HIPAA requires that data backup providers and healthcare professionals share responsibility for data security.

Responsibility for patient data backup is shared under HIPAA

Stephen Perkins

The rush to beat the pending Health Insurance Portability and Accountability Act compliance deadline has many healthcare providers looking for answers to how they can ensure that their data backup solution will be secure, Kamal Shah wrote in Infosecurity Magazine.

The updated law takes effect on Sept. 23 and requires business associates providing cloud backup to assume shared responsibility for protecting their clients' personal health information, and to assume liability if data backup security is violated. Even though the designated data storage provider shares responsibility for data security, part of the burden still remains on the shoulders of healthcare providers. The law's requirement that healthcare data be readily available to professionals on the cloud is intended to improve patient care, but the possibility of data storage breaches leaves companies liable to being cited for compliance violations.

"At the same time, healthcare organizations have an obligation to make sure that their use of cloud services is secure and that personal health information is fully protected," Shah wrote. "The risks are huge if they don't get this right. Any exposure of PHI is deemed a violation of HIPAA compliance, which can lead to steep fines and other costs for the healthcare service provider, not to mention the loss of trust and confidence of its patients."

Healthcare providers can protect themselves from compliance issues by determining whether they already use offsite backup services in any capacity and what risks those might entail. Shah recommended that they also analyze cloud usage to ensure that policies are being followed and that they establish access controls limiting who can access information and what devices they can use.

The Cost of Recovery

Many healthcare providers do not fully grasp the process for disaster recovery in the event of a crash, data backup specialist Neal Bradbury wrote in MSPmentor. Recovery is often a costly and time-consuming process requiring multiple staff members to get a system up and running again, and excessive downtime can have a negative impact on patient confidence.

"Some will be surprised to learn that even though their data may be safely stored on a tape or in the cloud, it could take several days for them to recover from a server failure after adding up all the time necessary to order a new appliance, convert the data, load drivers, an operating system and other files onto the new appliance," Bradbury wrote.
