54 Journal of Regulatory Compliance Vol. I
to the administrative safeguards, the “addressable” measures to physically protect e-PHI demonstrate the government’s hesitation to mandate strong and effective security practices, perhaps for fear of an onerous one-size-fits-all solution. The addressable measures include: (1) procedures to allow facility access to restore lost data; 57 (2) policies and procedures to safeguard data from unauthorized physical access, tampering, and theft; 58 (3) procedures to control and validate a person’s access to the facility and to software programs; 59 and (4) policies and procedures to document repairs and modifications to the physical components of a facility (e.g., doors and locks, windows, and hardware). 60
3. Technical Safeguards
The technical safeguards and implementation specifications are perhaps the most effective tools to combat cyber-attacks and, at least in theory, the government’s most useful tool to incentivize improvement of cybersecurity practices in the healthcare industry. However, the breakdown between “addressable” and “required” measures once again casts doubt on the impact the law can have to change industry behavior.
There are five technical standards set forth in the Security Rule, only three of which contemplate mandatory (i.e., required) measures. First, the regulations call for implementation of “policies and procedures for . . . systems that maintain [e-PHI] to allow access to only those persons or software programs that have been granted access rights . . . .” 61 Within this standard, there are two required specifications: (1) assignment of a “unique name and/or number for identifying and tracking user identity”; 62 and (2) establishment of procedures for “obtaining necessary [e-PHI] during an emergency.” 63 The second required standard specifies implementation of “hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use” e-PHI. 64 These first two rules are operations-based in that they call for measures to track or access data within the IT system, as opposed to protecting the data from outside threats.
On the other hand, the third mandatory implementation standard is intended, at least in part, to protect data from hackers (or other similar outside
57. Id. § 164.310(a)(2)(i)–(ii) (2013).
58. Id.
59. Id.
60. Id.
61. Id. § 164.312(a)(1) (2013).
62. Id. § 164.312(a)(2)(i)–(ii) (2013).
63. Id.
64. Id. § 164.312(b) (2013).