The Security Scrutinizer with Howard Anderson

Protecting Backup Media: 5 Tips Security Expert Offers Breach Prevention Insights

The incident, which affected beneficiaries in the military's TRICARE program, involved the car of an employee of a business associate, Science Applications International Corp. (see: TRICARE Breach Affects 4.9 Million).

Four of the five largest health information breaches reported since the HITECH Act-mandated breach notification rule took effect involved the loss or theft of storage media (see: Healthcare Breaches: A New Top 5). So what can be done to prevent such incidents?

Covered entities must take steps to ensure their business associates do more than just sign a contract and then never look at it again, let alone perform the indicated actions. 

Security consultant Rebecca Herold of Rebecca Herold & Associates offers five tips for safeguarding backups:

  • Physically protect the backup tapes and the associated machinery and technologies involved with the backups, so only those with a business need to perform the backup activities have access.
  • Encrypt the data on the tapes. "I still hear far too many people say, 'Bah, that's not necessary! Who's going to have any type of equipment to actually read the tapes?' Well, guess what, you can check eBay, Craig's List and other online shops and find such equipment. Plus, there are services out there that will convert the data on such tapes to other types of digital storage for basically anyone who asks."
  • Establish policies and supporting procedures for making, storing and disposing of backup tapes. Then take steps to enforce the policies.
  • Provide training and ongoing awareness communications for those with responsibilities for making backups.
  • Perform regular audits to ensure the controls are in place and determine if new risks have emerged.

If any backup-related activities are outsourced to another organization, then that business associate "needs to have effective security controls in place in compliance with HIPAA and the HITECH Act," Herold stresses.

"Covered entities, business associates and all types of organizations need to establish security controls based upon the risks for their own unique situations," she adds. "Doing a risk assessment is not only important for determining safeguards, but also to meet compliance with HIPAA."

Working With Business Associates

When a healthcare organization relies on a business associate for any purpose, including storing or transporting storage media, "they must do more than simply having the BA sign a BA agreement and then wiping their hands of any other follow-up or oversight due diligence," Herold says.

Although it's important to ensure details about security for backups is included in BA agreements, Herold says, "Covered entities must not depend solely upon a BA agreement to ensure their BAs are actually usually doing effective security."

Herold suggests that BAs "must be more proactive to know and understand basic information security and privacy concepts, and their obligations under HIPAA and HITECH. And covered entities must take steps to ensure their BAs do more than just sign a contract and then never look at it again, let alone perform the indicated actions."

The consultant notes that healthcare organizations have new alternatives for backing up data. "There are some great services that will back up your files over the Internet or through some other type of WAN connection to large data warehouses," she notes.

But with new methods come new risks. To help mitigate those risks, "Encryption is typically done for these types of services, in addition to other safeguards," Herold notes. "Encryption has become significantly easier and less expensive in recent years. It should be a no-brainer, like buckling your seatbelt when you drive."

And speaking of driving, be sure to ask your business associates if they've trained their staff to never leave storage media in their parked vehicles. After all, the TRICARE incident was caused by a thief breaking into a business associate employee's car. Similarly, an earlier breach affecting patients at New York Health and Hospitals Corp. involved a theft from a truck a business associate was using to transport backup tapes.



About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network