How Healthcare Providers Protect Patient Data
Security, accessibility, backup are vital
Hospitals, clinics, and other healthcare organizations handle massive amounts of sensitive information, making effective data backup critical to their operations. In fact, healthcare industry professionals say data backup is not only the key to safeguarding confidential patient information but it’s necessary to their survival.
Healthcare providers and caregivers frequently use what is known as electronic protected health information (EPHI) in their efforts to assist patients. They use this information in nearly every clinical care workflow scenario and clinical care decision. The accessibility of EPHI—which includes everything from lab results and radiology images to patient medications—helps guide patient care. “Ensuring the reliability and availability of this data is critical to our mission and is a top concern in information services,” says Don Waters, vice president of engineering services at Providence St. Joseph Health Information Services. “It’s delivering the right data at the right time to the right place of care every single day.”
Ensuring the accessibility of patient data is also a chief concern according to Mario Lanza, MD, FAAFP, MRO. Lanza is president and medical director of Anchorage-based Alyeska Family Medicine, a full-service clinic that provides services ranging from diagnosing and treating acute and chronic illnesses to routine health screenings and lifestyle counseling. Lanza is committed to taking a comprehensive approach to protecting patient information. “Patients rely on us to have their medical records available when they come in for care,” Lanza says. “Computers fail and hard drives fail. If we were to lose access to the data, it would be catastrophic.”
Lanza is adamant about ensuring Alyeska Family Medicine’s data is reliably backed up, and he feels the cost of maintaining proper data backup and security is money well-spent. “The potential cost of losing all of your data is astronomical,” he says. “If we lost our entire database, we would be out of business.”
IT security is a top priority for Alyeska Family Medicine—especially given the potential threat of ransomware, hacking, and other similar risks. And Lanza appreciates the triple-redundancy system that DenaliTEK uses to back up Alyeska Family Medicine’s data.
DenaliTEK employs a 3-2-1 backup strategy for all of its clients—regardless of their industry. It stores client data in three places: two local devices and one cloud storage location, according to Todd Clark, president of DenaliTEK, which specializes in managed IT services. Some people might feel this approach to data backup and security is overkill, but not Clark. He prefers to use an all-inclusive approach to data backup with health organizations and other businesses. He says: “We happen to think that all of the security and disaster recovery elements of HIPAA [Health Insurance Portability and Accountability Act] are not overkill for any business…We never want to be in the position of saying we can’t get your data.”
HIPAA Compliance and Data Backup
Beyond the practical side of data backup and security, healthcare facilities have a legal responsibility to safeguard people’s information under HIPAA, which in part is designed to reduce the administrative costs of healthcare—particularly through the promotion of electronic recordkeeping—and to increase the security and portability of patient records. Essentially, it strives to protect patient privacy while promoting electronic recordkeeping.
HIPAA applies to all healthcare providers, health plans, and clearing houses—collectively known as covered entities—that electronically maintain or transmit the health information of individuals. Covered entities, as well as their business associates, are obliged to maintain appropriate measures that address the physical, technical, and administrative aspects of patient data (information) privacy. These entities also must have security guidelines in place as part of HIPAA’s Standards for Security of Electronic Protected Health Information, often referred to as the Security Rule. Under the Security Rule, covered entities are required to ensure the confidentiality, integrity, and availability of all the data they create, receive, maintain, or transmit. They also must identify and protect against reasonably anticipated threats to the security or integrity of the information as well as protect against reasonably anticipated, impermissible uses or disclosures.
HIPAA also requires covered entities to implement a contingency plan to prepare for a major data loss that could result from a natural disaster, computer virus attack, or other emergencies. The contingency planning has to include a data backup plan to create and maintain retrievable exact copies of EPHI, a disaster recovery plan to restore any loss of data, and an emergency mode operation plan to enable the continuation of critical business processes for protection of the EPHI while operating in emergency mode.
For Alyeska Family Medicine, a contingency plan was a virtual lifesaver when the clinic’s primary server crashed ten years ago. During the crisis, a corruption of the database on the server threatened to wipe out several days’ worth of data. Thankfully, the clinic had a reliable, clean copy of the data stored in the cloud. “If it wasn’t for the fact that we had our database backed up in the cloud, Alyeska would have been devastated,” Lanza says.
Clark is a huge proponent of using the cloud for offsite data backup. Cloud backup is a secure option, he says. And it gives organizations a viable way to regain data lost through malicious viruses, crippling ransomware, and other computer problems. “If we put the data in the cloud, then we have something we can restore from in the worst possible scenario,” he says.
Data Backup and Storage Solutions
Healthcare organizations can use a myriad of solutions to meet HIPAA’s requirements for maintaining and protecting patient data. Most health facilities are understandably reluctant to disclose details about the specific computer software and tactics they use to safeguard their data during backup and storage. However, their backup solutions generally address the following areas to ensure HIPAA compliance: user authentication through passwords, role-based access, data encryption, offsite storage, storage facility security, and reporting.
At Providence, for instance, the backup and recovery model is driven by the characterization of the data involved. Providence has a very geo-diverse health system footprint, and it uses all of its locations to help ensure data recoverability, security, and accessibility. Backups and data replication are constantly occurring throughout Providence’s health system. “We have a large portfolio of backup technologies throughout our health system,” says Waters, who is based in Anaheim, California. “Each is tailored to support a variety of data systems types and the critical nature of the data to our care operations.”
The frequency of backups at Providence depend on the classification of the data. Some backups take place in real time; others happen at regular intervals. “Creating frequent backups of our data taken at frequent intervals ensures the data availability and integrity and ensures our ability to restore critical patient data should there be an event that impacts the access or availability of the data,” Waters says.
Providence also conducts regular testing to ensure the recoverability of data in case of a major disaster. “We have implemented technology solutions that allow for sustaining clinical care continuity in the event of a significant disaster as well as the ability to completely restore an exact copy of all EPHI,” Waters explains.
As part of its data security strategy, Providence uses strict measures to determine who can gain physical access to the major data centers that host its technology infrastructure. These data centers maintain limited access controls for different users as well as device and media controls. In some cases, individuals must be escorted onto the premises and into the data center. “Access is largely managed by a roles-based access controls, governed by what you do in service to the organization as a care provider,” Waters says.
Like Providence, Alyeska Family Medicine takes a multifaceted approach to backing up and securing patient data. In addition to backing up data in three different places, “When it’s here on our server, it requires two passwords for someone to access it,” Lanza says.
Protecting Data During Transmission
Providence has implemented a number of technical security measures to safeguard EPHI against unauthorized access while it is being transmitted over an electronic communications network. For instance, there are integrity controls to help ensure that in-transit EPHI is not improperly modified without detection.
A primary method for protecting the integrity of EPHI being transmitted is through the use of network communications protocols as well as data encryption. Encryption is a method of converting an original message of regular text into encoded or unreadable text that is eventually decrypted into plain comprehensible text. “In general, these protocols, among other things, ensure not only the security of the data but also the data integrity while being transmitted from one location to another,” Waters says.
Any time data is transmitted offsite, it should be encrypted, Clark says. Different manufacturers have their own type of encryption technology. But, in general, encryption involves securing data in transit and at rest (in databases and file systems). In a normal situation, data is encrypted by the backup software at the healthcare facility, and this encrypted backup is sent over the wire to a data center that is in compliance with HIPAA. “Typically, we would have a business associates’ agreement with that data center so that they are in agreement with the HIPAA privacy rules.”
Backup Trends and Tips
A number of trends are emerging in the areas of data backup and data security. For instance, Waters is seeing a significant increase in cloud security application across the technology industry, with many startups focusing on cloud threat detection.
Also, the cloud is an integral part of the backup and recovery market in different industries, Waters says. The global cloud backup and recovery market is expected to grow 14 percent from 2018 to 2022, according to research by Gartner Inc.
Clark has noticed a significant increase in ransomware, which is a huge threat to healthcare organizations. “Not only can ransomware bring a business to its knees, but there’s a good chance they can’t get their data back if it’s not on backup,” he says. “And there’s no guarantee they can get their data back even if they pay the ransom.”
As a word of advice, Clark encourages healthcare organizations to evaluate backups around the 3-2-1 rule. They also should make sure backups are working effectively, check their logs daily, and run a test restore monthly. It’s also important to have an advanced antivirus solution running on every computer, ensure all operating systems are patched to the current levels, and have an up-to-date and well-maintained fire wall.
And as an often-overlooked area, organizations must train all employees on cyber security awareness. Security breaches can easily occur if an unsuspecting employee visits a website infected with malware, falls for a phishing email scam, or installs a malware-infected thumb drive. “It’s impossible to fortify a system well enough that an employee making a mistake online or otherwise couldn’t circumvent all of the security controls,” Clarks says. “User training is an important part of a security plan.”
Tracy Barbour has been an Alaska Business contributor since 1999. As a former Alaskan, she is uniquely positioned to offer in-depth insight and enjoys writing about a variety of topics.