We have witnessed an explosion of technological innovation since HIPAA was enacted in 1996. Most businesses swapped their filing cabinets for cloud computing systems years ago. This new method of storing data electronically certainly has its benefits; it’s easy to use and much less wasteful. However, backing up data electronically comes with its own unique set of challenges.
This week, we encourage you to ask yourself, “Are my backups as safe as I think they are?” and provide helpful tips for securing your information. Successfully backing up your data decreases the likelihood of a breach and allows your business to continue operating in the event of a disaster.1
Every year, the number of ransomware attacks on businesses’ databases increases.
When it comes to backing up data containing PHI, you can never be too careful. No one method is enough to completely protect your information.2
Three-Two-One Rule
Above all, we recommend implementing the Three-Two-One Rule: keep three copies of your data on two different storage platforms, one of which is offsite.3 Maintaining an offsite backup is crucial, especially in the case of a disaster. If an adverse weather event, flood, or fire damages your office space, you will still have another copy of your important data.
Additionally, an offsite backup can save you in the event of a hack.
You should periodically test all backup systems to make sure everything is functioning properly. We recommend backing up your data every day.1
To limit the likelihood of breaching information stored on your onsite server, you must implement HIPAA’s technical, administrative and physical safeguards to secure PHI (Protected Health Information).4
Technical Safeguards
When using a cloud storage provider, you need to take the following steps to ensure the safety of your data.
First, do not use a new company. You want to go with an established vendor to ensure that your information will be secure on their servers for as long as you need. When you use a new company, there is always a risk that they will go out of business, meaning you could lose your stored information.
Any time you work with a third party, you need a signed Business Associate or Business Associate Subcontractor Agreement. Without this contract, you can be held liable for any of your vendor’s mistakes in the event of a breach.2
Be prepared to invest in additional storage drives for onsite servers. Most companies need a good deal of storage to secure all of their documents, especially if there are servers in multiple locations. This is something worth spending money on because losing data to hackers in a breach is far more costly than taking precautionary measures. Losing your data means losing your ability to service your clients.1
You can add extra security measures to the cloud or server login. Multi-factor authentication is a wonderful tool. This is easy to set up, and it can prevent the wrong person from viewing PHI they should not see. Multi-factor authentication requires users to verify their identity before gaining access to the database or system. For example, a user will be asked to enter a code sent to their mobile device or email after entering their login credentials.
Lastly, HIPAA requires that you protect PHI in rest and transit. Sensitive data must be encrypted at all times. Make sure to choose a cloud service provider who can keep you HIPAA compliant.5
Administrative Safeguards
Your security policies and procedures should include detailed arrangements for adverse weather events and any other potential disasters. HIPAA requires your organization to have a fully developed and tested Disaster Recovery Plan.4
Additionally, your policies should include rules about who is allowed to access specific information. A good rule of thumb is to implement the Minimum Necessary Standard, meaning that only individuals who absolutely need PHI to complete a job have access to it. And, they only need the minimum amount of information necessary to complete the task.
For example, you do not want to use an Admin Account to perform backups, because those credentials are likely accessible to several employees of the company. This means the account is more likely to be compromised, as it may be used on more platforms and websites.3
Physical Safeguards
Devices that store PHI, like servers, and desktop computers, must be kept in a secure location. Leaving an unlocked laptop that is logged in to your network, sitting on an unattended desk, could compromise PHI by allowing unauthorized personnel to view PHI.
Your office, or any building where this type of information is stored, should have security and fire suppression systems.
Limiting or forbidding employees’ access the premise after business hours is also a good practice.
Lastly, keeping access logs of personnel that enter secure onsite storage space helps you keep track of who sees PHI so you can make sure only necessary parties are privy to this information.1
In conclusion, the best way to secure all data is to work with a knowledgeable and trusted professional. Our HIPAA Prime™ service creates a custom solution for your business, so you never have to worry about your ability to serve your customers.
