SecureState Blog


Assessing Third Parties for HIPAA Compliance

Recently, SecureState has seen a significant increase in clients asking us about physical security assessments. This type of work is especially relevant for our clients in the medical industry, where protecting personal health information (PHI) is an essential part of HIPAA compliance. As hospitals, doctors, and insurers depend more and more on third-party companies, they want to know that each of these companies is protecting information and its business environment physically, not just electronically.


As part of third-party compliance efforts, healthcare systems are now requesting that the companies they contract with show the same levels of protection that they show. For example, a hospital recently requested that one of our clients complete a physical security assessment. The hospital expected that the environment of these clients, and any confidential information such as PHI and personally identifiable information (PII), be protected by electronic security as well as physical security. Because these types of information are in such demand among criminals and can fetch well over a hundred dollars per record, anyone handling this information needs added levels of vigilance and security to ensure the privacy of patients. Since healthcare providers are held accountable for any lapses in security among their third-party contractors, they have a vested interest in making sure these companies are taking every reasonable precaution.

If you are one of these third party companies, replying to a request for a physical security assessment can be a bit problematic. Knowing who to turn to and understanding the methods they use can be an intimidating prospect. Here at SecureState, we have been working with clients to show them the weaknesses in their current physical security and make recommendations on improvements.

There are two basic methods for addressing this kind of request, which can be tailored to meet your needs and the sensitivity of the data you are handling. These methods are:

Physical Attack and Penetration

SecureState’s consultants have experience working with a variety of physical security systems, and know the ways criminals approach these systems. Using this expertise, our consultants perform a simulated attack on your site, attempting to gain access to a specific area or set of data. Having done this, we will explain our methods, and the best ways to prevent similar attacks from actually succeeding in your environment.

Physical Security Assessment

SecureState’s consultants will visit your site and conduct a non-invasive walkthrough, guided by your security personnel. Our staff evaluates access control systems, security guards, CCTV cameras, access badges, locks, security lighting, fences, and much more. As we go through the walkthrough, we highlight areas for improvement.

After each of these assessments, we provide our clients with detailed reports on all of our findings, and recommendations tailored to meet immediate tactical needs and provide long-term, strategic solutions. Many times, simple actions like adjusting camera positions, relocating security personnel, and so on can make a small but immediate difference, while longer-term solutions such as visitor management and access control can provide greater peace of mind. For third-party compliance, we will also provide a letter of assurance to our clients, so that they can indicate to any organization looking to work with them that they have assessed their physical security and are working to address any issues.

With recent data breaches at various healthcare companies making headlines, it’s easy to see why security is becoming a major focal point in the industry. As retail companies like Target have shown, third parties are often a lucrative target for attackers, so it makes sense that the healthcare industry would focus on addressing issues there. Physical security is often overlooked in these efforts, but the recent change in the focus of healthcare companies indicates it will not remain that way for long.