TRENDING:

The Security Scrutinizer with Howard Anderson

Privacy Protections for Backup Files

NY Breach Incident Offers Security Reminders Howard Anderson (ismg_editor) • February 16, 2011    
Privacy Protections for Backup Files

Some 1.7 million individuals are being notified of a health information breach incident at The New York City Health and Hospitals Corp. It's the largest breach reported so far under the HITECH Act breach notification rule, which went into effect in September 2009.

Computer backup tapes were stolen from an unattended, unlocked truck that was being used to transport them to a secure storage location. A spokesman for NYC Health and Hospitals told HealthcareInfoSecurity that while the organization had encrypted most of its backup files, the tapes that were stolen, unfortunately, had not yet been encrypted.

Many organizations are phasing out physical backup media in favor of backup over the Internet. Of course, that has its risks too, unless proper security measures are followed. 

Security consultant Rebecca Herold says the incident reinforces the need for encryption of information stored on mobile media.

But is storing backup tapes offsite the best way to back up protected health information? Herold's answer: "It depends."

"It depends upon the situation: the size of the backups, how often they are made, where the facility is located and so on," says Herold, who heads Rebecca Herold & Associates. "There are now many ways in which backups may be made in addition to this older, more traditional way. However, this may be the most feasible way to take backups offsite for some organizations. The method used should be most appropriate for the risk environment of the organization and situation."

Security expert Kate Borten of The Marblehead Group offers a similar perspective, saying no one approach to information backup is the best fit for all. "I don't think it's black and white."

She adds: "Many organizations are phasing out physical backup media in favor of backup over the Internet. Of course, that has its risks too, unless proper security measures are followed."

Business Associates

The New York breach incident provides another important lesson, Herold says. "It also demonstrates why healthcare providers, and all kinds of organizations with sensitive information, need to ensure the business associates to whom they entrust confidential and sensitive information have effective safeguards in place.

"Counting on just a BA agreement is not enough. Organizations need to go further and require business associates to provide some kind of proof or assurance that the actually have safeguards in place. If they don't obtain some type of assurance, it is likely this type of incident will happen."

But sometimes, unfortunately, nothing can be done to prevent human errors, such as a truck driver forgetting to lock the doors.



About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Why Entities Should Review Their Online Tracker Use ASAP
Why Entities Should Review Their Online Tracker Use ASAP
Why Connected Devices Are Such a Risk to Outpatient Care
Why Connected Devices Are Such a Risk to Outpatient Care
What's Behind Disturbing Breach Trends in Healthcare?
What's Behind Disturbing Breach Trends in Healthcare?
Addressing Security Gaps and Risks Post-M&A in Healthcare
Addressing Security Gaps and Risks Post-M&A in Healthcare
Threat Modeling Essentials for Generative AI in Healthcare
Threat Modeling Essentials for Generative AI in Healthcare
Critical Considerations for Generative AI Use in Healthcare
Critical Considerations for Generative AI Use in Healthcare
Using AI to Separate the Good Signals From the Bad
Using AI to Separate the Good Signals From the Bad
The State of Security Leadership
The State of Security Leadership
How Generative AI Will Improve Incident Response
How Generative AI Will Improve Incident Response
Generative AI: Embrace It, But Put Up Guardrails
Generative AI: Embrace It, But Put Up Guardrails

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.