...
Physical Security in a Disaster
If there is a disaster that causes the access control mechanisms to fail open, University staff may or may not be allowed near the facility for some time. When they are allowed back, the building manager is responsible for providing physical security to any remaining systems until controls are restored. This may mean that a person within the covered entity is physically watching the area or that equipment is moved to secure, offline storage.
The response must be documented and given to the HIPAA liaison. This documentation must include:
- Any potential exposure period during which staff were not allowed new the enclave
- Any missing equipment or equipment that has been clearly tampered with
- Who was responsible for watching a equipment during what time periods
- How, who and when systems were moved to a secure, offline storage facility
- Who has access to the offline storage facility
Modifying Physical Security Controls
...