Achieve HIPAA compliance while keeping data secure

Hospital data protection policy must bond storage and mobile

The secure handling of mobile data -- and related information protection requirements from HIPAA -- leads to the need for examining a healthcare organization's storage technology.

On the surface, the subjects of mobile device use, security and its effect on patient care would seem to be far removed from a discussion of storage, but in reality the topics are tightly intertwined within a data protection policy.

In fact, the storage-related challenges posed by mobile device use are really two-fold. First and foremost, IT professionals must work to ensure the security of a healthcare organization's data. Second, they must guard against data loss.

Generally, hospitals dealing with mobile data should adopt two broad storage technologies:

  • Software that replicates mobile data to the back end.
  • Data deduplication capabilities to reduce the amount of storage needed.

Sync and dedupe data

From a data protection policy perspective, back-end systems must have the capacity to centrally store most, if not all, of the organization's data. The storage devices must also offer a sufficient level of input/output operations per second (IOPS) to provide access to the data with acceptable responsiveness. IOPS is a common way to gauge storage performance.

The bigger challenge for health IT professionals is to protect data that is created or stored on mobile devices. Many organizations achieve such protection through the use of enterprise file sync-and-share software. Such software automatically replicates data that is stored on a mobile device to a back-end file server.

Given the native storage capacity of commonly used mobile devices and the sheer number of these devices in use in healthcare, the amount of space required on back-end systems can be significant. As such, it is best practice to use storage deduplication to reduce the data's storage footprint.
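To make the sync-and-dedupe idea concrete, here is an added example (not code from the article or from any named product) of a content-addressed chunk store of the kind a sync-and-share back end uses: files replicated from several devices are cut into fixed-size chunks, each chunk is stored once under its SHA-256 hash, and a per-file manifest records the chunk order so the file can be restored. The device names, file paths, the 64-byte chunk size and the sample records are all constructed for the demonstration; real systems use kilobyte-sized chunks.

```python
"""Chunk-level deduplicated store: added illustration, not the article's or any vendor's code."""
import hashlib
from dataclasses import dataclass, field

CHUNK_SIZE = 64  # constructed: tiny so the sample data below dedupes visibly


@dataclass
class DedupStore:
    """Content-addressed back-end store: identical chunks are written once."""
    chunks: dict = field(default_factory=dict)     # sha256 hex -> chunk bytes (stored once)
    manifests: dict = field(default_factory=dict)  # (device, path) -> ordered chunk hashes
    logical_bytes: int = 0                         # bytes as the devices see them

    def ingest(self, device: str, path: str, data: bytes) -> int:
        """Replicate one file from a device; return how many *new* chunks hit the back end."""
        key = (device, path)
        if key in self.manifests:  # re-sync of an existing file: replace its logical size
            self.logical_bytes -= sum(len(self.chunks[h]) for h in self.manifests[key])
        new_chunks = 0
        hashes = []
        for off in range(0, len(data), CHUNK_SIZE):
            chunk = data[off:off + CHUNK_SIZE]
            h = hashlib.sha256(chunk).hexdigest()
            if h not in self.chunks:
                self.chunks[h] = chunk
                new_chunks += 1
            hashes.append(h)
        self.manifests[key] = hashes
        self.logical_bytes += len(data)
        return new_chunks

    def restore(self, device: str, path: str) -> bytes:
        """Rebuild a file from its manifest (what a restore after device loss would do)."""
        return b"".join(self.chunks[h] for h in self.manifests[(device, path)])

    def physical_bytes(self) -> int:
        return sum(len(c) for c in self.chunks.values())

    def dedup_ratio(self) -> float:
        phys = self.physical_bytes()
        return self.logical_bytes / phys if phys else 0.0


def _padded(lines, fill: bytes) -> bytes:
    """Pad each constructed line to exactly one chunk so chunk boundaries are predictable."""
    return b"".join(line.ljust(CHUNK_SIZE, fill) for line in lines)


# Constructed sample content: a shared form template plus per-patient notes.
TEMPLATE = _padded([b"DISCHARGE INSTRUCTIONS (constructed sample)",
                    b"1. Take medication as directed",
                    b"2. Keep the wound dry for 48 hours",
                    b"3. Return if fever exceeds 38.5 C"], b".")
NOTE_1 = _padded([b"Patient note 1 (constructed)"], b" ")
NOTE_1_ADDENDUM = _padded([b"Addendum to note 1 (constructed)"], b" ")
NOTE_2 = _padded([b"Patient note 2 (constructed)"], b" ")


def run_demo() -> dict:
    """Sync two devices, then re-sync one file after an edit, and report footprint figures."""
    store = DedupStore()
    new = [
        store.ingest("tablet-A", "notes/patient1.txt", TEMPLATE + NOTE_1),            # all new
        store.ingest("phone-B", "notes/patient2.txt", TEMPLATE + NOTE_2),             # template shared
        store.ingest("tablet-A", "notes/patient1.txt", TEMPLATE + NOTE_1 + NOTE_1_ADDENDUM),  # appended
    ]
    assert store.restore("tablet-A", "notes/patient1.txt") == TEMPLATE + NOTE_1 + NOTE_1_ADDENDUM
    return {
        "new_chunks": new,
        "logical_bytes": store.logical_bytes,
        "physical_bytes": store.physical_bytes(),
        "dedup_ratio": round(store.dedup_ratio(), 3),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two points worth noticing: the second device's copy of the template costs one new chunk rather than five, and the re-sync after an edit costs only the appended chunk, which is what makes frequent backups of many devices affordable. Fixed-size chunking is the simplest scheme; an insertion in the middle of a file shifts every later boundary, which is why production deduplication usually uses content-defined chunk boundaries instead.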

HIPAA-compliant storage

HIPAA imposes severe penalties for data leaks, accidental or otherwise. This is especially concerning when it comes to mobile device use, because smartphones and similar items can have huge internal storage capacities. If such a device stores data and someone loses or steals the device, then the data is at risk of being compromised.

As part of their data protection policy, healthcare organizations should work to prevent data from being stored on mobile devices whenever possible. Ideally, data should be saved to a back-end server rather than being stored internally.

However, imposing such a rule on everyone in the organization might not always be practical. Imagine, for example, a doctor who works in different facilities on different days and who doesn't always have connectivity to the back-end systems. In such situations, a physician may need to temporarily store patient records on a mobile device and may even use the device for data creation.

Creating data on a mobile device brings its own concerns. If a physician uses a mobile device for data creation and then accidentally drops the device on the floor before the information has been backed up, then the data could be gone for good. As such, the ongoing backups of mobile devices that contain data must be a priority for healthcare IT departments.

Nuances between storage and protection

HIPAA doesn't require healthcare organizations to secure all data. Uniquely identifiable patient data is protected under HIPAA, while more generalized data is not.

Also, if a device contains data protected under HIPAA, the loss of such a device is not a data breach so long as the device is encrypted.

Given these guidelines, healthcare IT professionals must establish acceptable use policies and security policies for mobile devices, and these strategies tie into storage.

For example, acceptable use policies must govern which users are allowed to store sensitive data on their devices. Conversely, security policies should address automated mechanisms that apply security settings to any device that falls under the organization's jurisdiction.
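The two policy layers described in this section (an acceptable use policy deciding who may hold sensitive data locally, and an automated security policy that pushes settings to every managed device) can be expressed as a small evaluator run over the device inventory. The following is an added example, not code from the article or from any MDM product; the role list, the required settings, the finding names and the sample devices are all constructed assumptions.

```python
"""Mobile device policy evaluator: added illustration, not the article's or any product's code."""
from dataclasses import dataclass

# Constructed acceptable use policy: roles permitted to store protected data on a device.
PHI_ALLOWED_ROLES = {"physician", "nurse"}
# Constructed security policy: settings pushed to every managed device.
REQUIRED_SETTINGS = {
    "disk_encryption": True,
    "remote_wipe": True,
    "screen_lock_seconds": 300,  # treated as a maximum idle time, not an exact value
}
# Constructed triage ordering: unencrypted protected data on a lost device ranks highest.
PRIORITY = {"lost_unencrypted_phi": 4, "aup_violation": 3, "settings_drift": 2,
            "lost_encrypted_phi": 1, "lost_no_phi": 1}


@dataclass
class Device:
    device_id: str
    role: str        # role of the assigned user
    holds_phi: bool  # protected data is stored locally (e.g. offline records)
    lost: bool       # reported lost or stolen
    settings: dict   # settings as last reported by the device


def settings_drift(dev: Device) -> dict:
    """Return the settings the security policy must re-apply to this device."""
    fixes = {}
    for key, required in REQUIRED_SETTINGS.items():
        actual = dev.settings.get(key)
        if key == "screen_lock_seconds":
            if actual is None or actual > required:
                fixes[key] = required
        elif actual != required:
            fixes[key] = required
    return fixes


def evaluate(dev: Device) -> dict:
    """Apply both policies to one device and return findings plus remediation."""
    findings = []
    encrypted = dev.settings.get("disk_encryption") is True
    if dev.holds_phi and dev.role not in PHI_ALLOWED_ROLES:
        findings.append("aup_violation")  # user is not permitted to hold data locally
    if dev.lost:
        if not dev.holds_phi:
            findings.append("lost_no_phi")
        elif encrypted:
            findings.append("lost_encrypted_phi")    # encrypted: loss is not a breach per the article
        else:
            findings.append("lost_unencrypted_phi")  # unencrypted: data at risk, escalate
    drift = settings_drift(dev)
    if drift:
        findings.append("settings_drift")
    return {
        "findings": findings,
        "remediate": drift,
        "priority": max((PRIORITY[f] for f in findings), default=0),
    }


COMPLIANT = {"disk_encryption": True, "remote_wipe": True, "screen_lock_seconds": 120}

# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Device("tab-01", "physician", holds_phi=True, lost=False, settings=dict(COMPLIANT)),
    Device("phone-02", "billing", holds_phi=True, lost=False, settings=dict(COMPLIANT)),
    Device("phone-03", "nurse", holds_phi=True, lost=True,
           settings={"disk_encryption": False, "remote_wipe": True, "screen_lock_seconds": 300}),
    Device("tab-04", "physician", holds_phi=True, lost=True,
           settings={"disk_encryption": True, "remote_wipe": True, "screen_lock_seconds": 900}),
]


def evaluate_inventory(devices=SAMPLE_INVENTORY) -> dict:
    """Evaluate every device; result is keyed by device id."""
    return {d.device_id: evaluate(d) for d in devices}


if __name__ == "__main__":
    for device_id, result in evaluate_inventory().items():
        print(device_id, result)
```

The evaluator separates the two concerns the section draws: the acceptable use rule is a question about the user (a billing-role user holding protected data is flagged even though the device itself is compliant), while the security rule is a question about the device (drift from the pushed settings yields a concrete remediation list). The lost-device branch encodes the article's encryption condition: a lost encrypted device is recorded and remediated at low priority, a lost unencrypted one with protected data is the top of the queue.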
