Data breach vulnerabilities overlooked when PHI data disclosed to hospital “Business Associates”
Las Vegas, NV – HIMSS 2012 Conference and Expo (Booth # 13521) – DriveSavers Data Recovery, the worldwide leader in data recovery services, announced today risks that healthcare organizations should be aware of when using third-party data recovery service providers that are not HIPAA compliant or not properly vetted for security protocols. As the healthcare industry rapidly becomes digitized, the risks of data breach are unprecedented. In 2011, health data breaches in the US increased 97 percent over the year before, according to a recent report by Redspin, a leading provider of IT security assessments. Data breaches cost the healthcare industry an estimated $6.5 billion last year. Redspin cites insufficient oversight of PHI (protected health information) disclosed to hospital “business associates” (third-party vendors) as one of the main reasons for the increase.
According to HIPAA federal law, the legal burden of protecting patient data while it is at a business associate falls on the health organization that contracted the service with that business. Therefore, if a data breach occurs while PHI data is being recovered at a third-party data recovery service provider, the healthcare organization that contracted the service is responsible for what could turn out to be a very costly, reportable data breach.
How Healthcare Organizations may be Vulnerable to Data Breaches Using Data Recovery
There are several areas where a healthcare organization’s PHI records may be vulnerable to data breach when using a data recovery service provider.
- Risk of permanent data loss if software tools are used improperly or the device is not opened in an ISO Class 5 Cleanroom and media platters are exposed to airborne contaminants
- Risk of improper downloading or ID theft of PHI data
- Risk of outside breach from hackers if data is stored on an unprotected network
- Risk of PHI data exposure if damaged drives are not destroyed with a DoD approved degausser or shredder
- Risk of viruses or malware being returned on new drive with recovered data
Using a data recovery vendor that does not have proper protocols in place to protect PHI can lead to the loss or theft of sensitive and confidential information. As a result, the healthcare organization could suffer major business disruption, huge financial and legal costs, a damaged brand name, the firing of the management, IT staff and IT security personnel involved in the data recovery selection process and, in some cases, a complete shutdown.
NYC Hospital Properly Vets Data Recovery Firm and Safely Recovers 200,000 Patient Records
Healthcare organizations that have policies and guidelines in place for selecting and using data recovery service providers can avoid the risks of a data breach. A large public hospital in New York City had a RAID 5 server fail due to a mechanical failure. The server stored the hospital’s database of over 200,000 patient records.
Knowing that healthcare organizations must meet the most stringent data security guidelines by law, the NYC hospital’s IT team thoroughly vetted their prospective business associate, DriveSavers, to ensure that the company adhered to HIPAA Data Security Guidelines before sending PHI data to their facilities. DriveSavers has achieved compliance with the data security standards outlined in the Health Insurance Portability and Accountability Act (HIPAA).
DriveSavers successfully recovered the hospital’s PHI data in a Certified ISO Class 5 Cleanroom that has been audited and certified to meet ISO 14644-1 standards. Engineers and employees at DriveSavers have all undergone background checks. The data recovered was stored on the company’s certified secure network, which is audited annually as part of a SOC 2 Type II certification process. The hospital’s IT team received the restored data on a new storage device; the old, damaged drive was permanently and securely degaussed following HIPAA guidelines for destroying hard drives.
DriveSavers is leading the data recovery market by investing in technology, research, equipment, new facilities and training so that it meets the rigorous security demands of the healthcare industry. In addition to being compliant with HIPAA Data Security Guidelines and undergoing annual SOC 2 Type II audits, the company also adheres to U.S. Government security protocols, the Gramm-Leach-Bliley Act Data Security Rule (GLBA), the Data at Rest mandate (DAR) and the Sarbanes-Oxley Act (SOX). DriveSavers engineers have received certifications for completing extensive training programs from leading encryption software vendors, including GuardianEdge, PGP, Pointsec (Check Point Software Technology) and Utimaco.
DriveSavers can successfully recover lost data from encrypted hardware, software, email, network files, wireless device data and all storage/backup devices. Companies that have trusted DriveSavers with their critical data include: CompuCom Systems, Inc., eBay, NASA, Weill Cornell Medical Center and UCLA Medical Center.
DriveSavers Data Recovery, the worldwide leader in data recovery services, provides the fastest, most reliable and only certified secure data recovery service in the industry. DriveSavers is the only data recovery company to post proof of annual company-wide SOC 2 Type II Audit, the Corporate Industry’s standard for an overall control structure. DriveSavers High Security Service adheres to U.S. Government security protocols to ensure that no data is ever compromised during the data recovery process. DriveSavers maintains the most technologically advanced Certified ISO Class 5 (Class 100) Cleanroom in the industry and is authorized to open drives by all major storage device manufacturers without voiding the warranty. DriveSavers engineers recover lost data from all storage devices and all operating systems and are trained and certified in all leading encryption and forensic technologies. Satisfied customers include: Bank of America, Google, Lucasfilm, NASA, Harvard University, Salvation Army and The Rolling Stones.