Is Your Backup Data Secured?


In January 2017, a HIPAA-covered Texas clinic learned that someone had stolen an unencrypted external hard drive from a locked closet inside the clinic. The clinic used that drive to back up patients' protected health information (PHI), so it held seven years' worth of records: names, dates of birth, driver's license numbers, SSNs, medical record numbers, diagnoses, lab test results, and medications.

Where did the clinic go wrong? The lock kept outsiders away from the drive, but it did nothing to protect the data from anyone who already had access to the closet, and because the drive was unencrypted, whoever walked off with it could read every record on it. That is why you must examine not only where you keep your data but what protects it there. You may use a cloud service, a local server, or a physical hard drive. Regardless of where you keep it, HIPAA requires you to protect the confidentiality, integrity, and availability of all PHI in your possession, including backup data.

The best defense against inappropriate access to backup data is to encrypt every device and system that houses PHI. Under the HIPAA Security Rule, however, encryption and decryption is an addressable implementation specification rather than a required one. Addressable does not mean optional: you must implement encryption if it is reasonable and appropriate for your environment, and if it is not, you must document why and put an equivalent alternative measure in place. Is encryption reasonable and appropriate for your backups? Most likely, it is. If not, what alternative will you use? You answer these questions, and record the answers, during your security risk analysis. Keep in mind that encryption protects a lost or stolen drive only if the key does not travel with it: a passphrase written on the enclosure, or a key file stored on the same disk, leaves you no better off than the clinic above.
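As an added example (not part of the original post, and not HIPAAtrek's own code), the following Python script checks whether a backup image or device carries a recognizable full-disk-encryption header (LUKS or BitLocker) and, if it does not, measures the entropy of a sample of the data area. The sample images are constructed inline and contain no real PHI. The entropy threshold of 7.5 bits per byte is an assumed heuristic: compressed data is also high-entropy, so an entropy-only "encrypted" verdict is a flag for manual review, not proof, and the report records the reason so it can go straight into the risk-analysis file.

```python
"""Check whether a backup image or device is encrypted at rest.

Added example, not from the original post. Assumptions:
  - LUKS1/LUKS2 headers begin with b"LUKS\xba\xbe" followed by a big-endian version.
  - BitLocker volumes carry "-FVE-FS-" as the OEM name at offset 3 of the boot sector.
  - 7.5 bits/byte is an assumed entropy threshold; compression also yields high entropy.
The sample images at the bottom are constructed for illustration and hold no real PHI.
"""
import hashlib
import math
from dataclasses import dataclass

LUKS_MAGIC = b"LUKS\xba\xbe"      # offset 0, followed by a 2-byte big-endian version
BITLOCKER_OEM = b"-FVE-FS-"       # OEM name field at bytes 3..10 of the boot sector
SECTOR = 512
ENTROPY_THRESHOLD = 7.5           # assumed heuristic, bits per byte


@dataclass
class EncryptionReport:
    container: str     # "LUKS1", "LUKS2", "BitLocker", or "none"
    entropy: float     # Shannon entropy (bits/byte) of the sampled data area
    encrypted: bool    # best-effort verdict
    reason: str        # why the verdict was reached, for the risk-analysis record


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random, English text is roughly 4 to 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_container(header: bytes) -> str:
    """Identify a known encryption container from the first sector."""
    if header.startswith(LUKS_MAGIC) and len(header) >= 8:
        version = int.from_bytes(header[6:8], "big")
        if version in (1, 2):
            return f"LUKS{version}"
    if header[3:11] == BITLOCKER_OEM:
        return "BitLocker"
    return "none"


def assess_image(image: bytes, sample_len: int = 4096) -> EncryptionReport:
    """Classify an image: known container first, entropy of the data area second."""
    container = detect_container(image[:SECTOR])
    # Skip the header sector so metadata does not skew the entropy of the data area.
    sample = image[SECTOR:SECTOR + sample_len] or image
    entropy = shannon_entropy(sample)
    if container != "none":
        return EncryptionReport(container, entropy, True, f"{container} header present")
    if entropy >= ENTROPY_THRESHOLD:
        return EncryptionReport(container, entropy, True,
                                "no known header; high entropy (encrypted or compressed, verify manually)")
    return EncryptionReport(container, entropy, False,
                            "no known header; low entropy, data is readable plaintext")


def assess_path(path: str, length: int = SECTOR + 4096) -> EncryptionReport:
    """Read the first sectors of a device or image file, e.g. /dev/sdb or backup.img."""
    with open(path, "rb") as f:
        return assess_image(f.read(length))


# --- Constructed sample images (no real data) ---------------------------------
def _pseudo_random(nbytes: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                   for i in range(nbytes // 32 + 1))
    return out[:nbytes]


_CIPHERTEXT = _pseudo_random(4096)
_RECORD = (b"Name: Jane Example; DOB: 01/01/1970; MRN: 0000000; "
           b"Dx: example diagnosis; Rx: example medication\n")

LUKS_IMAGE = (LUKS_MAGIC + (2).to_bytes(2, "big")).ljust(SECTOR, b"\x00") + _CIPHERTEXT
BITLOCKER_IMAGE = (b"\xeb\x58\x90" + BITLOCKER_OEM).ljust(SECTOR, b"\x00") + _CIPHERTEXT
PLAINTEXT_IMAGE = b"\xeb\x3c\x90MSDOS5.0".ljust(SECTOR, b"\x00") + (_RECORD * 64)[:4096]

if __name__ == "__main__":
    for name, img in [("luks", LUKS_IMAGE), ("bitlocker", BITLOCKER_IMAGE),
                      ("plaintext", PLAINTEXT_IMAGE)]:
        r = assess_image(img)
        print(f"{name:10s} container={r.container:9s} entropy={r.entropy:.2f} "
              f"encrypted={r.encrypted}  {r.reason}")
```

Run it against a real drive with `assess_path("/dev/sdb")` (root needed) or against a backup file with `assess_path("backup.img")`. A "none / low entropy" result on a drive that is supposed to hold PHI backups is exactly the condition the clinic above was in, and it should be treated as a finding in the risk analysis rather than as a configuration detail.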

Contact us to learn how the HIPAAtrek platform can help you manage security at your organization, or request a demo.

Read more: How to Safely Manage Your Mobile Media

Need More Guidance? Grab Our PHI Decision Tree!

This simple cheat sheet makes it easy to recognize every time you’re interacting with protected health information.



You Might Also Like

Double Extortion: What It Is, and How You Can Prevent It

If organizations refuse to pay the ransom, attackers threaten to release the data publicly, which of course includes sensitive information and PHI. Before double extortion, we assumed that hackers could not actually access our data and were only withholding it from victims to disrupt their ability to continue their work. Now we know they can extract this information and publish it online, breaching our patients' security.
