Since 2020, healthcare organizations have had to deal not only with a global pandemic but also with a sharp increase in cybersecurity threats. From 2018 to 2021, attacks on the healthcare industry increased by 84%, impacting 14 million individuals in 2018 compared to 44.9 million in 2021.
Secure data storage and management practices are what keep sensitive protected health information (PHI) safe from cyber threats in the healthcare industry. These practices are also subject to a variety of legal and regulatory requirements, including the Health Insurance Portability and Accountability Act (HIPAA).
As cyberattacks increase in frequency and complexity, healthcare organizations must manage and store health information securely and in compliance with industry standards. In this article, we will explore the top five best practices for healthcare data storage to overcome the challenges in today’s increasingly digital environment.
Challenges with healthcare data storage and management
From 2009 to 2021, data breaches impacted almost 315 million healthcare records. Healthcare data is highly sensitive and more valuable to hackers and other cybercriminals than other types of personal information. For example, credit card numbers sell for around $5 each on the dark web, but medical records can sell for $250–1,000 each.
While a compromised credit card can be canceled, the perceived value of medical records stems from their unalterable data points. This is because a single medical record can contain an array of personal information, such as the individual’s social security number, health insurance coverage, payment data, and more. The information gained from compromised healthcare records can be sold or used for personal gain.
With the current threat landscape and the ramifications of improper data storage, healthcare organizations should consider implementing the following five best practices for data storage and management.
1. Implement file-level encryption
Encryption scrambles the contents of a data file so that only authorized individuals can read it. To recover the information, a user needs the correct key; without it the file is unintelligible. By encrypting sensitive files, healthcare organizations limit the impact of data breaches, prevent unauthorized access, and comply with applicable regulations.
For example, HIPAA, PCI-DSS, and GLBA rules all require encryption at rest and in transit to ensure the privacy of sensitive data. Data at rest is inactive, which means it is stored on a server, database, flash drive, mobile device, backup storage, or other designated location. Data in transit is traveling between systems or devices. Encrypting both ensures comprehensive data security.
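To make the "at rest" half of this concrete, here is an added example (not code from the article or from WinZip) of file-level encryption using AES-256-GCM from the Go standard library. It seals a file under a random key, binds the file name as associated data so a sealed file cannot be quietly swapped for another, and refuses to decrypt anything that has been modified. The file names, the sample record, and the key handling are constructed for illustration; a real deployment would obtain the key from a key-management system rather than generating it beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// NewKey returns a fresh 256-bit key for AES-256-GCM. In a real deployment the
// key comes from a key-management system and is never stored beside the file.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key and returns nonce || ciphertext || tag.
// label is bound as associated data (here the file name) so that one sealed
// file cannot be silently substituted for another without failing the tag.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. Any change to the blob, or a different label, makes the
// authentication tag check fail and returns an error rather than corrupt data.
func Open(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// EncryptFile seals src into dst, using the destination file name as the
// label, and writes the result with owner-only permissions.
func EncryptFile(key []byte, src, dst string) error {
	pt, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	blob, err := Seal(key, pt, []byte(filepath.Base(dst)))
	if err != nil {
		return err
	}
	return os.WriteFile(dst, blob, 0o600)
}

// DecryptFile opens a file produced by EncryptFile and returns its plaintext.
func DecryptFile(key []byte, path string) ([]byte, error) {
	blob, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return Open(key, blob, []byte(filepath.Base(path)))
}

func main() {
	dir, _ := os.MkdirTemp("", "phi-demo")
	defer os.RemoveAll(dir)
	src := filepath.Join(dir, "patient-0001.txt")
	// Constructed sample record; not real patient data.
	_ = os.WriteFile(src, []byte("MRN 0001; insurer: ExampleCare"), 0o600)
	key, _ := NewKey()
	if err := EncryptFile(key, src, src+".enc"); err != nil {
		panic(err)
	}
	pt, err := DecryptFile(key, src+".enc")
	fmt.Printf("decrypted %q, err=%v\n", pt, err)
}
```

The authenticated mode matters as much as the cipher: with GCM, a flipped byte in the stored file or a wrong key produces an error instead of silently corrupted PHI, which is the property an "encryption at rest" control should be checked for.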
2. Manage the business associate relationship
Healthcare organizations often rely on third parties to manage various aspects of day-to-day operations. Like the organization itself, any third party that handles PHI is subject to HIPAA rules. When it comes to the security of PHI, the responsibilities held by the covered entity and its business associates are detailed in a business associate agreement (BAA).
It’s important to assess potential and current third-party vendors to keep data secure. This includes conducting risk assessments, which are required by HIPAA to help organizations identify data vulnerabilities in their current operations. Should a data breach occur, both parties can be held financially liable.
However, penalties for HIPAA violations are tiered based on factors that contributed to the breach. In essence, unknown/unavoidable violations are treated less harshly than those that constitute willful neglect of HIPAA rules. This makes it vital to have comprehensive BAAs with reputable third-party providers.
3. Protect data backups
Backing up organizational data is an integral part of information management. Organizations that back up their data are protected if the original dataset is lost or compromised. When developing a comprehensive backup strategy, healthcare entities should ensure that file backups are stored in multiple formats and locations. This is known as the 3-2-1 rule: keep three copies of your data, on two different types of storage media, with one copy stored offsite. A 3-2-1 backup strategy reduces the negative impact of a single point of failure.
For comprehensive data protection, healthcare organizations should leverage a combination of full, differential, and incremental backup methods. A full backup duplicates all existing files, while a differential backup only copies files that were added or changed after the last full backup. An incremental backup is the fastest option of the three because it only copies data added or changed since the last backup—full or differential.
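The following is an added example, not code from the article or from WinZip, that turns the two ideas above into checkable logic: which files a full, differential, or incremental run has to copy given the time of the last full backup and the time of the last backup of any kind, and whether a set of stored copies actually satisfies 3-2-1. The file list, dates, and copy locations are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"time"
)

// BackupMode selects which files a backup run copies.
type BackupMode int

const (
	Full BackupMode = iota
	Differential
	Incremental
)

// FileState is one file in the dataset: its path and last-modified time.
type FileState struct {
	Path     string
	Modified time.Time
}

// SelectForBackup returns the paths a backup run of the given mode must copy.
// lastFull is when the most recent full backup ran; lastAny is when the most
// recent backup of any kind ran. Incremental copies only what changed since
// lastAny, which is why it is the smallest and fastest of the three.
func SelectForBackup(files []FileState, mode BackupMode, lastFull, lastAny time.Time) []string {
	var out []string
	for _, f := range files {
		switch mode {
		case Full:
			out = append(out, f.Path)
		case Differential:
			if f.Modified.After(lastFull) {
				out = append(out, f.Path)
			}
		case Incremental:
			if f.Modified.After(lastAny) {
				out = append(out, f.Path)
			}
		}
	}
	return out
}

// Copy records where one copy of the dataset is kept.
type Copy struct {
	Name    string
	Media   string // e.g. "disk", "tape", "object-storage"
	Offsite bool
}

// Check321 lists each part of the 3-2-1 rule the given copies fail to satisfy;
// an empty result means the rule is met.
func Check321(copies []Copy) []string {
	var gaps []string
	if len(copies) < 3 {
		gaps = append(gaps, fmt.Sprintf("only %d copies, need 3", len(copies)))
	}
	media := map[string]bool{}
	offsite := 0
	for _, c := range copies {
		media[c.Media] = true
		if c.Offsite {
			offsite++
		}
	}
	if len(media) < 2 {
		gaps = append(gaps, fmt.Sprintf("only %d media type, need 2", len(media)))
	}
	if offsite == 0 {
		gaps = append(gaps, "no offsite copy")
	}
	return gaps
}

func main() {
	day := func(d int) time.Time { return time.Date(2024, 1, d, 0, 0, 0, 0, time.UTC) }
	// Constructed dataset. Last full backup ran on day 1 and the last backup of
	// any kind on day 3; a file modified exactly at day 1 was captured by the full.
	files := []FileState{
		{"labs/2023-12.csv", day(1)},
		{"imaging/scan-0001.dcm", day(2)},
		{"notes/visit-0002.txt", day(4)},
	}
	names := map[BackupMode]string{Full: "full", Differential: "differential", Incremental: "incremental"}
	for _, mode := range []BackupMode{Full, Differential, Incremental} {
		fmt.Printf("%-12s -> %v\n", names[mode], SelectForBackup(files, mode, day(1), day(3)))
	}
	// Two copies on the same media, both on site: every part of 3-2-1 is missed.
	copies := []Copy{{"primary", "disk", false}, {"nas-mirror", "disk", false}}
	fmt.Println("3-2-1 gaps:", Check321(copies))
}
```

Running it shows the full run copying all three files, the differential run copying the two changed since the full, and the incremental run copying only the file changed since the day-3 backup; the 3-2-1 check reports three gaps for the disk-only, on-site pair.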
4. Adhere to data retention requirements
State and federal guidelines inform how long data must be stored and maintained. At the federal level, retention requirements stem from the Centers for Medicare & Medicaid Services (CMS), the Occupational Safety and Health Administration (OSHA), and HIPAA:
CMS requires healthcare providers to maintain medical records for at least five years.
OSHA’s hazardous substance rules require that employee exposure records be kept for 30 years.
HIPAA-associated records must be kept for six years.
A key point of confusion is the retention requirements for medical records versus other HIPAA-associated records. Examples of HIPAA-related documentation include risk assessments, notices of privacy practices, BAAs, and PHI disclosure authorizations, among others.
Data retention requirements vary at the state level and can also be influenced by the type of covered entity. For example, physicians in Texas must retain medical records for seven years following their practice’s last contact with the patient. Hospitals in the same state, however, must keep medical records for 10 years.
5. Secure access and permission
Access control measures and other security permissions ensure that only authorized individuals can store, retrieve, and use healthcare data. Limiting access to computer networks, system files, and organizational data is typically governed by the principle of least privilege (POLP): each user receives only the access their role requires and nothing more.
Each user has individual credentials, and permissions are granted through defined user roles. Defining who can access certain folders and documents ensures that sensitive information doesn’t fall into the wrong hands, even within the company.
Permission-based user roles also make it easy to monitor and audit access controls. Because permissions and access privileges are assigned to a specific individual user, healthcare organizations can track user activity using audit logs. This makes it easy for IT teams to detect and remedy unusual behavior, noncompliance, and other questionable user activity that could lead to data loss.
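Here is an added example, not taken from the article or from WinZip, of the pattern described in this section: a small role-based authorizer that grants each role only the permissions its job needs, writes every decision (allowed or denied) to an audit log, and offers one simple review query, users with repeated denials, of the kind an IT team would run over that log. The roles, user IDs, and resource names are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"time"
)

// Permission names one action on one class of data.
type Permission string

const (
	ReadRecord   Permission = "record:read"
	WriteRecord  Permission = "record:write"
	ExportRecord Permission = "record:export"
	ManageUsers  Permission = "user:manage"
)

// rolePermissions is a constructed role set; each role gets only what the job
// needs. Note that the IT administrator can manage accounts but cannot read PHI.
var rolePermissions = map[string][]Permission{
	"nurse":    {ReadRecord, WriteRecord},
	"billing":  {ReadRecord},
	"it-admin": {ManageUsers},
}

type User struct {
	ID   string
	Role string
}

// AuditEntry is one line of the access log: who tried what, on which resource, and the outcome.
type AuditEntry struct {
	When     time.Time
	User     string
	Action   Permission
	Resource string
	Allowed  bool
}

// Authorizer makes access decisions from role membership and records every
// decision, allowed or denied, so the log can be reviewed later.
type Authorizer struct {
	Log []AuditEntry
	Now func() time.Time // injectable clock; defaults to time.Now
}

// Authorize returns whether u may perform p on resource, and logs the decision.
func (a *Authorizer) Authorize(u User, p Permission, resource string) bool {
	allowed := false
	for _, have := range rolePermissions[u.Role] {
		if have == p {
			allowed = true
			break
		}
	}
	now := time.Now
	if a.Now != nil {
		now = a.Now
	}
	a.Log = append(a.Log, AuditEntry{now(), u.ID, p, resource, allowed})
	return allowed
}

// RepeatedDenials returns users with at least threshold denied requests in the
// log. Repeated denials are one simple signal of a misconfigured role or of an
// account reaching for data outside its job, and a starting point for review.
func (a *Authorizer) RepeatedDenials(threshold int) map[string]int {
	counts := map[string]int{}
	for _, e := range a.Log {
		if !e.Allowed {
			counts[e.User]++
		}
	}
	for u, n := range counts {
		if n < threshold {
			delete(counts, u)
		}
	}
	return counts
}

func main() {
	var az Authorizer
	nurse := User{"n.patel", "nurse"}
	clerk := User{"b.jones", "billing"}
	fmt.Println("nurse read:", az.Authorize(nurse, ReadRecord, "patient/0001"))
	fmt.Println("nurse export:", az.Authorize(nurse, ExportRecord, "patient/0001"))
	for i := 0; i < 3; i++ {
		az.Authorize(clerk, WriteRecord, fmt.Sprintf("patient/%04d", i))
	}
	for _, e := range az.Log {
		fmt.Printf("%s user=%s action=%s resource=%s allowed=%t\n",
			e.When.Format(time.RFC3339), e.User, e.Action, e.Resource, e.Allowed)
	}
	fmt.Println("users with repeated denials:", az.RepeatedDenials(3))
}
```

Two design points carry the section's argument: denials are logged as faithfully as grants, because the denied attempts are usually the interesting ones, and the administrator role deliberately lacks record access, which is what least privilege looks like when applied to the people who run the systems.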
WinZip Enterprise supports data storage best practices
Secure data storage relies on solutions such as WinZip® Enterprise. A complete set of enterprise-grade tools, WinZip Enterprise empowers IT admins with custom configurations. This enables you to set and enforce security standards for all users based on internal security controls.
WinZip Enterprise protects data at rest and in transit using the Advanced Encryption Standard (AES), the industry-standard encryption algorithm for data security. According to the National Institute of Standards and Technology (NIST), AES encryption is the best option for meeting HIPAA encryption requirements.
Learn how WinZip Enterprise helps healthcare organizations implement and maintain data storage best practices.