Compliance Testing

HIPAA Physical Security Assessment

The HIPAA Security Rule requires covered entities and business associates to implement physical safeguards protecting electronic protected health information (ePHI). Facility access controls, workstation security, and device and media controls are not suggestions. They are auditable requirements. Physical penetration testing validates whether those safeguards actually work when someone walks through the door.

What the Framework Requires

The HIPAA Security Rule organizes physical safeguards into three categories. Facility access controls (164.310(a)) require policies and procedures to limit physical access to electronic information systems and the facilities housing them. Workstation use and security (164.310(b) and (c)) require that workstations accessing ePHI be physically protected from unauthorized access. Device and media controls (164.310(d)) require policies governing the receipt, removal, and disposal of hardware and electronic media containing ePHI.

Healthcare environments present a unique challenge for physical security. Hospitals, clinics, and outpatient centers are designed for open movement. Patients, visitors, and vendors move freely through hallways, waiting rooms, and common areas. An operator in a public waiting area may be within Bluetooth range of medical devices, within line-of-sight of workstations displaying patient records, and within steps of unlocked IT closets, all without bypassing a single access control.

OCR enforcement actions have increasingly cited physical access failures. Organizations that can demonstrate regular physical security assessment, including penetration testing that validates facility access controls, have stronger standing during breach investigations and audit responses.

What We Test

  • Facility access controls on areas housing ePHI systems: server rooms, IT closets, nurse stations with EHR terminals, medical records storage
  • Workstation security in patient care areas: unlocked EHR terminals, shared login credentials, screens visible from public spaces, unattended mobile devices
  • Medical device exposure: Bluetooth-enabled devices, infusion pumps, patient monitors, and diagnostic equipment reachable from public waiting areas or adjacent hallways
  • IT closet and network infrastructure access: whether network switches, patch panels, and wireless controllers in clinical areas are secured against unauthorized physical access
  • Social engineering against clinical and administrative staff using healthcare-specific pretexts (vendor, visiting physician, patient family member, insurance representative)
  • Visitor management in clinical settings: escort compliance, badge visibility, movement between restricted and unrestricted areas
  • Media and device controls: unencrypted USB drives, unattended laptops, printed patient records left at nurse stations or in common areas
  • After-hours access testing: whether facility access controls maintain effectiveness during off-shifts, weekends, and holidays when staffing is reduced

The Crosswalk Advantage

HIPAA physical safeguards align directly with NIST SP 800-53 PE controls. Facility access controls map to PE-2 and PE-3. Workstation security maps to PE-5 (access control for output devices) and PE-18 (location of information system components). If your client also processes payment card data (common in healthcare billing), the same test plan satisfies both HIPAA and PCI DSS Requirement 9. One engagement, two audit evidence packages.

See how the same engagement satisfies PCI DSS, SOC 2, and NIST RMF requirements.

Which Tier Fits

Healthcare engagements typically require custom ROE to ensure testing does not disrupt patient care. THRESHOLD delivers the annual physical security assessment that auditors and OCR investigators look for. STRONGHOLD is appropriate for large health systems that need realistic adversary simulation, including testing whether an operator can reach ePHI systems from public areas without triggering a response. CADENCE aligns with HIPAA risk assessment cycles and provides continuous evidence of physical safeguard effectiveness.

Scope a HIPAA engagement.

Tell us about your client's healthcare environment and we will map the right tier to their physical safeguard requirements.