308(a)(5)(ii)(C) (2013).
53. Id. § 164.308(a)(5)(ii)(D) (2013).
54. Id. § 164.308(a)(7)(ii)(D) (2013).
55. Id. § 164.308(a)(7)(ii)(E) (2013).
56. Id. § 164.310(a)(1) (2013).