More than four years removed from the end of the beginning of the national Health Insurance Portability and Accountability Act (HIPAA) experience, the legislation’s requirements regarding data security continue to baffle clinicians in thrilling new ways from month to month. To describe recent progress in this area as “glacial” would be a gross insult to glaciers. A recent poll by Phoenix Health Care Systems
, found that 44% of providers are still not compliant with the HIPAA Security Rule finalized in February 2003—a stirring improvement of 1% since January 2006. Because failure to protect sensitive patient data may have practical and ethical implications quite apart from those associated with HIPAA, the issue of data protection has never been more critical. Changing interpretations of HIPAA guidelines, and the continuing evolution of the technology used by and against would-be data thieves, means that constant attention is necessary; a practice that is airtight today may be vulnerable tomorrow. Among the key issues of the moment:Continuous Data Protection
By now, most practices are aware that the creation of backup copies of important data is a critical defense against data theft, destruction, or corruption. Generally, backups are created at pre-specified intervals; a typical practice might backup data once every 24 hours. Unfortunately, the eight-hour workday is fast becoming an outmoded concept; physicians may work at any time, and it is often the most recent data that is the most valuable. If a periodic backup is scheduled for 5:00pm, and data corruption occurs at 3:15pm, all changes entered in the 20+ hours since the last backup may be lost.
Continuous data protection (CDP) is a concept designed to deal with this problem. CDP solutions create a real-time record of all changes made to every file by automatically saving a fresh backup copy to a secure independent location after each change. In practical terms, this means that the user can instantly restore a file to any point in time— be it minutes, days, or weeks earlier. Because CDP systems save only the changes to a given file instead of saving the entire file each time
(if a user changes only three bytes of a 500GB file, CDP will save only three bytes), this approach will also save disk space. CDP is different from other data protection strategies, such as the Redundant Array of Independent Drives (RAID) concept or replication/mirroring, which create copies of the most recent changes only. Whereas CDP can restore data to a point prior to corruption or damage, these other approaches can only restore the corrupted or damaged data.
Until fairly recently, the market leader in the area of CDP was EMC
; an outstanding EMC white paper
exploring CDP in more detail may be found. In 2005, Goliath entered the ring with the launch of IBM’s Tivoli solution
. Some products marketed as CDP allow only restoration to pre-specified time-points; users interested in the ability of CDP to restore to any point in time should be sure that any product they purchase actually has this ability.Removable Media
Data theft is a significant concern for business in general. A 2005 Computer Security Institute/FBI report estimated that approximately one-quarter of all information security-related financial damages derived from the theft of proprietary information. In a simpler time, when storage devices were larger and limited in capacity, actual physical theft of computerized data was extremely difficult (imagine having to transfer a huge sensitive file onto dozens of 51/4" floppy disks). The recent proliferation of fl ash drives and other inconspicuous devices capable of storing very large amounts of information—a typical 51/4" fl oppy could store about 100KB of information, while the iPhone boasts internal fl ash memory of up to 8GB, or nearly one million times as much storage space—and interacting with a wide range of other devices has made it much easier for would-be information thieves.
In its Guidance on the subject
, the Department of Health and Human Services suggests that “covered entities should be extremely cautious about allowing the off site use of, or access to, electronic protected health information (EPHI).” However, completely outlawing the use of removable media may be counterproductive—a flash drive may allow a physician to legitimately review a series of case files out-of-office, or allow for quick sharing of relevant data among treatment team members—so providers must develop policies and procedures for managing this kind of risk, including restricting use of removable media not justifiable from a work standpoint. In some cases, providers may wish to institute an IT system in which an administrator controls and monitors all access to removable hardware.The Minimum Necessary Standard