Education, HIPAA / HITECH Enforcement, OCR HIPAA Audits

Re-posting of Lunch and Learn Educational Link

Lunch & Learn – Part 1 Office for Civil Rights & the KPMG HIPAA Audit Program with RISC Management and Consulting
Part One
Part Two


Data Breach, Education, HIPAA / HITECH Enforcement, Tip of the Week

Physical Security – First Line of Defense, First Point of Failure

When an organization is developing or maintaining its information security program, it often cruises through the physical security portion. It is fairly straightforward to have locks, cameras, and guards. However, these simple requirements can be deceptively complex to implement in each organization.

One specific and common point of failure is the security personnel and front desk staff. Many organizations contract externally for security staff, and while this can be beneficial in multiple ways from an administrative standpoint, certain considerations must be addressed for it to truly be a success. Vendor staff receive education and training on general security tasks, but may not receive training on the importance of information security. Vendor resources are meant to be transportable, able to fill roles in various industries. Therefore an organization outsourcing its security resources must be prepared to train those resources on industry- and company-specific best practices and requirements. It must also verify that the personnel are performing as expected, in order to evaluate the effectiveness of the training and the focus of the staff. Contracting for social engineering testing is an effective way to test the penetrability of an organization's physical defenses. Will your staff recognize that a visitor taking camera-phone pictures near a sensitive environment has crossed a boundary?

Information security is everyone's responsibility. It is crucial that each individual understands and follows through with their part to ensure an organization's information, its most valuable asset, is protected. Physical security modifications are often brought about in response to an incident. When physical security is approached holistically and proactively, as other compliance standards are, there is more assurance and reliability in the program as a whole, thereby reducing the risk of compromise, loss of compliance status, and loss of reputation.

A security program is not meant to be a set of stand-alone components; it is meant to be an organized program in which each process is intertwined with and lends strength to the other pieces. Physical security is a first line of defense, and training staff appropriately will strengthen that defense when the training is designed to relay its content efficiently and demonstrably.

For assistance in evaluating and improving your physical security program, including social engineering penetration testing, please contact RISC Management and Consulting at 800.648.4358.


Security Rule Standards – 164.308 & 164.310