Privacy Protections for Backup FilesNY Breach Incident Offers Security Reminders
Some 1.7 million individuals are being notified of a health information breach incident at The New York City Health and Hospitals Corp. It's the largest breach reported so far under the HITECH Act breach notification rule, which went into effect in September 2009.
Computer backup tapes were stolen from an unattended, unlocked truck that was being used to transport them to a secure storage location. A spokesman for NYC Health and Hospitals told HealthcareInfoSecurity that while the organization had encrypted most of its backup files, the tapes that were stolen, unfortunately, had not yet been encrypted.
Many organizations are phasing out physical backup media in favor of backup over the Internet. Of course, that has its risks too, unless proper security measures are followed.
Security consultant Rebecca Herold says the incident reinforces the need for encryption of information stored on mobile media.
But is storing backup tapes offsite the best way to back up protected health information? Herold's answer: "It depends."
"It depends upon the situation: the size of the backups, how often they are made, where the facility is located and so on," says Herold, who heads Rebecca Herold & Associates. "There are now many ways in which backups may be made in addition to this older, more traditional way. However, this may be the most feasible way to take backups offsite for some organizations. The method used should be most appropriate for the risk environment of the organization and situation."
Security expert Kate Borten of The Marblehead Group offers a similar perspective, saying no one approach to information backup is the best fit for all. "I don't think it's black and white."
She adds: "Many organizations are phasing out physical backup media in favor of backup over the Internet. Of course, that has its risks too, unless proper security measures are followed."
Business AssociatesThe New York breach incident provides another important lesson, Herold says. "It also demonstrates why healthcare providers, and all kinds of organizations with sensitive information, need to ensure the business associates to whom they entrust confidential and sensitive information have effective safeguards in place.
"Counting on just a BA agreement is not enough. Organizations need to go further and require business associates to provide some kind of proof or assurance that the actually have safeguards in place. If they don't obtain some type of assurance, it is likely this type of incident will happen."
But sometimes, unfortunately, nothing can be done to prevent human errors, such as a truck driver forgetting to lock the doors.