and reporting malicious software;159
2. Implement procedures for monitoring log-in attempts
and reporting discrepancies;160
3. Implement procedures for creating, changing, and
4. Implement procedures for periodic testing and revision
of emergency contingency plans.162
With respect to physical safeguards of e-PHI, the Security Rule should be
amended to change two “addressable” standards to “mandatory.”
Specifically, covered entities should be required to adopt administrative
policies and procedures to: ( 1) allow the facility access to computers and
networks in order to restore lost data; ( 2) safeguard e-PHI from unauthorized
physical access, tampering, and theft; ( 3) control and validate a person’s
access to the facility and to software programs; and ( 4) document repairs and
modifications to the physical components of the facility.163 These measures
are largely aimed at preventing malicious physical interaction with
computers and networks onsite. Although the most significant risk facing
healthcare entities comes from cyber criminals conducting operations through
internet channels, physical safeguards are important as well, as the McGraw
case discussed herein demonstrates.
Finally, the technical safeguards in the Security Rule should be amended
in the manner below.
1. Under the “automatic logoff” specification, covered
entities should be mandated to implement electronic
procedures that terminate an electronic session after a
predetermined time of inactivity.164 This limits the
window during which an unattended or hijacked session
remains open as a channel an attacker can abuse, whether
to send malicious traffic into the system or to pull data
out of it.
2. Under the “encryption and decryption” specification,
159. 45 C.F.R. § 164.308(a)(5)(ii)(B) (2013).
160. 45 C.F.R. § 164.308(a)(5)(ii)(C) (2013).
161. 45 C.F.R. § 164.308(a)(5)(ii)(D) (2013).
162. 45 C.F.R. § 164.308(a)(7)(ii)(E) (2013).
163. 45 C.F.R. § 164.310(a)(2)(i)–(ii) (2013).
164. 45 C.F.R. § 164.312(a)(2)(a)(iii) (2013).