written by Simon

The most frequent cause for health data breach accidents is an insider. About half of these accidents are a result of error by insiders while the other half are a result of wrongdoing. Obviously, we should prevent accidents by both causes. (Read: Insiders: the Most Frequent Reason for HIPAA Data Breach)

First, health data should not be stored in scattered PCs, but should be stored separate from other data in a securely reinforced storage computer. This has a decided advantage to keep not only confidentiality but also integrity and availability, which are required in the security rules of HIPAA.

A file server could be a good option, after it is reinforced with some actions, as follows. Access to and permission to edit the data should be controlled. File versioning is needed to keep data integrity against intentional alteration or deletion of the data. The data should be backed up in real time or regularly to keep data availability. And finally, the network for storage should be separated physically/logically and encrypted to protect against attack from outsiders.

Secudrive File Server makes it possible to manage users’ rights of copying, printing, screen capturing and network transferring to use files in the file server. File activity logs are monitored at a glance and stored in real time so that they could be very helpful for audits. When data is transmitted to the outside, it provides encrypted data transfer under approval by authority. In addition, whitelisting to enable specific applications to be used in the server can protect the data against attack by ransomeware.

When data needs to be taken outside using a USB flash drive, Secudrive USB could be used to prevent users from unauthorized copying, printing, screen capture or network transfer of data on the USB flash drive to others, even in an ‘out of sight’ environment. Usage logs are gathered and monitored in real time through the network. When offline, the logs are gathered in the secure zone of the USB flash drive. When it comes back to the office, an administrator can view what the user had done with the USB flash drive. If the USB flash drive is stolen or lost, the data on it can be destroyed remotely. Of course, the USB flash drive is hardware encrypted, requiring a password to see the data. Secudrive UMS provides a central management environment to manage the security policy of scattered USB flash drives and to monitor their real-time usage.

Because external hard drives, USB flash drives, and smartphones can be connected to PCs through USB ports, they could be used to take data from a PC. Secudrive Device Control can block the USB ports, ensuring that only secure USB Flash drives like the Secudrive USB flash drive can be used. For a coworker off site, an access-controlled account can be made for him/her in the file server to share files. This is much more secure than using email or public cloud service to share data.

Finally, educating insiders about security should be a top priority to prevent health data breaches by insiders. Data should be classified to be kept secure and access and rights to classified data should be allocated to the right persons. Administrative works should be done and updated regularly. In the ongoing administrative process, Secudrive could be an easy and cost-effective solution for small and medium healthcare organizations to mitigate risk of data breach by insiders in accordance with the technical safeguards of the security rules of HIPAA.