Preparing your healthcare organization for the high stakes game of data security

Topics: Healthcare IT Management

Security breaches are one of those things that no healthcare IT professional wants to think about. Even so, it is critical for healthcare organizations of all sizes to take every reasonable precaution to prevent the exposure of patient data.



Although there can be significant costs associated with properly securing an organization’s data, the cost of a security breach can potentially be much higher.


HIPAA requires covered entities to report breaches of unsecured protected health information, and a breach can bring very stiff penalties. Before the HITECH Act, civil penalties were capped at $25,000 per year for violations of an identical provision; HITECH raised that annual cap to $1.5 million. Knowing misuse of patient data can also be prosecuted criminally, with fines of up to $250,000 and imprisonment on top of any civil penalty.

As if the penalties imposed under HIPAA weren't enough, additional penalties may be imposed at the state level. Most states also require that individuals be notified if their personally identifiable information has been compromised. Not only are there costs associated with the notification process, but patients may choose to pursue litigation in response to the breach. It has also become customary for organizations to provide credit monitoring or identity theft protection to those whose personal information was exposed.

The aftermath of a security breach can be devastating to a healthcare organization. The total cost of an incident varies widely depending upon the nature of the incident, the size of the organization, the data that was exposed, and the enforcement action regulators take on behalf of the affected patients. Even so, there have been many recorded incidents of healthcare organizations receiving fines in excess of $1 million.

No healthcare organization can afford to have inadequate security. The fines, reporting costs, legal defenses, and the potential for criminal charges have caused data security to become a very high stakes game in the world of healthcare. Of course this raises the question of what organizations should be doing today in order to ensure that they do not suffer a security breach and its aftereffects.

Perform your own compliance audit

One of the first steps that organizations should take to prevent security breaches is to perform their own internal compliance audit. A HIPAA compliant organization maintains a set of documentation detailing how data is to be handled and secured within the organization. The goal behind an internal security audit is to compare this documentation against the configurations and practices that are actually being used in the organization today.

The goal of the internal audit is to track down security deficiencies and correct them so that the organization's practices match the procedures outlined in its HIPAA compliance documentation. For example, IT staff should verify that every disk and removable device holding patient health data is encrypted, that access to sensitive data follows the principle of least privilege (each account holds only the permissions its documented role needs, and every role that holds access is actually defined in the policy), and that reviews the policy says happen, such as access-log reviews, are really taking place.
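The comparison the audit describes, documented policy on one side and observed configuration on the other, is easiest to do mechanically. The following is an added example, not code from the article or from any vendor; the policy document, the volume inventory and the access-grant export are constructed sample data standing in for an organization's own policy repository, endpoint management system and directory or ACL exports.

```python
"""Internal HIPAA compliance audit: compare documented policy with observed state.

Added example. POLICY, VOLUMES and GRANTS are constructed sample data; in a real
audit they would be loaded from the policy repository, the endpoint management
system and a directory/ACL export respectively.
"""
from dataclasses import dataclass

# Permission levels ordered from least to most privileged, so a grant can be
# compared against the maximum its role is documented to need.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# --- Documented policy (constructed sample) --------------------------------
POLICY = {
    "phi_volumes_must_be_encrypted": True,
    # Least privilege: the highest level each role may hold on PHI data sets.
    "max_level_by_role": {
        "clinician": "write",
        "billing": "read",
        "researcher": "none",   # de-identified extracts only, never raw PHI
        "dba": "admin",
    },
}

# --- Observed state (constructed sample exports) ----------------------------
VOLUMES = [
    {"host": "ehr-db-01", "mount": "/data/phi", "holds_phi": True,  "encrypted": True},
    {"host": "lab-ws-17", "mount": "D:",        "holds_phi": True,  "encrypted": False},
    {"host": "web-01",    "mount": "/var/www",  "holds_phi": False, "encrypted": False},
]
GRANTS = [
    {"user": "jdoe",   "role": "clinician",  "dataset": "phi_records", "level": "write"},
    {"user": "asmith", "role": "billing",    "dataset": "phi_records", "level": "write"},
    {"user": "rlee",   "role": "researcher", "dataset": "phi_records", "level": "read"},
    {"user": "dba1",   "role": "dba",        "dataset": "phi_records", "level": "admin"},
    {"user": "ghost",  "role": "contractor", "dataset": "phi_records", "level": "read"},
]


@dataclass
class Finding:
    control: str   # which documented control the deviation is against
    subject: str   # host:mount or user name
    detail: str


def audit_volumes(volumes, policy):
    """Flag any volume that holds PHI but is not encrypted."""
    findings = []
    if not policy["phi_volumes_must_be_encrypted"]:
        return findings
    for v in volumes:
        if v["holds_phi"] and not v["encrypted"]:
            findings.append(Finding("encryption-at-rest", f'{v["host"]}:{v["mount"]}',
                                    "PHI volume is not encrypted"))
    return findings


def audit_grants(grants, policy):
    """Flag grants above the documented maximum for the role, and grants held by
    roles the policy never defines (an undocumented role is itself a finding:
    least privilege cannot be assessed for it)."""
    findings = []
    max_by_role = policy["max_level_by_role"]
    for g in grants:
        allowed = max_by_role.get(g["role"])
        if allowed is None:
            findings.append(Finding("least-privilege", g["user"],
                                    f'role "{g["role"]}" is not defined in policy'))
        elif LEVELS[g["level"]] > LEVELS[allowed]:
            findings.append(Finding("least-privilege", g["user"],
                                    f'{g["role"]} holds {g["level"]} on {g["dataset"]}, '
                                    f'policy allows {allowed}'))
    return findings


def run_audit(volumes=VOLUMES, grants=GRANTS, policy=POLICY):
    """Return every deviation between policy and observed state."""
    return audit_volumes(volumes, policy) + audit_grants(grants, policy)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.control}] {f.subject}: {f.detail}")
```

Run against the sample data, the audit reports one unencrypted PHI volume (the lab workstation) and three least-privilege deviations: a billing user with write access, a researcher with any access at all, and a contractor whose role the policy does not define. The point of the last case is that an audit which only checks levels for known roles silently passes whatever the policy forgot to mention.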

It's also important to note that HIPAA obligations extend to third-party vendors (business associates). Hospitals and other covered entities must have a business associate agreement in place with each partner that handles protected health information, and must satisfy themselves that those partners meet HIPAA privacy and security obligations as well.


Take steps to limit data loss

Security breach prevention is about keeping the bad guys out of the network, but it is also about keeping sensitive data from walking out the front door. There have been documented incidents in which healthcare organizations have been heavily fined because an employee lost a USB flash drive containing patient health data.

Even if an organization does not allow USB flash drives or similar removable media, it needs to make sure that any data that leaves a facility is properly protected, because anything that leaves can be misplaced, lost or stolen. Encryption is the difference between an inconvenience and a reportable breach: under the HIPAA Breach Notification Rule, protected health information that was encrypted in line with HHS guidance is not "unsecured", so losing a properly encrypted drive generally does not trigger notification, whereas losing an unencrypted one does, with all the consequences described above.

Companies that back up to tape will want to make sure that their process uses a secure chain of custody, so that the risk of media being compromised, with the associated fines and penalties, or of an inadvertent disclosure of sensitive information is minimized. The tapes themselves should also be encrypted, so that chain of custody is a second line of defense rather than the only one.
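Two checks a practitioner would want to automate before any media or export leaves the building are that what is leaving is actually ciphertext and that the receiving site can prove it arrived unaltered. The following is an added example, not code from the article or from any vendor service. It uses a byte-entropy heuristic as a tripwire for unencrypted content and a keyed manifest (HMAC-SHA256) for integrity; the sample files, the manifest key and the `pseudo_ciphertext` stand-in for real encrypted output are all constructed so the example runs offline.

```python
"""Pre-shipment check for backup media and removable-media exports.

Added example. Before a backup set is handed to a courier or uploaded it
(1) refuses any file that does not look like ciphertext, using a byte-entropy
heuristic, and (2) writes an HMAC-SHA256 manifest so the receiving site can
verify the set arrived intact and unaltered. Files, key and the pseudo
ciphertext generator are constructed sample data, not real backup output.
"""
import hashlib
import hmac
import json
import math
from collections import Counter

MANIFEST_KEY = b"constructed-demo-key"  # assumption: a real key lives in an HSM/KMS
ENTROPY_THRESHOLD = 7.0   # bits per byte; well-encrypted data scores close to 8.0
MIN_BYTES = 1024          # entropy of very short files is not meaningful


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic tripwire: plaintext PHI (CSV, HL7, PDF text) sits far below the
    threshold, ciphertext near 8.0. Compressed archives also score high, so a
    pass is not proof of encryption; a fail is strong evidence of a problem."""
    return len(data) >= MIN_BYTES and byte_entropy(data) >= ENTROPY_THRESHOLD


def build_manifest(files: dict, key: bytes) -> dict:
    """Return {name: sha256} plus an HMAC over the canonical listing. Raises if
    any file fails the ciphertext check, so an unencrypted export never ships."""
    digests = {}
    for name, data in sorted(files.items()):
        if not looks_encrypted(data):
            raise ValueError(f"{name}: not ciphertext "
                             f"(entropy {byte_entropy(data):.2f} bits/byte)")
        digests[name] = hashlib.sha256(data).hexdigest()
    listing = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests,
            "hmac": hmac.new(key, listing, hashlib.sha256).hexdigest()}


def verify_manifest(files: dict, manifest: dict, key: bytes) -> bool:
    """Receiving side: check the HMAC first (constant-time compare), then that
    exactly the listed files arrived and every digest matches."""
    listing = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, listing, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False
    if set(files) != set(manifest["files"]):
        return False
    return all(hashlib.sha256(data).hexdigest() == manifest["files"][name]
               for name, data in files.items())


def pseudo_ciphertext(seed: bytes, size: int) -> bytes:
    """Deterministic stand-in for encrypted output so the example runs offline:
    a SHA-256 chain has the near-uniform byte distribution real ciphertext has."""
    out, block = b"", seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


# Constructed sample export: two encrypted backup volumes, plus a raw CSV that
# someone copied onto the same media by mistake.
ENCRYPTED_SET = {
    "vol1.enc": pseudo_ciphertext(b"vol1", 4096),
    "vol2.enc": pseudo_ciphertext(b"vol2", 4096),
}
PLAINTEXT_CSV = b"mrn,last,first,dob,dx\n" + b"".join(
    b"%07d,Doe,Jane,1970-01-%02d,E11.9\n" % (i, i % 28 + 1) for i in range(100))

if __name__ == "__main__":
    manifest = build_manifest(ENCRYPTED_SET, MANIFEST_KEY)
    print("manifest verifies:", verify_manifest(ENCRYPTED_SET, manifest, MANIFEST_KEY))
    try:
        build_manifest({**ENCRYPTED_SET, "export.csv": PLAINTEXT_CSV}, MANIFEST_KEY)
    except ValueError as e:
        print("blocked:", e)
```

The manifest key must never travel with the media; it belongs at both endpoints, ideally in a key management service, so that an attacker who obtains the tapes cannot simply rewrite the manifest to match substituted contents. The entropy check is deliberately a gate on the way out rather than a report: a plaintext file on outbound media is exactly the lost-USB-drive scenario, and the cheapest time to catch it is before the drive leaves.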

Iron Mountain offers an Offsite Tape Vaulting service that uses the industry's tightest security protocols for media in transit. A well-vetted, rigorously trained Iron Mountain driver will be the only individual who handles a customer's media as it moves between the health facility and Iron Mountain's location. Media is scanned and the company is notified at every transition point, so they'll always know the location and status of their tapes when they are outside of the company's walls.

Develop a secure backup and archival strategy

With some studies citing 80% of IT managers planning to use cloud services for backups in the next five years (if they are not already using them), many analysts have predicted the demise of tape-based backups. In reality, however, healthcare IT pros have begun to realize that tape and cloud are complementary solutions rather than an either/or choice for backups.

Tape-based backups offer low cost, a long shelf life, and the advantage of offline storage: a copy that is not connected to anything cannot be encrypted by ransomware or reached by an attacker who has compromised the network. Cloud-based storage has advantages of its own, including immediate access to backups and the ability to retrieve data from anywhere in the world.

Because cloud-based data is so readily accessible, the importance of cloud security cannot be overstated. Sensitive data must be encrypted in transit to and from the cloud provider and at rest in the provider's storage, and the organization should know who holds the keys: if the provider holds them, the provider, and anyone who compromises the provider, can read the data. Under the HIPAA Security Rule, encryption is an "addressable" specification rather than a strictly required one, but an organization that chooses not to encrypt must document why and implement an equivalent safeguard, and unencrypted electronic PHI that is exposed is a reportable breach.

HIPAA does allow healthcare providers to use cloud storage, but data stored in the cloud is subject to the same security mandates as on-premises data, and a cloud provider that stores or processes electronic PHI is a business associate that must sign a business associate agreement. As such, it is essential to choose a cloud service provider that will sign one and has a proven track record for maintaining data security and adhering to HIPAA standards. Iron Mountain provides secure cloud backup and archival solutions, and can also assist organizations with striking a balance between tape and cloud so that both technologies are used in the way that delivers the greatest benefit to the organization.

Don’t go it alone

Even though there are some simple things that healthcare organizations can do to prevent security breaches and accidental data exposure, establishing comprehensive security in a regulated healthcare environment is anything but simple. One of the most effective ways to maintain security and prevent costly breaches is to work with a partner who has a track record in protecting and securing healthcare information.

Iron Mountain combines a deep understanding of the HIPAA rules with its own experience delivering solutions at leading healthcare institutions to provide a highly compliant approach to archiving, backup and disaster recovery of medical information. By employing best-practice procedures and technologies that protect electronic patient information, Iron Mountain can provide the solutions healthcare organizations need to prepare for the "worst-case scenario" and reduce the variety of threats faced in this digital era, as awareness of and requirements for protecting health information continue to grow. The company offers best practices for keeping up with ever-evolving regulations, while providing secure and compliant media management. Find out more about Iron Mountain Healthcare Solutions.


Do you have more questions about your current Health Information and Management strategy? Read additional Knowledge Center stories on this subject, or contact Iron Mountain’s consulting services team. You’ll be connected with a knowledgeable product and services specialist who can address your information management challenges.

Related News:

Evaluating a hybrid approach to offsite data storage

Healthcare Solutions: Five Steps to Optimal HIPAA Compliance