Storing Member PHI Securely
As a healthcare organization, we have a responsibility to protect the sensitive personal health information (PHI) of our members. This includes taking steps to store and transmit PHI securely.
Using External Hard Drives
One option for storing member PHI is to use an external hard drive. External hard drives provide a physical storage location separate from your main computer hard drive.
When using an external hard drive, be sure to take steps to secure the drive:
– Encrypt the external hard drive using a strong encryption method like AES-256. This will scramble the data so only authorized users can access it.
– Store the external hard drive in a secure, locked location when not in use. This prevents unauthorized access.
– Consider using a hard drive with built-in encryption and password protection. Some drives offer this natively.
– Create a strong password for the hard drive, using a mix of letters, numbers and symbols. Don’t use an easy to guess password.
– Limit access to the hard drive by only allowing authorized users. Track who can access it.
– Physically destroy and safely dispose of old external hard drives that contain PHI. Don’t just delete the files.
By taking these precautions, external hard drives can provide a secure way to back up and store PHI offline. Make sure to test that you can reliably access data on the external drive as well.
Using Cloud Storage Services
Cloud storage services like Google Drive, Dropbox, iCloud and OneDrive also allow you to store data securely online. When configured properly, these services offer strong encryption and access controls.
Here are some tips for using cloud storage with PHI:
– Review the cloud provider’s privacy and security policies. Only choose established, reputable providers.
– Select cloud accounts that offer robust encryption, like 256-bit AES. This scrambles data at rest and in transit.
– Enable 2-factor authentication on cloud accounts. This requires a second step like a code or biometric to log in.
– Set permissions on cloud folders housing PHI. Only allow access to authorized personnel.
– Use robust passwords and change them periodically. Don’t reuse passwords between accounts.
– Configure devices to wipe data after a set number of failed login attempts. This protects data on lost or stolen devices.
– Evaluate organizational policies regarding cloud storage. Some don’t allow storing PHI in the cloud.
– Consider using enterprise cloud tools like Google Workspace or Microsoft 365, which offer more control.
With proper configuration and security protocols, cloud storage can offer a flexible and secure way to store PHI and enable remote access. Be sure to weigh the risks and benefits when storing sensitive data in the cloud.
Conclusion
When leveraged properly, external hard drives and cloud storage services enable you to store member PHI securely while also making the data accessible to authorized personnel. The keys are using strong encryption, setting permissions to control access, using strong passwords, enabling 2FA, and physically securing external hard drives. With good security practices, these storage methods can help you protect sensitive data.
Establishing Usage Policies
In addition to implementing technical safeguards like encryption and access controls, it’s important to establish robust usage policies for external drives and cloud services used to store member PHI. Well-defined policies help ensure proper handling of sensitive data.
Usage policies should clearly outline:
– Who is authorized to access PHI stored on external drives or the cloud
– Levels of access (read-only, modify, delete) granted to each role
– Security protocols like never sharing passwords or writing them down
– Procedures for securely transferring PHI to authorized personnel
– Rules against storing PHI on unencrypted personal drives or accounts
– Protocols for regularly auditing access and modifying permissions
– Rules for physically securing external drives when not in use
– Procedures for wiping and destroying old external drives
– Mandatory training for employees on PHI handling policies
– Consequences for violating defined external drive and cloud usage policies
By educating personnel on proper protocols through clear policies, you reinforce secure habits when working with PHI in the cloud or on external drives.
Backing Up Data
Along with day-to-day usage policies, your protocols should cover backups of PHI stored on external or cloud drives. Backups provide redundancy and facilitate restores when data is corrupted or accidentally deleted.
Here are some backup best practices:
– Schedule regular automatic backups to complement manual backups
– Perform backups daily or weekly depending on data sensitivity
– Retain multiple generations of backups (ex. one month, three months, one year)
– Store backup drives or systems securely with the same precautions as primary drives
– Consider using a cloud backup provider for redundancy across locations
– Test restores from backups regularly to verify integrity
– Encrypt backup drives or accounts and protect with strong passwords
– Document backup procedures in case personnel need to perform restores
By incorporating backups into your file storage protocols, you can effectively guard against data loss scenarios. Storing backups away from primary systems provides geographic redundancy.
Conclusion
Storing member PHI on external drives and cloud services calls for comprehensive security and usage policies, employee training, and robust backup procedures. By proactively addressing administrative, technical, and physical safeguards, healthcare organizations can harness the convenience of modern file storage solutions while still upholding their duty to protect sensitive patient data. A multilayer data protection approach is key.
