Practice Name: __________________________________________ Location: ___________________________ Date: _____________

HIPAA/HITECH Privacy & Security Facility Walkthrough Checklist

This document is a checklist for identifying security risks during a walkthrough of a facility. The items in this checklist are derived from NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations. As such, the items in this checklist are neither required for HIPAA compliance nor a guarantee of HIPAA compliance. However, this checklist can be useful to a health care provider for identifying physical security risks in the facility and can be used as part of an overall risk assessment. The entries in the ID column correspond directly to the control IDs found in the “Physical and Environmental Protection” section of SP 800-53, where more information and guidance can be found on the risks and remediation of each item.

To use this checklist it is suggested that you:

a) Print this document and carry it on the walkthrough
b) During the walkthrough, place checkmarks or x’s in the Yes/No column
c) Get additional information from a facility staff member about items that are not visibly apparent or about policies and procedures controlling access to the facility
d) Make any additional notes in the Notes column
e) After the walkthrough, fill out an electronic copy of the document and provide it to the provider to be included with the other Risk Assessment documentation

Facility Walkthrough Checklist v1.0 Page 1

General Policies

| ITEM | YES/NO | ID | CONTROL DESCRIPTION | NOTES |
|---|---|---|---|---|
| | | PE-1 | Documented policies and procedures that address physical and environmental security. | |
| Physical Authorization | | PE-2 | Method to determine who is authorized to access the secure area of the office (e.g. badges, swipe cards, biometrics). | |
| Inventory of Assets | | PE-3f | Inventory of physical assets maintained. | |
| Delivery/Removal Records | | PE-16 | The organization authorizes, monitors, and controls components containing EHR entering and exiting the facility. | |
| Alternate Work Site | | PE-17 | The facility provides an alternate work site or remote access for employees in the event of an emergency. | |

Facility Access

| ITEM | YES/NO | ID | CONTROL DESCRIPTION | NOTES |
|---|---|---|---|---|
| Visitors Escorted | | PE-7 | Visitors are authenticated and escorted or monitored at all times. | |
| Visitor Records | | PE-8 | Visitor access records exist containing name/organization, signature, form of ID, time of entry and departure, purpose of visit, and person visited. | |
| Access Authorization (Visitors) | | PE-3a, PE-3b | Physical access authorization for visitor access to the secure area of the office (e.g. sign-in sheet, photo ID verification, photo in EHR). | |
| Access Authorization (Staff) | | PE-3a, PE-3b | Physical access authorization for staff access to the secure area of the office (e.g. badges). | |
| Public Area Protected Appropriately | | PE-3d | Access to the publicly accessible area is controlled in accordance with identified risk (e.g. receptionist able to monitor the waiting room, after-hours locks or alarm system). | |
| Secure Area Physically Protected | | PE-3c | Access to the secure area is physically monitored or protected (e.g. receptionist monitors entry, locked door, or security camera). | |

Physical Protections

| ITEM | YES/NO | ID | CONTROL DESCRIPTION | NOTES |
|---|---|---|---|---|
| Keys etc. Secured | | PE-3e | Keys, combinations, and passwords are physically secured. | |
| Locks Changed | | PE-3g | Locks and keys are changed when lost or stolen or upon staff termination. | |
| Monitors Not Visible | | PE-5(2) | Computer monitors are protected from visibility by unauthorized individuals (e.g. by situating them so that they are not visible, or by security filters on screens). | |
| Secure Systems with Access to EHR | | PE-18(2) | Systems with access to EHR are protected from theft by physical location or anti-theft controls (e.g. cable locks). | |
| Output Devices Protected | | PE-5(1) | Devices such as monitors, printers, and fax machines are protected by physical access control. | |
| Network/Phone Cable Protected | | PE-4 | Transmission lines are protected (e.g. wiring cabinet is locked, cables are protected by conduit, no access to cables in the publicly accessible area). | |
| Power Protected | | PE-9 | Power equipment and power cabling are protected from damage or destruction (e.g. redundant power, physical protection of cables). | |

Emergency Systems

| ITEM | YES/NO | ID | CONTROL DESCRIPTION | NOTES |
|---|---|---|---|---|
| Emergency Power Shut-off | | PE-10 | Ability to shut off power to the EHR in the event of an emergency, and ability to shut off power from a safe location. Power shut-off is protected from unauthorized activation. | |
| Water Shut-off Valves | | PE-15 | The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel. | |
| Emergency Lighting | | PE-12 | The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. | |
| Fire Detectors and Suppression | | PE-13 | The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source. | |

EHR System

| ITEM | YES/NO | ID | CONTROL DESCRIPTION | NOTES |
|---|---|---|---|---|
| EHR in Secure Location | | PE-18(1) | The EHR system is positioned to minimize potential damage from environmental hazards such as flooding, fire, electrical interference, and theft. | |
| Doors Locked/Monitored to Secure Area | | PE-18(3) | Physical entry points to the secure area are protected from unauthorized entry. | |
| EHR Systems Monitored | | PE-6 | Physical access to EHR systems is monitored (e.g. access logs, cameras, alarms). | |
| Emergency Power | | PE-11 | The organization provides a UPS to facilitate an orderly shutdown of the information system in the event of a primary power source loss. | |
| Temperature and Humidity Controlled | | PE-14 | Temperature and humidity controls are maintained and monitored within the area where the EHR resides. | |

Notes:
