According to the Journal of Medical Systems study ‘Security Techniques for the Electronic Health Records’, “Breaches in physical safeguards are the second most common cause of security breaches [7, 30]. Physical safeguards encompass techniques such as assigned security responsibilities, workstation security, and physical access controls.”
Physical safeguards under HIPAA are designed to secure the actual places and devices where electronic protected health information (ePHI) lives, which includes email servers, workstations, and related infrastructure. By establishing rules and controls around physical access, environment, and device security, these safeguards help prevent unauthorized individuals from physically accessing or damaging the systems that manage sensitive communications.
Beyond doors and locks, HIPAA also provides for environmental controls. Email servers must be housed in environments protected against fire, flooding, extreme temperatures, and power outages. Physical safeguards, such as fire suppression systems, climate control, flood sensors, and backup power sources, ensure that email services remain up and running securely without interruption, thereby maintaining both the integrity and availability of email communications.
What are physical safeguards?
Physical safeguards are part of HIPAA’s Security Rule, specifically appearing in Section 164.310. HHS Security Rule guidance provides that physical safeguards are defined as, “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
Physical safeguards are one of the three categories of safeguards (administrative, physical, and technical) that together form a well-rounded outline for HIPAA compliance in covered entities and business associates. The physical safeguards guide the way that electronic protected health information (ePHI) is guarded from unauthorized access, tampering, or destruction in physical locations like data centers.
The main types of physical threats to email servers
One of the most damaging physical threats is unauthorized physical access, meaning that an attacker or insider gains direct access to server hardware or the facilities. Deliberate physical attacks such as sabotage and vandalism are another threat. Sabotage involves intentionally damaging or disabling servers and networking equipment to disrupt email services or cause loss of data.
This can include actions like cutting cables, damaging hardware components, or disabling power supplies. Vandalism, though sometimes less targeted, similarly harms physical assets, potentially resulting in email downtime or data destruction.
A Cognitive Technological Workplace study exploring insider threats notes, “Based on insiders’ intentions two types of IsT exist: intentional (also known as malicious) and unintentional (also known as accidental) which can be posed by an individual or a group (Predd et al. 2008) and it is unintentional IsT (UIsT) that is of interest to this work. Unintentional insiders do not mean to harm the organisation, but their actions or inactions can put assets and operations of the organisation at risk, affecting systems’ confidentiality, integrity and availability (CIA security triad).”
Employees or contractors with authorized access may inadvertently or maliciously compromise physical safeguards by failing to follow security protocols, sharing access credentials, or bypassing security controls.
Why physical safeguards are necessary for email servers
The fundamental reason physical safeguards are necessary is that the security of electronic communications cannot be guaranteed solely by software or network controls. While encryption, firewalls, user authentication, and other technical safeguards protect the logical aspects of email security, they do nothing if an attacker can physically access the server or storage device. Physical access allows malicious actors to steal hardware, insert rogue devices, bypass encryption by extracting data directly, or disrupt email services through damage or sabotage.
The above-mentioned study found that, “Physical security safeguards were only mentioned 12.5% (5/40) of all occurrences of safeguards.” The rationale behind protection is straightforward: if unauthorized individuals cannot get near the hardware, they cannot physically steal or tamper with sensitive content, a failure point often exploited in healthcare breach incidents. Physical safeguards also mitigate the risk of insider threats by clearly defining and enforcing boundaries on physical access.
The physical safeguards that protect email servers
- Controlled facility access: Limiting physical access to the email server room or data center to prevent unauthorized access.
- Security cameras: Monitoring server rooms and sensitive areas with surveillance systems.
- Access control systems: Using biometric scanners, key cards, or keypad entry at the entrances of server rooms.
- Server room locks: Installing high-security locks on server room doors to prevent unauthorized access.
- Environmental controls: Implementing measures like fire suppression systems, temperature controls, and humidity detection to protect servers from environmental hazards.
- Uninterruptible power supply: Ensuring that backup power systems are in place to protect servers from power outages and surges.
- Workstation security: Securing individual workstations that may have access to email servers by preventing unauthorized use.
- Cable management: Protecting and securing network cables to prevent accidental or intentional tampering.
- Equipment maintenance: Maintaining logs of who can access the server and when.
- Physical server backup storage: Storing backup servers or data offsite in secure locations to prevent data loss from disasters.
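Access control systems and access logs only help if someone actually reviews them. The script below is an added example, not code from the original article or from any HIPAA guidance: it reconciles a badge-reader log for a server room against a roster of authorized badges and an approved access window, and lists the entries an auditor should look at. The badge IDs, names, door name, access window, and log lines are all constructed sample data.

```python
"""
Added example (not from the original article): review a physical
access-control log for a server room against an authorized roster and an
approved access window. Supports the 'maintain logs of who can access the
server and when' safeguard above. All identifiers below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed roster of badges allowed in the server room (badge id -> holder).
AUTHORIZED_BADGES = {
    "B1001": "A. Okafor (email administrator)",
    "B1002": "J. Lindqvist (facilities)",
}

# Assumed approved window for unescorted access to the server room.
ACCESS_WINDOW = (time(7, 0), time(19, 0))

# Constructed badge-reader log: ISO timestamp, badge id, door id, result.
SAMPLE_LOG = """\
2024-09-27T08:12:03 B1001 SRV-ROOM-1 GRANTED
2024-09-27T08:40:51 B1002 SRV-ROOM-1 GRANTED
2024-09-27T13:05:22 B2077 SRV-ROOM-1 DENIED
2024-09-27T22:47:10 B1001 SRV-ROOM-1 GRANTED
2024-09-27T22:49:33 B3150 SRV-ROOM-1 GRANTED
"""


@dataclass
class AccessEvent:
    ts: datetime
    badge: str
    door: str
    result: str


def parse_log(text):
    """Parse whitespace-separated badge-reader lines into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), badge, door, result))
    return events


def review_access(events, roster=AUTHORIZED_BADGES, window=ACCESS_WINDOW):
    """Return (reason, event) findings for entries that need a human review.

    Flags: a granted entry for a badge not on the roster (roster drift or a
    cloned/shared badge), any denied attempt (someone probing the door), and
    a granted entry outside the approved window (should match a change ticket
    or an on-call record).
    """
    findings = []
    start, end = window
    for ev in events:
        if ev.result == "GRANTED" and ev.badge not in roster:
            findings.append(("granted entry with badge not on roster", ev))
        elif ev.result == "DENIED":
            findings.append(("denied attempt", ev))
        if ev.result == "GRANTED" and not (start <= ev.ts.time() <= end):
            findings.append(("entry outside approved window", ev))
    return findings


def summarize(findings):
    """Render findings as one human-readable line each."""
    return [f"{ev.ts.isoformat()} {ev.badge} {ev.door}: {reason}"
            for reason, ev in findings]


if __name__ == "__main__":
    for line in summarize(review_access(parse_log(SAMPLE_LOG))):
        print(line)
```

Run against the constructed log, the review flags the denied attempt by an unknown badge, the administrator's late-evening entry (to be matched against a maintenance record), and the granted entry for a badge that is not on the roster at all, which is the case that most deserves follow-up. In practice the roster would be exported from the access-control system and the window from the facility's access policy rather than hard-coded.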
FAQs
What is the HIPAA Security Rule?
The HIPAA Security Rule sets national standards for protecting ePHI by requiring healthcare organizations to implement administrative, physical, and technical safeguards.
Who does the Security Rule apply to?
It applies to covered entities such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who create, receive, maintain, or transmit ePHI on their behalf.
What recent changes were introduced in the 2025 HIPAA Security Rule update?
The update eliminates the distinction between required and addressable specifications, making all safeguards mandatory. It introduces requirements such as encryption of data at rest and in transit for purposes such as email communication, regular vulnerability scans and penetration tests, enhanced incident response plans, and stronger vendor oversight.
When is a business associate agreement necessary with email providers?
When an email provider handles, stores, or transmits ePHI.
Do both covered entities and business associates need to implement physical safeguards?
Yes, both covered entities and business associates must implement physical safeguards to protect patient information.