Health Care and HIPAA-Compliant Data Storage

HIPAA-compliant data storage involves implementing both physical and digital safeguards designed to protect sensitive health information from a growing number of threats.

Though global ransomware attacks are on the decline, healthcare organizations continue to be disproportionately targeted by hackers. Experts believe that the healthcare industry now experiences the most ransomware attacks of any sector, with 85% of all malware attacks in 2017 occurring in the healthcare space.

What’s more, malware attacks on hospitals, clinics and other healthcare-oriented organizations have far greater implications than attacks on organizations operating in other industries. While hackers value any piece of personally identifiable information they can get their hands on—in a typical attack, they can gain access to home addresses, Social Security numbers, dates of birth and so on—medical records also include highly sensitive information related to patients’ addiction histories, infectious disease statuses and even domestic violence incidents.

While these attacks can occasionally impede the day-to-day operations of hospitals, clinics and physicians’ offices, they almost always expose the target organization to costly violations of the Health Insurance Portability and Accountability Act (HIPAA)—even when no material damage is done. Be that as it may, healthcare IT teams often dedicate the bulk of their attention to securing internet-connected medical devices and onsite computers, relegating HIPAA-compliant data storage to the back burner.

For the benefit of patients and healthcare practitioners alike, it’s time to give proper healthcare data management the attention it’s due. To that end, what follows is a guide to everything healthcare organizations need to know about HIPAA-compliant data storage in 2019.

HIPAA Regulations: Background

HIPAA includes two distinct policies that govern healthcare organizations’ management of patient data.

The first is the HIPAA Privacy Rule, or as it’s officially titled, “Standards for Privacy of Individually Identifiable Health Information.” This regulation establishes national standards for the protection of sensitive health information. In practice, it means a medical professional or healthcare organization cannot reveal details about a patient’s personal health information beyond what is absolutely necessary to facilitate proper care. It also grants patients control over their own data and medical records.

The second policy is the HIPAA Security Rule, which dictates security standards for protecting health information that is held or transferred electronically. This rule details the technical and nontechnical safeguards that health organizations and their partners must put in place to secure individuals’ electronic private health information. Generally speaking, data storage operations fall under the Security Rule.

In the event a healthcare organization fails to meet the requirements of the HIPAA Security Rule, it will be subject to fines and/or penalties falling under both civil and criminal statutes. Civil penalties range from $25,000 to $1.5 million per year, while criminal penalties can include fines of up to $250,000 and 10 years in prison.

That’s not to mention the cost of a lawsuit filed in response to a HIPAA violation—in 2016 alone, malware and ransomware incidents cost American healthcare organizations $22.8 million in settlements over HIPAA violations.

HIPAA Requirements for Data Storage

HIPAA’s guidelines for proper data storage cover both the digital and physical precautions healthcare organizations must take to keep patient data safe and secure.

There are many technical requirements data centers must meet to remain compliant with HIPAA hosting standards, including (but not limited to):

  • SSL/TLS Certificates and HTTPS: Install certificates (still commonly called SSL certificates, although the protocol in use today is TLS) for every domain and subdomain on which sensitive information could be accessed. Any part of a site that asks for a user login should be served over HTTPS, period.
  • AES Encryption: Use the Advanced Encryption Standard (AES) to encrypt sensitive data stored on servers. HIPAA requires healthcare organizations to encrypt and decrypt electronic private health information “whenever deemed appropriate.”
  • VPN: Use a strong, encrypted virtual private network (VPN) to protect patient data. Include remote VPN access to allow those with proper credentials to log in to the protected network from a remote device.
  • Dedicated Private Firewall: Use a combination of hardware firewalls and software firewalls, as well as a firewall designed for web applications.
  • Disaster Recovery Plan: Craft a disaster recovery plan in case a server malfunction or other unforeseen event causes the loss of health information.
  • Offsite Backup: In addition to having a disaster recovery plan, healthcare organizations must store private health information in an external location.
  • Multi-factor Authentication: Compared to some of the other requirements on the list, multi-factor authentication is relatively easy to implement. As its name suggests, it is a security check that uses two or more independent forms of verification to confirm a user’s identity, and it should be enabled on all relevant parts of a site.
  • Dedicated IP Address: Data must be stored on a private IP address that is isolated from the public internet.
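The AES item above says what to do but not what an at-rest encryption routine should look like. What follows is an added example, not code from this article or from Colocation America, showing one way to encrypt a stored patient record with AES in GCM mode (authenticated encryption) using only Go's standard library: a fresh random nonce for every record, the record identifier bound as associated data so a ciphertext cannot be silently swapped between records, and a decryption that fails closed on any tampering. The stored layout, the function names and the sample record are assumptions made for illustration; key management (where the key lives and how it is rotated) is outside what this snippet covers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Assumed stored layout: nonce || ciphertext || GCM tag.
// aead.Seal appends the 16-byte tag to the ciphertext for us.

// sealRecord encrypts one patient record under a 16-, 24- or 32-byte AES key.
// recordID is passed as associated data: it is authenticated but not
// encrypted, so the blob only opens under the same identifier.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; a random 96-bit
	// nonce per record is the standard GCM choice.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, giving the layout above.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord reverses sealRecord. Any change to the nonce, ciphertext,
// tag or record identifier makes aead.Open return an error.
func openRecord(key []byte, recordID string, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("stored record too short")
	}
	nonce, ct := stored[:aead.NonceSize()], stored[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	// Constructed sample key: in production the key comes from a KMS or HSM,
	// never from source code or the same disk as the data.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte(`{"mrn":"EXAMPLE-0001","dx":"sample diagnosis"}`) // constructed
	blob, err := sealRecord(key, "EXAMPLE-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes for a %d-byte record (nonce + tag overhead)\n", len(blob), len(record))

	// Moving the blob to a different record identifier must fail.
	if _, err := openRecord(key, "EXAMPLE-0002", blob); err != nil {
		fmt.Println("wrong record id rejected:", err)
	}
	// Flipping one bit anywhere in the blob must fail.
	blob[len(blob)-1] ^= 0x01
	if _, err := openRecord(key, "EXAMPLE-0001", blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The design point is that AES alone only gives confidentiality; GCM adds the integrity check that lets the storage layer detect a modified or misfiled record before it is ever shown to a clinician, and binding the record identifier as associated data prevents one patient's encrypted data from being replayed under another patient's key without detection.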

As for physical storage, HIPAA requires healthcare organizations to keep data on redundant, isolated and secure database and web servers. These servers must have access to a high-speed connection and hardware that can run a variety of software and communications applications for multiple device types. Other physical safeguards a healthcare organization’s data center should feature include:

  • Limited facility access.
  • Controls for authorized or restricted access.
  • Clear policies for access to and use of workstations.
  • Restrictions on the transfer, removal, disposal and reuse of electronic media and electronic private health information.

Many assume that HIPAA violations always stem from online activity, but keeping servers physically safe is an equally important factor in protecting patients’ sensitive—and legally protected—data.

A Helping Hand

Adhering to these requirements can be quite overwhelming, which is why some healthcare IT professionals offload the most complicated aspects of HIPAA compliance to a colocation provider that has passed a rigorous HIPAA audit and can store copies of patient data in a safe, secure and compliant manner.

Healthcare IT professionals may not be required to take the Hippocratic Oath, but by doing their utmost to keep their operations HIPAA-compliant, they can ensure that their work, too, “do[es] no harm.”

Albert Ahdoot
Albert A. Ahdoot is the Director of Business Development at Colocation America. He leads the company’s sales efforts by gathering intelligence, crafting sales policies, and implementing new business strategies.