HIPAA doesn't imply that you can trust those in control, now does it?

12 October 2007

Joseph Nathaniel Harris, a former branch manager at the San Jose Medical Group in California, was sentenced to 21 months in prison and fines in excess of $145k US for stealing medical data. When Harris left his position after allegations that he'd been stealing money and medication from the facility, he is said to have stolen two computers and a DVD-ROM disk containing sensitive information about 187,000 patients, including Social Security numbers, medical histories, and diagnoses. The computers were found to have been sold for cash, but he kept the disk containing the patient data. Thankfully none of that data got out...

Okay. A quick lesson for everyone reading this: First of all, back up your data. Then back it up again to different media. This isn't terribly hard, people. Tapes are slow and expensive, but there are other ways, such as DVD-ROM disks and USB hard drives. Put one in a lockbox or safe on-site, and have someone take the other offsite; safe deposit boxes are good for storing backups.

Next, verify both sets of backups to make sure that they work before they're put into storage. The only way you'll know if a backup worked or not is to try to read it back from the media to see what's on it. If your backups don't work, you may as well have not tried to back up your data at all, and you're right back to where you started.

Third, use the encryption function of your backup software so that if someone does steal the backup media, it won't be worth their time to guess the passphrase. That's the whole point of building crypto into backup software - so that rogue elements in the organization can't monkey with backup media that no one will look at for weeks on end.
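The verification step above, sketched as an added example (not from the original post): it assumes the backup is a gzip-compressed tar archive and that a SHA-256 manifest of the source files is recorded at backup time, and the function names are illustrative. Encryption is left to the backup software, as recommended above.

```python
import hashlib, os, pathlib, tarfile, tempfile, zlib

def sha256_stream(fobj, chunk=1 << 20):
    """Hash a file object in chunks so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def make_backup(src_dir, archive_path):
    """Write src_dir to a .tar.gz; return a manifest {relative path: sha256 of source}."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
                with open(full, "rb") as f:
                    manifest[rel] = sha256_stream(f)
                tar.add(full, arcname=rel)
    return manifest

def verify_backup(archive_path, manifest):
    """Read every file back out of the archive; return a list of problems ([] = good)."""
    problems, seen = [], set()
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in (m for m in tar if m.isfile()):
                seen.add(member.name)
                if member.name not in manifest:
                    problems.append(f"unexpected: {member.name}")
                elif sha256_stream(tar.extractfile(member)) != manifest[member.name]:
                    problems.append(f"mismatch: {member.name}")
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        # A damaged or truncated archive fails here instead of at restore time.
        problems.append(f"unreadable archive: {type(exc).__name__}")
    return problems + [f"missing: {p}" for p in sorted(set(manifest) - seen)]

def demo():
    """Constructed sample data: back up, verify, then truncate the archive and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src, archive = os.path.join(tmp, "src"), os.path.join(tmp, "backup.tar.gz")
        os.makedirs(src)
        pathlib.Path(src, "records.csv").write_bytes(os.urandom(4096))  # constructed data
        manifest = make_backup(src, archive)
        good = verify_backup(archive, manifest)
        os.truncate(archive, os.path.getsize(archive) // 2)  # simulate damaged media
        return good, verify_backup(archive, manifest)
```

Store the manifest separately from the media it describes, so that a damaged or swapped disk cannot also supply its own checksums.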

This might not be a threat that you can avoid entirely, because people will be people, but you can certainly mitigate the impact of such a thing happening.

UPDATE: There is an excellent article on data backups over at the Internet Storm Center.