The Need for Risk Assessment of Peripheral Devices

RiskLaSalle Consulting Partners continues to emphasize the importance of security and risk assessment in the workplace, particularly for HIPAA covered entities and business associates. One of the areas we have seen overlooked in risk assessment is the peripheral devices that exist on a computer network. Peripheral devices are devices on your network other than your computers and servers. These include devices such as printers, multi-function copiers, scanners, tablets, and mobile phones. If any of these devices are used to store or process sensitive information, and contain a hard drive or other form of memory, then your organization may be vulnerable to a security breach.

The HIPAA Security Rule risk analysis implementation specification at 45 CFR §164.308(a)(1)(ii)(A) mandates that organizations identify and assess exposures that may compromise the confidential nature of ePHI. Failure to protect confidential ePHI can result in hefty penalties and other legal action.

Affinity Health Plan, Inc. paid federal regulators a settlement amounting to $1.2 million after they returned copy machines to a leasing company, unknowingly releasing the ePHI of over 300,000 individuals contained on the machines’ hard drives. The breach was discovered by CBS Evening News, who purchased the copy machines as part of an investigation, after Affinity Health Plan returned them to the leasing company. While the incident was the first HIPAA settlement involving copiers, it may not be the last.

We recommend subjecting peripheral devices to a risk analysis. This precaution can assist in avoiding the legal and financial consequences of violating HIPAA regulations. Please contact LaSalle Consulting Partners for more information on the risk assessment of peripheral devices.

LaSalle Consulting Partners, Inc.
200 W Madison St | Suite 940 | Chicago, IL 60606 | 312-361-3326