Storing Member PHI Securely on External Storage
Using External Hard Drives
One option for storing member protected health information (PHI) is to use an external hard drive. There are some advantages to this approach:
Physical Security
With an external hard drive, you have a physical device that can be locked up and secured when not in use. This prevents unauthorized access to the drive and the PHI stored on it. The drive can be kept in a locked drawer or safe when not needed.
Portability
External drives are portable, so you can transport the PHI to different locations as needed. This allows you to access the data from multiple computers if required. You can use the drive to transfer data between office locations securely.
Backup
Storing member PHI on an external drive provides a backup if the internal computer drive fails or data is accidentally deleted. The data can easily be restored from the external drive backup. This protects against data loss incidents.
However, there are also risks to consider:
Unauthorized Access
If the external drive is lost or stolen, unauthorized individuals could access the sensitive data. Strong encryption must be used to secure the data.
Damage
External hard drives can fail or become physically damaged, leading to data loss if backups are not available. The data must therefore be backed up to a second external drive or cloud storage.
Using Cloud Storage Services
Another approach is to store member PHI using a cloud storage service such as Google Drive or Apple iCloud. There are advantages to this method:
Accessibility
Cloud data can be accessed conveniently from many locations and devices using a secure internet connection. This enables access to the data when needed for patient care.
Collaboration
Most cloud services enable file sharing and editing by multiple authorized users. This facilitates collaboration when needed for serving members.
Security
Reputable cloud providers have robust security controls to protect data and prevent unauthorized access. Data encryption, user authentication and access logging help safeguard PHI in the cloud.
But cloud storage also carries potential risks:
Internet Dependence
You must have an internet connection to access cloud data. If the internet connection fails, the data may not be accessible when needed for patient care.
Third-Party Control
The cloud provider manages and controls the storage infrastructure. This places your member data in another entity’s hands. Cloud services have suffered outages that block access to data for periods of time.
Conclusion
In summary, external hard drives and cloud storage services both offer secure options for storing member protected health information. When configured and managed properly, each method can provide the portability, accessibility and data protection required for safeguarding sensitive PHI. Careful planning is needed to ensure regulatory compliance and to maintain member confidentiality and privacy regardless of the storage approach used.
Additional Safeguards for External and Cloud Storage
While external hard drives and cloud services provide secure PHI storage options, additional safeguards should be implemented to further protect member data.
Access Controls
Robust access controls should be implemented for both external and cloud storage. PHI access should be restricted based on user roles and job functions. Authentication via strong passwords or multifactor authentication adds another layer of security. API keys should be rotated regularly for third-party cloud services.
Network Security
When transmitting PHI to external or cloud storage, use virtual private networks (VPNs) or encryption to secure data in transit over networks. Restrict outbound ports on firewalls and disable insecure connections. Network monitoring helps detect suspicious activity.
Vendor Due Diligence
Conduct thorough due diligence when selecting cloud service providers for PHI storage. Examine their information security controls, access policies, encryption methods, and liability terms. Obtain contractual guarantees for privacy and security.
Ongoing Audits
Regularly audit the security controls, user access logs, backup systems, and authorization procedures for external and cloud storage. Verify that only authorized users are accessing the PHI and that failed access attempts are logged.
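The access-log review described above, combined with the role-based restriction from the Access Controls section, can be scripted. This is an added example, not part of the original article; the log format, user names, role map and failure threshold are all constructed assumptions.

```python
from collections import Counter

# Constructed role assignments and role permissions (assumptions, not from the article).
USER_ROLES = {"akhan": "care_manager", "bsmith": "billing", "cdoe": "it_admin"}
ROLE_MAY_READ_PHI = {"care_manager": True, "billing": True, "it_admin": False}

# Constructed access-log sample: timestamp, user, action, file, result.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z akhan READ members/1001.pdf SUCCESS
2024-03-01T09:05:40Z cdoe READ members/1001.pdf SUCCESS
2024-03-01T09:07:02Z jroe READ members/1002.pdf FAILURE
2024-03-01T09:07:09Z jroe READ members/1002.pdf FAILURE
2024-03-01T09:07:15Z jroe READ members/1002.pdf FAILURE
2024-03-01T09:30:00Z bsmith READ members/1003.pdf SUCCESS
malformed line
"""

FAILURE_THRESHOLD = 3  # assumed review threshold for repeated failed attempts


def audit(log_text):
    """Return (unauthorized_successes, users_with_repeated_failures, unparsed_lines)."""
    unauthorized, failures, unparsed = [], Counter(), []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] not in ("SUCCESS", "FAILURE"):
            unparsed.append(line)  # keep unreadable lines visible to the auditor
            continue
        ts, user, action, path, result = parts
        if result == "FAILURE":
            failures[user] += 1
            continue
        # Unknown users and unknown roles get no access (deny by default).
        role = USER_ROLES.get(user)
        if not ROLE_MAY_READ_PHI.get(role, False):
            unauthorized.append((ts, user, path))
    repeated = sorted(u for u, n in failures.items() if n >= FAILURE_THRESHOLD)
    return unauthorized, repeated, unparsed


if __name__ == "__main__":
    unauthorized, repeated, unparsed = audit(SAMPLE_LOG)
    print("Successful access outside role:", unauthorized)
    print("Repeated failed attempts:", repeated)
    print("Lines needing manual review:", unparsed)
```

A successful read by an account whose role does not include PHI access is the finding that matters most here, because it means an access control is missing rather than merely being tested.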
Contingency Planning
Develop contingency plans to ensure PHI remains available if something happens to external drives or cloud services. This includes backups, alternative storage methods, and emergency procedures. Test contingency plans regularly.
Storage Device Disposal
When disposing of old external storage devices, use secure methods to destroy the devices or wipe the PHI completely. This prevents data leakage when equipment is discarded. Cloud PHI should also be deleted as required when no longer needed.
Compliance Reviews
Conduct periodic compliance reviews of the PHI storage methods, including auditing security controls, updating risk assessments, and identifying new regulatory requirements. Ensure storage procedures comply with evolving legal and compliance obligations.
User Training
Train staff on proper security protocols for accessing, transmitting, storing, and working with PHI on external and cloud platforms. Educate them on data privacy principles, access controls, and incident reporting. Test their understanding.
Incident Response Plan
Have a response plan in place in case PHI is compromised or exposed on external or cloud storage. The plan should outline containment, investigation, and notification procedures for such an incident.
Key Considerations for Protecting PHI
Following best practices for access controls, multi-factor authentication, encryption, auditing, training, and contingency planning is essential for properly securing PHI on external hard drives or in the cloud. Staying current on regulations, continuously monitoring storage safeguards, and preparing incident response plans also help reinforce PHI protections for patients.