Is your hospital data storage regime HIPAA compliant?


Posted on Tuesday, March 21, 2017

The HIPAA legislation places healthcare CIOs under increased scrutiny with regard to data security. Patient confidentiality has always been central to effective healthcare delivery - but are the same principles being applied to your data storage provisions? Here are five factors you may not have fully addressed when considering HIPAA compliance:

1. Physical security

Although hospitals tend to apply industry-standard physical security provisions to their data centres, post-warranty hardware is rarely afforded the same robust arrangements. Employees often neglect to protect assets that still store confidential data, like retired laptops. Stored in an unsecured cupboard, these assets, and the data stored on them, are easily stolen.

2. Employee awareness

With storage built into a wide range of devices, it is easy to overlook the need to protect assets beyond servers, PCs and laptops. As a result, confidential patient data can be retrieved from a range of other equipment, including photocopiers and printers, if it is not disposed of correctly.

3. Data retention principles

In the age of falling per-terabyte costs, keeping data indefinitely is fairly standard across all industries. But where ageing systems are left unattended or unmanaged, there is a constant threat of a data breach. It is also worth noting that data at rest is rarely encrypted, making theft of sensitive data even easier.

4. Drive wiping tools

Your choice of tool for wiping unused drives could be leaving patient data at risk of exposure. Many employees operate under the impression that simply formatting drives, or using some freeware from the internet, is sufficient to place patient data out of the reach of hackers. Often these techniques are not as secure as expected - and if data can be recovered, your hospital has breached HIPAA regulations.
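The gap between a quick format and a real overwrite, shown on a toy in-memory drive image as an added example (not code from the original post or from CDS): the simulated quick format rewrites only the filesystem header, so a scan of the raw bytes still finds the record, while a full overwrite removes it. The `MRN-nnnnnn` identifier format and the `TOYFS` header are constructed for the demonstration, and the final scan is the kind of verification step a wiping process should include.

```python
"""Added example: why a quick format leaves patient data recoverable, and how
to verify a wipe by scanning raw bytes. A bytearray stands in for a drive."""
import re

SECTOR = 512
IMAGE_SECTORS = 256                         # 128 KiB toy drive (constructed)
PHI_PATTERN = re.compile(rb"MRN-\d{6}")     # constructed sample record identifier


def make_image_with_record(record: bytes) -> bytearray:
    """Build a toy drive: a filesystem header in sector 0, one record deeper in."""
    img = bytearray(SECTOR * IMAGE_SECTORS)
    img[0:16] = b"TOYFS-HEADER-v1\x00"
    start = 40 * SECTOR
    img[start:start + len(record)] = record
    return img


def quick_format(img: bytearray) -> None:
    """Simulate a quick format: only the metadata area (sector 0) is rewritten.
    File contents in later sectors are untouched, which is the gap the post describes."""
    img[0:SECTOR] = b"TOYFS-HEADER-v1\x00".ljust(SECTOR, b"\x00")


def overwrite_wipe(img: bytearray) -> None:
    """Single-pass overwrite of every sector (zeros, as a simple wiping tool would do)."""
    img[:] = bytes(len(img))


def residual_records(img: bytes) -> list[bytes]:
    """Verification step: scan the raw bytes for anything that still looks like a record."""
    return PHI_PATTERN.findall(img)


def demo() -> tuple[int, int]:
    """Return (records found after quick format, records found after overwrite)."""
    img = make_image_with_record(b"patient: MRN-123456 dob: 1970-01-01")  # constructed
    quick_format(img)
    after_format = len(residual_records(img))
    overwrite_wipe(img)
    after_wipe = len(residual_records(img))
    return after_format, after_wipe


if __name__ == "__main__":
    print(demo())  # (1, 0)
```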

5. Offsite data destruction

Some reports suggest that up to 40% of US-based hospitals allow hard drives to be taken off-site for data destruction. Although this is perfectly legal, the risk of a data breach increases exponentially once drives are removed from the site. Instead, your hospital should discuss on-site secure data destruction to help minimize those risks and maintain HIPAA compliance.

The increasing volume of data, coupled with the range of systems in play, makes the CIO's job incredibly difficult - particularly when trying to adhere to HIPAA guidelines. As well as raising awareness among employees about the pervasive nature of data in the modern IT environment, the CIO should seriously consider partnering with an experienced third party like CDS, who can advise on how best to manage ageing storage assets safely.

Next steps

To learn more about these services, and how we can help your hospital remain HIPAA compliant, please get in touch.