The most frequent cause of health data breach accidents is an insider. About half of these accidents are a result of an error by insiders while the other half are a result of wrongdoing. Obviously, we should prevent accidents by both causes. (Read: Insiders: the Most Frequent Reason for HIPAA Data Breach)
First, health data should not be stored in scattered PCs, but should be stored separately from other data in a securely reinforced storage computer. This has a decided advantage to keep not only confidentiality but also integrity and availability, which are required in the security rules of HIPAA.
A file server could be a good option, after it is reinforced with some actions, as follows. Access to and permission to edit the data should be controlled. File versioning is needed to keep data integrity against intentional alteration or deletion of the data. The data should be backed up in real time or regularly to keep data availability. And finally, the network for storage should be separated physically/logically and encrypted to protect against attack from outsiders.
Secudrive File Server makes it possible to manage users’ rights of copying, printing, screen capturing and network transferring to use files in the file server. File activity logs are monitored at a glance and stored in real time so that they could be very helpful for audits. When data is transmitted to the outside, it provides encrypted data transfer under approval by the authority. In addition, whitelisting to enable specific applications to be used in the server can protect the data against attack by ransomware.
When data needs to be taken outside using a USB flash drive, Secudrive USB could be used to prevent users from unauthorized copying, printing, screen capture or network transfer of data on the USB flash drive to others, even in an ‘out of sight’ environment. Usage logs are gathered and monitored in real time through the network. When offline, the logs are gathered in the secure zone of the USB flash drive. When it comes back to the office, an administrator can view what the user had done with the USB flash drive. If the USB flash drive is stolen or lost, the data on it can be destroyed remotely. Of course, the USB flash drive is hardware encrypted, requiring a password to see the data. Secudrive USB Management Server provides a central management environment to manage the security policy of scattered USB flash drives and to monitor their real-time usage.
Because external hard drives, USB flash drives, and smartphones can be connected to PCs through USB ports, they could be used to take data from a PC. Secudrive Device Control can block the USB ports, ensuring that only secure USB Flash drives like the Secudrive USB flash drive can be used. For a coworker off site, an access-controlled account can be made for him/her in the file server to share files. This is much more secure than using email or public cloud service to share data.
Finally, educating insiders about security should be a top priority to prevent health data breaches by insiders. Data should be classified to be kept secure and access and rights to classified data should be allocated to the right persons. Administrative works should be done and updated regularly. In the ongoing administrative process, Secudrive could be an easy and cost-effective solution for small and medium healthcare organizations to mitigate the risk of a data breach by insiders in accordance with the technical safeguards of the security rules of HIPAA.
Blogs relating to HIPAA
Data Destruction for HIPAA Compliance
Insiders: the Most Frequent Reason for HIPAA Data Breach
the Costs of Data Breaches and Violation against HIPAA
The Primary Threats to Data Breaches of Protected Healthcare Information(PHI)
The Three Safeguards of the HIPAA Security Rule Summarized