Security and Backup: Yes…backup, again!

Once a month, on average, our technical support specialists are confronted with a customer whose database has become corrupted because of some hardware issue and who has no usable backup. After last week’s adventure, I decided I would again write about backup. Then, last night, I saw a discussion on a Psychology and Technology listserv that included some of our customers talking about full disk encryption of a Mac laptop. Encryption is something we recommend for every customer who uses our software or maintains any Protected Health Information (PHI) on a computer…especially on a laptop. To round out the clues that security and backup should be my topics of choice this week, I noticed an article in eweek of March 21, 2011 entitled ‘Remote access presents complexity, security issues.’

The rate at which users want to be able to access their work applications remotely has grown geometrically. Fifteen years ago, we were asked about remote access a couple of times a year. Five years ago, that increased to a couple of times a month as many more users wanted to be able to access their software from home. Now, everyone who carries a laptop, or even a smart phone, wants to be able to do everything they need to do for their jobs from wherever they are located with whatever device they have handy.

Whew! If only they realized what an expectation that is! And, all of these expectations complicate the issue of security in ways that those of us who are not very technically savvy cannot imagine. But imagine we must…if we plan to protect PHI, that is.

First, the issue of backup. This is the primary way in which you protect the security and integrity of client information. If you do not have a usable backup from which you could restore PHI in the event of a catastrophe, you are only one step away from having allowed the destruction of your client’s PHI.

Yes, the identifying demographics together with the diagnosis you use to file claims is PHI and is protected under HIPAA. Everything you have in an EMR is PHI. Yes, you are responsible to assure that this information is intact, safe from destruction, and secure from preying eyes (and hacks). Without a usable backup (preferably encrypted) stored in a secure location ready at a moment’s notice to replace data on your computer system, you are not even doing the most basic things necessary to provide protection to your patients. You could probably be demonstrated to be guilty of ‘willful neglect,’ the level of culpability that will generate the highest of fines from HHS and OCR under their HIPAA authority.

If you are not sure of what kind of backup strategy is minimally adequate, take a look at the backup recommendations and product suggestions we make to our customers.

The issue of remote access, especially from handheld devices like smart phones and iPads, is one that concerns me considerably. HIPAA requires that we must provide for the security of PHI while it is at rest (on a computer drive or CD or smart phone) and while it is in motion (being transmitted from one location or device to another).

Access tunnels like a secure VPN or MS Terminal Services are specifically designed to assure the safety and security of the data being transmitted through those tunnels. Those of us who are not very technically sophisticated may assume that the developers of the iPad and smart phones have already taken care of equivalent security for us. Not so, folks. While there are some products that will provide that security, they are not built into those hand held devices and we are on our own to find them.

Do you realize what that means? Do you understand that using your cell phone to access your desktop computer and patient information without adding specific protection assures that your data are vulnerable? There is not built-in security in your telephone or tablet. Even having your client names and phone numbers in your telephone contact list is potentially a breach of their privacy.

No one has volunteered to create a secure environment for your data…that is your job. You must do the research and determine which products will give your PHI the greatest protection.

Not being informed about a problem of insecurity is not considered an excuse by HIPAA. You must know what security your devices use to assure the safety of PHI. Do you have password protection on your phone? Do you have a way of wiping all data from the phone if you lose it or it is stolen? Have you initiated the services that are available to accomplish those purposes?

I know, this has started to sound like a rant. I do not mean to suggest that everyone is acting irresponsibly with client PHI. I do mean to suggest that we take a much too casual attitude toward protection of that PHI…especially when it comes to technologies about which we know little but assume much.

What policies does your organization have in place about use of portable devices and the protection of PHI? Have you found products that are wonderful to accomplish that protection? Will you share their names and your experiences with the rest of us?

Please enter your comments below.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.