Healthcare organizations are some of the most targeted victims of data breaches and other digital attacks. If all their critical data on employees, business operations, and most importantly, patients, is stored on-site, then one cyber attack puts everything at risk. Healthcare organizations need a HIPAA compliant backup of Electronic Medical Records (EMR) and Electronic Health Records (EHR), known collectively hereafter as EHR, to protect themselves from losing all of their critical files.
HIPAA Security Rule for Backups
The HIPAA Security Rule sets forth standards for the protection of electronic protected health information (PHI). Covered entities under these rules include health plans, health care clearinghouses and health care providers. The HIPAA Security Rule has also extended to include providers and business associates who work with HIPAA compliant companies.
Under these standards, the entities mentioned must back up retrievable copies of electronic health information. There are a few different requirements as far as EHR backup:
- A minimum of 128-bit encryption
- Physical storage must have areas of secure access
- A data security management process, including managing information and planning for emergencies.
Data must be backed up frequently and must be recoverable in case the original copy is damaged beyond accessibility. Most importantly, a copy of the data must remain off-site under these regulations. This regulation can be difficult to abide by as off-site storage can be costly or difficult to maintain. While this may be the case, HIPAA has imposed a fine for those who do not comply with a maximum of $1.5 million for all violations of an identical provision.
Need for an Off-site Backup
Aside from HIPAA requiring that health care organizations back up their data, it is generally good practice for smooth operations. On-site storage systems may be affected by natural disasters such as flooding or an accident involving a maintenance issue within the building. In some cases, a disgruntled employee may use their credentials to delete or alter data. Regardless of the situation, if there isn’t a backup copy of critical patient files, healthcare administrators will not be able to properly assess a patient’s condition.
HIPAA mandates that covered entities have a contingency plan and security incident procedure in the event of a natural disaster or emergency that threatens the safety of EHR. While Software as a Service (SaaS) backup and cloud services are convenient, not having a form of cold storage offline can mean that a cyber attack affects even your backup system. In the case of VFEmail, a cyber attack was able to reach its backup system to delete almost a decade’s worth of data.
The U.S. Department of Health and Human Services stated that there are no specific technologies that must be used as a technical safeguard, but there are several advantages to certified secure physical backups.
Considerations for an Off-Site Backup
Off-site backups are a necessary part of any industry’s disaster recovery plan. While it began with tape drives and CDs, off-site backup has matured to external hard drives, web-based software, and cloud services.
SaaS–this automatic backup is installed on your server and data is transmitted automatically to a remote server. The software must be encrypted and the software provider must comply with all HIPAA regulations.
Cloud Service–The software on a primary storage system automatically backs up data to the cloud service provider’s off-site location. The service provider is in charge of the backup and must also abide by HIPAA rules.
Hard Drives/USB–These external backups are portable for transport to an off-site location and do not require much physical space. These devices must also be completely secure. Our SecureDrive products fulfill both of these needs as portable and hardware encrypted devices.
Protection Anywhere, Anytime
Using an off-site SaaS or cloud service for backups can become complex when healthcare organizations have to ensure that providers sign a Business Associate Agreement, abide by HIPAA regulations, and preferably have a HIPAA officer on staff. This means that a healthcare organization must put complete trust in their provider or software service. Having compliant storage within your company’s control keeps a third party out of your operations.
The SecureDrive BT is a portable hardware encrypted storage solution that can only be accessed through a secure app on a mobile device. It boasts Military Grade AES 256-bit XTS encryption and is HIPAA compliant. Admins for the devices can decide who has access to the devices and when and has the option to set read-only mode.
The drive is remote management ready with features like geo- and time-fencing to restrict drive access to predetermined times and places. The SecureDrive itself is OS independent to work across any system with a USB port. These devices keep PHI completely secure in the case your primary means of storage is compromised.