[BreachExchange] HIPAA and Hospitals: Five Reasons Medical Data Storage is Often Not Compliant

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 17 10:13:19 EDT 2017


http://www.hitechanswers.net/hipaa-hospitals-five-reasons-medical-data-storage-often-not-compliant/

With so much of the data held by doctors and hospitals now living on electronic
devices (mobile devices, desktop computers, servers and cloud services), the
security of that data is quickly becoming the most important aspect of HIPAA
compliance.

Many medical providers, including some of the largest hospital chains in the
country, have been found in violation of HIPAA and out of compliance, mainly as
a result of mishandling digital data.

A survey of 30 hospitals across California found that while 90% had a full
understanding of the HIPAA Privacy Rule as it applies to paper records, storage
of digital content and access control, only 15% handled end-of-life procedures
for IT equipment well enough to stay HIPAA compliant.

In this survey of small, medium and large hospitals, a majority of hospital
administrators and IT staff simply did not recognize the threats involved in
handling end-of-life IT assets such as hard drives, tablets, mobile devices, and
even photocopiers with built-in hard drives and non-volatile memory.

Being oblivious to these potential areas of HIPAA violation leaves the medical
industry open to common compliance failures in the safe handling of patient
data.

Here are the top five ways this happens.

1: Data-Containing Devices Are Often Stored in a Non-Secure Location
A recent study found that over 40% of hospitals stored end-of-life computers,
laptops, tablets and mobile devices holding potentially confidential data in
rooms and storage areas that did not meet security standards.

This poses a major data security threat and opens the door for potential
HIPAA violations from data breaches pertaining to confidential patient
records.

2: Over 40% of Hospital Staff Don't Realize the Data-Storing Capability of
Equipment
The survey found that over 40% of staff members surveyed did not realize that
devices such as large copy machines and many printers contain hard drives that
retain the content that is scanned, copied or printed on them.

In many instances, copy machines and printers holding confidential data were
sent to electronics recyclers or donated locally without any certificate of
data eradication being required.

3: Data-Bearing Hard Drives Are Stored for Too Long
It is well established that the longer a data-bearing device is kept with its
data intact, even in the most secure storage location, the higher the
likelihood of a data breach.

Because of staff changes, human error and mislabelled equipment, it has been
found that the most common source of hospital data breaches is hard drives that
were set aside for future destruction and then mistakenly released (resold,
recycled or reassigned) without going through the data destruction protocol.

4: The Use of Built-In or Free Software for Wiping Hard Drives
Studies have shown that 50% of hospital IT staff mistakenly believe that
deleting files, formatting the drive, or running whatever free wiping tool
turns up online is enough to completely eradicate data.

Deleting and formatting only remove the file system's references to the data;
the contents stay on the platters or flash and are easily recovered with basic
forensic software, so a drive disposed of that way is not HIPAA compliant. A
full overwrite can be an acceptable sanitization method for a magnetic hard
drive under NIST SP 800-88, the media sanitization guideline HHS references in
its HIPAA disposal guidance, but only when it covers the entire device,
including hidden and remapped areas, and is followed by a verification
read-back. A tool that stops short of that, or an overwrite run against a
solid-state drive, where wear levelling keeps copies in areas the host cannot
address, can leave substantial amounts of recoverable data.
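The verification read-back that separates an acceptable overwrite from an unverified one, as an added example (Python; not code from the article or from any vendor it mentions): after an overwrite pass, read the device back and confirm that only the overwrite pattern remains. The temporary image file, the constructed residual "patient data" fragment, and the sampling parameters are assumptions made for the demonstration.

```python
import os
import random
import tempfile

# Added example, not from the original article. Reads back a drive (or an image
# of one) after an overwrite pass and reports any region that still holds data.
# NIST SP 800-88 expects an overwrite to be followed by verification; this is a
# sampled read-back with an optional exhaustive mode.

# Constructed fragment standing in for leftover PHI on a badly wiped drive.
PHI_MARKER = b"PATIENT: JANE DOE, MRN 000000, DX: ..."


def make_sample_image(size, residual_at=None, pattern=b"\x00"):
    """Create a temporary file that looks like a drive after an overwrite with
    `pattern`.  If `residual_at` is given, PHI_MARKER is left at that offset,
    simulating a wipe that did not cover the whole device.  Returns the path."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write((pattern * (size // len(pattern) + 1))[:size])
        if residual_at is not None:
            f.seek(residual_at)
            f.write(PHI_MARKER[: size - residual_at])
    return path


def _expected(pattern, offset, length):
    """Bytes a correctly wiped region should contain at `offset`, honouring the
    alignment of multi-byte patterns such as b'\\xaa\\x55'."""
    start = offset % len(pattern)
    reps = length // len(pattern) + 2
    return (pattern * reps)[start:start + length]


def verify_overwrite(path, pattern=b"\x00", block_size=64 * 1024,
                     samples=32, full=False, seed=0):
    """Read `path` (a block device or image) back and check it holds only
    `pattern`.  The first and last block are always read; sampled mode adds
    `samples` random blocks, full mode reads every block.  Returns
    (ok, residual_offsets): the byte offset of the first mismatch in each
    block that still contains data."""
    fd = os.open(path, os.O_RDONLY)
    try:
        # lseek to the end works for block devices too, where getsize() returns 0.
        size = os.lseek(fd, 0, os.SEEK_END)
        if size == 0:
            return True, []
        nblocks = (size + block_size - 1) // block_size
        if full:
            wanted = range(nblocks)
        else:
            rng = random.Random(seed)
            picks = {0, nblocks - 1}
            picks.update(rng.randrange(nblocks) for _ in range(samples))
            wanted = sorted(picks)
        residual = []
        for b in wanted:
            offset = b * block_size
            os.lseek(fd, offset, os.SEEK_SET)
            chunk = os.read(fd, block_size)
            expected = _expected(pattern, offset, len(chunk))
            if chunk != expected:
                first_bad = next(i for i, (x, y) in enumerate(zip(chunk, expected)) if x != y)
                residual.append(offset + first_bad)
        return not residual, residual
    finally:
        os.close(fd)


if __name__ == "__main__":
    size = 1 << 20
    image = make_sample_image(size, residual_at=size - 4096)
    ok, where = verify_overwrite(image)
    print("clean" if ok else f"residual data at offsets {where}")
```

Against a real drive this is run as root on the device node (for example /dev/sdX) with full=True when the result is to be recorded as the verification step of a purge. For a solid-state drive, use the drive's own secure-erase or sanitize command instead of a host overwrite and still run the read-back afterwards; an overwrite issued from the host cannot reach over-provisioned or retired flash blocks, which is why the article's warning applies most strongly there.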

5: Hard Drives With Data Are Allowed to Be Taken Offsite for Wiping or
Destruction
A survey found that over 40% of hospitals allowed data-containing devices to be
removed from their premises in order to be wiped or destroyed off-site.

Data destruction best practice, however, holds that hard drives and other
data-containing devices are far less likely to expose a hospital to a breach if
they are destroyed, shredded or wiped on site, with a certificate issued for
the work.

Onsite hard drive shredding, offered by many certified electronics recycling
and IT asset disposition vendors, is the ideal solution for ensuring that all
data-containing devices are destroyed with hospital staff witnessing the entire
process. This simple best practice can massively reduce the likelihood of a
data breach.

Become HIPAA Compliant With These Simple Steps
By following a few data security best practices, hospitals, medical clinics
and doctors alike can address the HIPAA compliance risks that come with data
held on digital devices.

How?

First, make a list of every type of data-containing device within your
organization (including copiers and printers), then ensure that these assets
are processed promptly whenever they reach end of life.

Next, ensure that their hard drives are never held for longer than 30 days
while awaiting sanitization.

Finally, find a certified data destruction company that can shred these
devices on site, or provide certified data wiping on site.
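The closing steps above, as an added example (Python; not the article's code and not any vendor's tooling): an end-of-life asset register with one check for each of the article's five findings, run over a small inventory. The record fields, device classes, the list of accepted sanitization methods, the audit date and the sample inventory are all assumptions constructed for the demonstration.

```python
from datetime import date

# Added example, not from the original article.  All field names, device
# classes, accepted methods, the audit date and the inventory are assumptions.

# Device classes that contain non-volatile storage, including the copiers and
# printers that staff overlook (finding 2).
STORAGE_BEARING = {"desktop", "laptop", "server", "tablet", "phone",
                   "copier", "printer", "mfp"}
# Sanitization methods this register accepts; quick formats and unverified
# free tools are deliberately not on the list (finding 4).
ACCEPTED_METHODS = {"verified_overwrite", "crypto_erase", "degauss", "shred"}
MAX_HOLD_DAYS = 30               # the article's limit for drives awaiting destruction (finding 3)
AUDIT_DATE = date(2017, 3, 17)   # constructed "today" so the demo is reproducible

SAMPLE_INVENTORY = [  # constructed records
    {"id": "A1", "type": "laptop", "media": ["hdd"], "status": "disposed",
     "retired_on": date(2017, 1, 5), "sanitized_on": date(2017, 1, 20),
     "secure_location": True, "method": "shred", "onsite": True,
     "witnessed": True, "certificate": "CERT-0001"},
    {"id": "A2", "type": "copier", "media": [], "status": "awaiting_disposal",
     "retired_on": date(2016, 12, 1), "sanitized_on": None,
     "secure_location": False, "method": None, "onsite": None,
     "witnessed": None, "certificate": None},
    {"id": "A3", "type": "server", "media": ["hdd", "hdd"], "status": "disposed",
     "retired_on": date(2017, 2, 1), "sanitized_on": date(2017, 2, 10),
     "secure_location": True, "method": "quick_format", "onsite": False,
     "witnessed": False, "certificate": None},
    {"id": "A4", "type": "tablet", "media": ["emmc"], "status": "awaiting_disposal",
     "retired_on": date(2017, 3, 1), "sanitized_on": None,
     "secure_location": True, "method": None, "onsite": None,
     "witnessed": None, "certificate": None},
]


def audit_asset(asset, today=AUDIT_DATE):
    """Return the list of findings for one record; an empty list means it passes."""
    findings = []
    # Finding 2: a copier or printer with no media listed was never inventoried properly.
    if asset["type"] in STORAGE_BEARING and not asset["media"]:
        findings.append("storage-bearing device class with no media inventoried")
    awaiting = asset["status"] == "awaiting_disposal"
    # Finding 1: retired equipment must wait in a secured location.
    if awaiting and not asset["secure_location"]:
        findings.append("retired device held outside a secured location")
    # Finding 3: time from retirement to sanitization (or to today, if still waiting).
    end = today if awaiting else asset["sanitized_on"]
    held = (end - asset["retired_on"]).days
    if held > MAX_HOLD_DAYS:
        findings.append(f"held {held} days before sanitization (limit {MAX_HOLD_DAYS})")
    if not awaiting:
        # Finding 4: only accepted, verifiable methods count as sanitization.
        if asset["method"] not in ACCEPTED_METHODS:
            findings.append(f"sanitization method {asset['method']!r} is not an accepted method")
        # Finding 5: the work happens on site, witnessed by staff, with a certificate.
        if not (asset["onsite"] and asset["witnessed"]):
            findings.append("sanitization was not performed on site under staff witness")
        if not asset["certificate"]:
            findings.append("no certificate of destruction on file")
    return findings


def audit_inventory(inventory, today=AUDIT_DATE):
    """Map each asset id to its findings."""
    return {a["id"]: audit_asset(a, today) for a in inventory}


if __name__ == "__main__":
    for asset_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(asset_id, "OK" if not findings else "; ".join(findings))
```

Run daily, the hold-time check is the one that catches the failure mode in finding 3: a drive that sat in a cupboard through a staff change shows up as overdue long before anyone mistakenly releases it, and a record that reaches "disposed" without an accepted method, an on-site witness and a certificate is flagged rather than silently closed.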