[BreachExchange] How your business can ensure HIPAA-compliant backups

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 3 18:56:53 EDT 2018


http://www.healthcarebusinesstech.com/how-your-business-can-ensure-hipaa-compliant-backups/

HIPAA compliance doesn’t stop at the data you’re actively using. It applies
to everything in your organization – up to and including your backups. In
this guest post, Tim Mullahy, executive VP and managing director of an
enterprise class, tier 3 data center, explains how to ensure you aren’t
caught off-guard by that fact (and slammed with a hefty fine in the
process).

Healthcare organizations are under constant pressure to keep protected
health information (PHI) safe from prying eyes and malicious parties. It’s
as much a part of working in the industry as dealing with patient overflow
or staff burnout. And it’s something you yourself need to be cognizant of –
and not just because of the penalties you might run into under regulatory
frameworks such as HIPAA.

Failing to adequately protect PHI can land you in hot water with more than
regulatory agencies. It can also destroy patient trust – something that’s
already at an all-time low where healthcare providers are concerned. Not
only that, depending on where you’re situated, victims of a healthcare data
breach can seek legal recompense.

In short, you need to ensure your organization is airtight, and that every
device, system, and individual is compliant. And not just data that you’re
actively using, either. Your backups need to abide by HIPAA, as well –
here’s how to ensure they do.

Remember there’s no such thing as ‘too secure’

HIPAA has some pretty strict guidelines as far as data storage is concerned
– and these are guidelines you need to follow even if it feels a bit
inconvenient at times. All backups must be strictly access-controlled and
data should only be stored in approved locations. That means no leaving
thumb drives or laptops sitting out, and no storing backups in systems that
aren’t properly air-gapped and secured with 128-bit encryption at minimum.

It also means that, while backups should be easily retrievable, it should
be just as easy for authorized personnel to delete them in the event this
becomes necessary. Physical security is important, too. It’s no good putting
a bunch of digital safeguards in place if a bad actor can just walk into
your server room.

In short, your backups should be guarded by measures such as:

- keycard readers, physical locks and/or biometric scanners
- uniformed security personnel
- CCTV surveillance/monitoring
- fire suppression systems
- workstation lockdown capabilities
- strict media/device controls for personnel
- regular security awareness training for all staff in the facility
- clearly-defined security roles for all staff in the facility
- contingency planning – what happens in the event of a disaster, and how
will staff ensure your safeguards remain active during that crisis?
- access logs – you should know exactly who accessed a file or server, when
they accessed it, and what they did with it at any given time
- offsite storage – avoid storing backups onsite if possible
- a minimum of 128-bit encryption, and
- notifications for:
 -- when a file is accessed
 -- when a file, system or device is backed up
 -- when a file is modified
 -- when a physical server is accessed, and
 -- unusual network activity.

If it helps, you might envision your business as a submarine. Even a single
leak can sink the entire vessel. Don’t let your backups be that leak.
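As an added illustration that is not part of the article, the Python script below shows how the "access logs" and "notifications" items in the list above can be operationalised: it parses a constructed set of backup-access log lines into the who/when/what record an auditor would ask for, and raises an alert when an account touches a backup it is not permitted to, or does so from a host outside the approved set. The log format, account names, host addresses and the access policy are all assumptions made for this demo.

```python
"""Added example (not from the article): turn raw backup-access log lines into
a per-file "who, when, what" history and flag accesses that violate policy.
Log format, user names, hosts and the policy itself are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed format:
# <ISO timestamp> user=<name> host=<ip> action=<verb> object=<path>
SAMPLE_LOG = """\
2018-07-03T09:15:02Z user=backup-svc host=10.0.5.20 action=read object=/backups/phi/2018-07-03.tar.enc
2018-07-03T09:16:40Z user=jdoe host=10.0.5.21 action=read object=/backups/phi/2018-07-02.tar.enc
2018-07-03T11:02:11Z user=jdoe host=10.0.5.21 action=modify object=/backups/phi/2018-07-02.tar.enc
2018-07-03T23:48:59Z user=tmp-user host=203.0.113.7 action=read object=/backups/phi/2018-07-03.tar.enc
2018-07-03T23:49:30Z user=backup-svc host=10.0.5.20 action=delete object=/backups/phi/2018-06-01.tar.enc
"""

# Assumed access policy: which accounts may perform which actions on backups,
# and which hosts are approved to reach the backup store at all.
AUTHORISED = {
    "backup-svc": {"read", "write", "delete"},
    "jdoe": {"read"},
}
APPROVED_HOSTS = {"10.0.5.20", "10.0.5.21"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def audit(log_text):
    """Build a per-object access history and a list of alerts.

    history maps object path -> [(timestamp, user, action)], which answers
    "who accessed this file, when, and what did they do" for any backup.
    alerts collects every policy violation found, in log order.
    """
    history = defaultdict(list)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            # A line we cannot read is itself worth a notification: it may be
            # log tampering or a format change that silently blinds the audit.
            alerts.append(("unparseable", line))
            continue
        history[rec["obj"]].append((rec["ts"], rec["user"], rec["action"]))
        allowed = AUTHORISED.get(rec["user"])
        if allowed is None:
            alerts.append(("unknown_user", rec["user"], rec["obj"]))
        elif rec["action"] not in allowed:
            alerts.append(("action_not_permitted", rec["user"], rec["action"], rec["obj"]))
        if rec["host"] not in APPROVED_HOSTS:
            alerts.append(("unapproved_host", rec["user"], rec["host"]))
    return history, alerts


if __name__ == "__main__":
    hist, found = audit(SAMPLE_LOG)
    for obj, events in hist.items():
        print(obj)
        for ts, user, action in events:
            print(f"  {ts.isoformat()}  {user:<12} {action}")
    print("alerts:", found)
```

On the constructed log the script produces three alerts: jdoe modifying a backup with read-only rights, an unknown account reading PHI backups, and that same access arriving from an unapproved host. The point of keeping the full history alongside the alerts is that an auditor's question is rarely "was there an alert" but "show me everyone who touched this file".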

Keep your backups redundant

Another requirement under HIPAA is redundancy. You need to store your
backed-up data in more than one offsite environment. And each one of those
environments must be equally secure.

Additionally, it’s important that you store infinite revisions of each
protected file. And those revisions should be well-organized and searchable
in case you’re audited. Again, this is something else that’s required by
HIPAA.

Given that you need to back your data up on an incredibly frequent basis,
it should go without saying you’re going to need to invest a decent amount
into storage capacity. Make sure you budget for that. It’s a necessary
expense.

Test everything regularly

Even with all the measures outlined here, your backups are functionally
useless if their integrity isn’t absolutely guaranteed. With that in mind,
it’s imperative (and required by HIPAA) you periodically test your backups
to ensure everything is working as intended. You should also regularly
revisit your disaster recovery process and crisis management plan to see if
there’s anything that could be improved or updated.
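The two sections above, on keeping every revision of a protected file and on testing backup integrity, can be demonstrated with one small store. The Python below is an added example, not code from the article or its author: it keeps each backup run as a separate, never-overwritten revision with a SHA-256 manifest, offers a verification routine suitable for a scheduled integrity test, and a lookup that answers "which revisions hold this file" for an audit. The directory layout, file names and the `demo()` scenario are assumptions; encryption and offsite replication are out of scope here.

```python
"""Added example (not from the article): a versioned backup store with
per-revision SHA-256 manifests, an integrity check, and a revision search.
Layout, names and the demo scenario are assumptions for this demo."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source_dir, store_dir, label=None):
    """Copy source_dir into a new revision directory and record its manifest.
    Revisions are never overwritten, so every version stays retrievable."""
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    rev_dir = os.path.join(store_dir, label)
    os.makedirs(rev_dir)  # raises if the label already exists: no silent overwrite
    manifest = {}
    for root, _, files in os.walk(source_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir)
            dst = os.path.join(rev_dir, "data", rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = sha256_of(dst)  # hash the stored copy, not the source
    with open(os.path.join(rev_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return label


def verify_revision(store_dir, label):
    """Re-hash every file of a revision against its manifest.
    Returns a list of (problem, path); an empty list means the revision is intact."""
    rev_dir = os.path.join(store_dir, label)
    with open(os.path.join(rev_dir, "manifest.json")) as f:
        manifest = json.load(f)
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(rev_dir, "data", rel)
        if not os.path.exists(path):
            problems.append(("missing", rel))
        elif sha256_of(path) != expected:
            problems.append(("hash_mismatch", rel))
    return problems


def find_revisions(store_dir, rel_path):
    """Searchable history: every revision that holds rel_path, with its hash there."""
    hits = []
    for label in sorted(os.listdir(store_dir)):
        mpath = os.path.join(store_dir, label, "manifest.json")
        if not os.path.exists(mpath):
            continue
        with open(mpath) as f:
            manifest = json.load(f)
        if rel_path in manifest:
            hits.append((label, manifest[rel_path]))
    return hits


def demo():
    """Constructed scenario: two revisions of one file, then simulated corruption."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "src")
    store = os.path.join(work, "store")
    os.makedirs(src)
    os.makedirs(store)
    with open(os.path.join(src, "patient.txt"), "w") as f:
        f.write("record v1\n")
    r1 = take_backup(src, store, "rev1")
    with open(os.path.join(src, "patient.txt"), "w") as f:
        f.write("record v2\n")
    r2 = take_backup(src, store, "rev2")
    clean = verify_revision(store, r1)
    # Damage the stored copy the way a failing disk or tampering would.
    with open(os.path.join(store, r2, "data", "patient.txt"), "a") as f:
        f.write("x")
    corrupted = verify_revision(store, r2)
    history = find_revisions(store, "patient.txt")
    shutil.rmtree(work)
    return clean, corrupted, history


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the first revision verifying clean, the second reporting a hash mismatch on the damaged file, and the search returning both revisions with different hashes. Scheduling `verify_revision` against every revision, and treating any non-empty result as an incident, is the kind of periodic test the section above calls for; a test restore into a scratch location, followed by the same hash comparison, is the natural next step.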

If you’re working with a vendor, verify them

Last, but certainly not least, if you aren’t maintaining your own backups,
you need to make certain the vendor you’re working with follows all the
other steps on this list, including and especially unlimited revisions.
Additionally, the vendor needs to have undergone an annual HIPAA-compliance
audit and must be willing to sign on as a covered entity.

Should they refuse or if their security falls short anywhere, find someone
else. It’s not worth the trouble it will cause you in the long run.

Keep your backups in good health

HIPAA can be challenging, intimidating and confusing to follow, especially
when it comes to protecting your backups. Here’s hoping this has cleared
the air a bit and made things just a little less murky for your
organization. The rest is up to you.