Facility Access Controls
Description
Implement policies and procedures to limit physical access to ePHI systems and the facility in which they are housed.
⚠️ Risk Impact
Hospital environments are uniquely accessible (patients, visitors, vendors enter routinely). Physical access to workstations, paper records, or server rooms bypasses every logical control.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as medium-severity findings with remediation guidance.
🔧 Remediation
Badge access to clinical and data areas; visitor escort policy; workstation screen-lock enforcement (1-min idle); paper record handling procedures; CCTV.
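The screen-lock item above is the one remediation that can be verified from the workstation itself. The following is an added audit script, not EchelonGraph's own code: it reads the Group Policy registry values that enforce an idle lock on Windows and reports whether the workstation locks within 60 seconds. It assumes the lock policy is delivered through the standard Group Policy registry paths shown; an MDM that writes elsewhere would need its own check.

```powershell
# Added example (not part of the original page): audit a Windows workstation's
# idle-lock configuration against a 60-second (1-minute) maximum.
# Assumption: the policy is delivered via the standard Group Policy registry
# locations below. Run in an interactive session of the user being audited.

function Get-ScreenLockCompliance {
    param([int]$MaxIdleSeconds = 60)

    # "Interactive logon: Machine inactivity limit" (machine-wide, in seconds; 0 = disabled)
    $sysPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # Per-user policies "Screen saver timeout" / "Password protect the screen saver"
    $ssPath  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

    $inactivity = (Get-ItemProperty -Path $sysPath -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $ssTimeout  = (Get-ItemProperty -Path $ssPath  -Name 'ScreenSaveTimeOut'     -ErrorAction SilentlyContinue).ScreenSaveTimeOut
    $ssSecure   = (Get-ItemProperty -Path $ssPath  -Name 'ScreenSaverIsSecure'   -ErrorAction SilentlyContinue).ScreenSaverIsSecure
    $ssActive   = (Get-ItemProperty -Path $ssPath  -Name 'ScreenSaveActive'      -ErrorAction SilentlyContinue).ScreenSaveActive

    # Either control satisfies the 1-minute requirement on its own:
    #  - machine inactivity limit set, non-zero and <= MaxIdleSeconds, or
    #  - password-protected screen saver enabled with timeout <= MaxIdleSeconds
    $machineOk = ($null -ne $inactivity) -and ([int]$inactivity -gt 0) -and ([int]$inactivity -le $MaxIdleSeconds)
    $saverOk   = ($ssActive -eq '1') -and ($ssSecure -eq '1') -and
                 ($null -ne $ssTimeout) -and ([int]$ssTimeout -gt 0) -and ([int]$ssTimeout -le $MaxIdleSeconds)

    $compliant = $machineOk -or $saverOk
    $finding   = if ($compliant) { 'OK' } else { "No enforced lock within $MaxIdleSeconds s of idle" }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        InactivityTimeoutSecs   = $inactivity
        ScreenSaverTimeoutSecs  = $ssTimeout
        ScreenSaverPasswordLock = $ssSecure
        Compliant               = $compliant
        Finding                 = $finding
    }
}

# Emit one record per workstation; collect these centrally for the annual walkthrough evidence.
Get-ScreenLockCompliance | Format-List
```

A non-compliant result on a clinical workstation maps directly to the "unlocked during patient care" pitfall listed further down.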
💀 Real-World Attack Scenario
A contractor (legitimately on-site for HVAC repair) was left unsupervised in the IT room for 2 hours. The contractor's laptop bag contained a USB-keystroke-injector. After leaving, IT logs showed PowerShell scripts had executed on the server console. Investigation: physical access enabled the attack despite all digital controls being in place.
💰 Cost of Non-Compliance
Physical-access breaches in healthcare: $4.2M-$8M (IBM 2024).
📋 Audit Questions
1. Badge access to ePHI areas?
2. Visitor escort policy?
3. Workstation screen-lock policy?
4. CCTV coverage?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Tailgating culture
- ⛔ Workstations unlocked during patient care 'for efficiency'
- ⛔ Contractor access without escort
📈 Business Value
Physical controls close attack vectors invisible to digital defenses.
⏱️ Effort Estimate
Annual facility walkthrough + policy
EchelonGraph monitors workstation MDM compliance
🔗 Cross-Framework References
Automate HIPAA 164.310(a) compliance
EchelonGraph continuously monitors this control across all your cloud accounts.