Storing Member PHI Securely on External Storage

Using External Hard Drives

One option for storing member protected health information (PHI) is to use an external hard drive. There are some advantages to this approach:

Physical Security

With an external hard drive, you have a physical device that can be locked up and secured when not in use. This prevents unauthorized access to the drive and the PHI stored on it. The drive can be kept in a locked drawer or safe when not needed.

Portability

External drives are portable so you can transport the PHI to different locations as needed. This allows you to access the data from multiple computers if required. You can use the drive to transfer data between office locations securely.

Backup

Storing member PHI on an external drive provides a backup if the internal computer drive fails or data is accidentally deleted. The data can easily be restored from the external drive backup. This protects against data loss incidents.

However, there are also risks to consider:

Unauthorized Access

If the external drive is lost or stolen, unauthorized individuals could access the sensitive data. Strong encryption must be used to secure the data.

Damage

External hard drives can fail or become physically damaged, leading to data loss if backups are not available. So the data must be backed up to a second external drive or cloud storage.

Using Cloud Storage Services

Another approach is to store member PHI using a cloud storage service such as Google Drive or Apple iCloud. There are advantages to this method:

Accessibility

Cloud data can be accessed conveniently from many locations and devices using a secure internet connection. This enables access to the data when needed for patient care.

Collaboration

Most cloud services enable file sharing and editing by multiple authorized users. This facilitates collaboration when needed for serving members.

Security

Reputable cloud providers have robust security controls to protect data and prevent unauthorized access. Data encryption, user authentication and access logging help safeguard PHI in the cloud.

But cloud storage also carries potential risks:

Internet Dependence

You must have an internet connection to access cloud data. If the internet connection fails, the data may not be accessible when needed for patient care.

Third-Party Control

The cloud provider manages and controls the storage infrastructure. This places your member data in another entity’s hands. Cloud services have suffered outages that block access to data for periods of time.

Conclusion

In summary, external hard drives and cloud storage services both offer secure options for storing member protected health information. When configured and managed properly, each method can provide the portability, accessibility and data protection required for safeguarding sensitive PHI. Careful planning is needed to ensure regulatory compliance and that member confidentiality and privacy are maintained regardless of the storage approach used.

Additional Safeguards for External and Cloud Storage

While external hard drives and cloud services provide secure PHI storage options, additional safeguards should be implemented to further protect member data.

Access Controls

Robust access controls should be implemented for both external and cloud storage. PHI access should be restricted based on user roles and job functions. Authentication via strong passwords or multifactor authentication adds another layer of security. API keys should be rotated regularly for third party cloud services.

Network Security

When transmitting PHI to external or cloud storage, use virtual private networks (VPNs) or encryption to secure data in transit over networks. Restrict outbound ports on firewalls and disable insecure connections. Network monitoring helps detect suspicious activity.

Vendor Due Diligence

Conduct thorough due diligence when selecting cloud service providers for PHI storage. Examine their information security controls, access policies, encryption methods, and liability terms. Obtain contractual guarantees for privacy and security.

Ongoing Audits

Regularly audit the security controls, user access logs, backup systems, and authorization procedures for external and cloud storage. Verify that only authorized users are accessing the PHI and that failed access attempts are logged.

Contingency Planning

Develop contingency plans to ensure PHI remains available if something happens to external drives or cloud services. This includes backups, alternative storage methods, and emergency procedures. Test contingency plans regularly.

Storage Device Disposal

When disposing of old external storage devices, use secure methods to destroy the devices or wipe the PHI completely. This prevents data leakage when equipment is discarded. Cloud PHI should also be deleted as required when no longer needed.

Compliance Reviews

Conduct periodic compliance reviews of the PHI storage methods, including auditing security controls, updating risk assessments, and identifying new regulatory requirements. Ensure storage procedures comply with evolving legal and compliance obligations.

User Training

Train staff on proper security protocols for accessing, transmitting, storing, and working with PHI on external and cloud platforms. Educate them on data privacy principles, access controls, and incident reporting. Test their understanding.

Incident Response Plan

Have a response plan in place in case PHI is compromised or exposed on external or cloud storage. The plan should outline containment, investigation, and notification procedures for such an incident.

Key Considerations for Protecting PHI

Following best practices for access controls, multi-factor authentication, encryption, auditing, training, and contingency planning are essential for properly securing PHI on external hard drives or the cloud. Staying current on regulations, continuously monitoring storage safeguards, and preparing incident response plans also help reinforce PHI protections for patients.