It’s not a question of will you lose your data – It’s only when. We all need protection against loss of documents, files, photos, financial information, diaries, emails or whatever we find worth preserving for ourselves or others (including our government).
- Water: Flooding or, more likely, plumbing problems, sewer backups or beverage spills.
- Hardware failures such as disk crashes: These can occur in dozens of ways. Disk recovery services usually are costly and rarely return data in usable form.
- The software that operates the hard disk and writes and reads the record can fail too, as can the operating system itself. (Google “blue screen of death” and “kernel panic.”)
- Burglary: Thieves are usually after what they can sell and will take your computer and any hard drives connected to it.
- Cats on keyboards, loss of electric power or surges (even quite small ones) and all manner of unknowable threats and “accidents.” (Citations: hundreds of YouTube videos.)
- Ourselves. PEBCAC is tech support’s term for our errors and ignorance – Problem Exists Between Computer And Chair. We lose our stuff and break it. We are forgetful and distractible and lose our stuff to mistyping, mis-clicking, misunderstanding and simple ignorance of poorly designed interfaces.
Perhaps the biggest threats to our data are forgetfulness and procrastination. If you work on a file for three weeks you will put a lot of effort into it but if your backups are done only monthly you may lose the whole thing half the time. The answer has two parts: off-site backups and automating the process.
How do online backup programs work?
After you sign up for a free trial (which offers the whole program, not a crippled version, because sellers want you to see how the features all work together), a small but multifunctional program with a usually simple interface is downloaded to your computer. It finds the files appropriate for backup (documents, photos, music, financial records, etc.) and ignores those that are inappropriate (the operating system and applications, which you would restore from their DVDs or other resources and which are copyrighted and copy-protected).
You can usually edit what it will save, either to reduce the space used on the servers, which you will pay for, or to save time and bandwidth on your Internet connection. A good program schedules the backups (for times when you are not using your Internet connection) and assures their frequency. It creates an encrypted version that no one can read, whether on your machine, in transit or on the servers of the company where it is stored.
When they arrive at those servers they are often re-encrypted at a higher level and stored in multiple servers in multiple locations for assured availability. In addition, those servers are kept much more physically secure than anything we could do at home or at the office. When you want to recover a file or folder, the program displays your backups on the servers. Your selections are resent to your computer, which then decrypts them.
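The file-selection step described above, as an added Python example (not code from any backup vendor or from the author). It goes beyond the text by comparing SHA-256 hashes against the previous run's manifest so that only changed files are uploaded; the extension list, excluded folder names and function names are assumptions for illustration.

```python
import hashlib
import os
import tempfile

# Assumed policy for this example; real products ship their own lists.
BACKUP_EXTENSIONS = {".doc", ".docx", ".pdf", ".txt", ".xls", ".jpg", ".png", ".mp3"}
EXCLUDED_DIRS = {"Windows", "Program Files", "Applications", "System", "Library"}

def sha256_of(path):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def plan_backup(root, previous_manifest):
    """Return (to_upload, new_manifest, missing); manifests map path -> SHA-256."""
    new_manifest = {}
    for current_dir, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into OS/application folders.
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        for name in filenames:
            full = os.path.join(current_dir, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in BACKUP_EXTENSIONS or os.path.islink(full):
                continue  # not user data, or a link pointing elsewhere
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            new_manifest[rel] = sha256_of(full)
    to_upload = sorted(p for p, h in new_manifest.items() if previous_manifest.get(p) != h)
    # Files that vanished locally may be accidental deletions: report, do not purge.
    missing = sorted(p for p in previous_manifest if p not in new_manifest)
    return to_upload, new_manifest, missing

def demo():
    """Constructed sample tree: two runs with an edit and a deletion in between."""
    with tempfile.TemporaryDirectory() as root:
        sample = {"notes/session.txt": b"v1", "photo.jpg": b"img",
                  "Program Files/readme.txt": b"x", "notes/tool.exe": b"bin"}
        for rel, data in sample.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(data)
        first, manifest, _ = plan_backup(root, {})
        with open(os.path.join(root, "notes/session.txt"), "wb") as handle:
            handle.write(b"v2")
        os.remove(os.path.join(root, "photo.jpg"))
        second, _, missing = plan_backup(root, manifest)
        return first, second, missing
```

The first run selects both user files, the second only the edited note, and the deleted photo is reported as missing rather than silently dropped from the backup set.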
Securely maintaining the privacy of our records is crucial for clinicians but complex. Secure from which threats?
Files stored in the cloud are all but immune to physical threats and all providers use very good encryption methods, making our files almost immune to theft or destruction. Therefore, the most important threat is unauthorized access, and so strong methods of authentication of identity – that the person seeking the file is indeed a person who has legal access – are needed.
Passphrases, two-factor authentication, chain-of-trust certificates and randomly-generated passwords are the current standards for protection.
There are, however, technologically sophisticated attacks to which these files are somewhat vulnerable, such as man-in-the-middle attacks, zero-day vulnerabilities and data mining, that are beyond this discussion. There are also “social engineering” approaches that try to trick people into revealing passwords. Before panic and immobility set in, common sense offers some reassuring points:
1. HIPAA states that Covered Entities must do a “risk analysis” for potential losses of privacy, i.e., unauthorized disclosures, and then develop “safeguards against foreseeable threats.” Note that this does not mean all possible threats.
2. HIPAA is “technologically neutral,” meaning it sets out goals but does not specify methods. For example, encryption is required by HITECH but the methods and levels are not specified.
3. What level of protection does the kind of information we record need? How dangerous would the loss of its confidentiality be? We clinicians have always been more protective of privacy than any other profession and this continues to be one of our great assets. We take our notes with confidentiality in mind. As a result, I think that most such disclosures, although perhaps embarrassing, would usually not be highly damaging.
4. What might hackers who might break into our files be seeking? Most hackers are not interested in our clients’ secrets; they search records to obtain financial and identity information to use or sell to others for financial gain such as opening credit card accounts. I think a hacker would know hospital records are a much richer source of this kind of data.
5. If the CIA wants to see your files they, or any law enforcement officer (due to the Patriot Act), can get them. And, in a legal proceeding you must surrender your passwords. For those clinicians who collect extremely sensitive information, the use of backup programs and servers outside the United States provides much better privacy protection. There is little we can do as clinicians but our political action may change these abuses and threats.
6. We must, as professionals, perform at the “standards of care” level but this does not require perfection or invulnerability. We must do perhaps a little more than our peers are doing. There are guidelines from our national organizations and governmental and non-governmental bodies about record keeping. If we do what is expected and meet the standards in this area we should be safe.
7. The question often arises, “Is this online storage company HIPAA-compliant?” The question does not have a “Yes” or “No” answer because:
a. These companies are not Covered Entities and so don’t need to “comply with” HIPAA.
b. They do accept our Protected Health Information and do something with it for us and so may be our “Business Associates” (BAs) under HIPAA rules. I say “may” because they do not see our Protected Health Information in unencrypted form. If it is encrypted on our machines before it is sent to them I believe it is no longer Protected Health Information.
Also, they do not need to read it in order to perform the services we contract them to do. The Postal Service, UPS, and FedEx and phone and Internet companies are not required to be Covered Entities and comply with the protections of HIPAA because they do not read/access the information in the letter, package, faxed or emailed documents. They are simply conduits.
c. HIPAA requires us to obtain agreements with our BAs essentially requiring a BA to agree to protect the PHI as we do. Most storage companies refuse to sign. I can understand the reluctance of many companies to become involved in an area of law that is unfamiliar, complex and risky. Should we avoid companies that are unwilling to sign? I don’t think so.
For the few companies that do advertise HIPAA-level protections, none (I believe) addresses only HIPAA concerns. They lump HIPAA in with the other federal privacy and records laws such as Sarbanes-Oxley and Dodd-Frank. Here is my perspective: Any company that complies with these much more demanding regulations and mentions HIPAA is almost certainly performing at the level we need to be an acceptable and safe BA. I think we can trust them even if they are unwilling to sign a BA Agreement.
Ed Zuckerman, Ph.D., is the author of The Paper Office: Forms, Guidelines, and Resources To Make Your Practice Work Ethically, Legally and Profitably. He may be reached through his website: www.TheCliniciansToolBox.com or by email at firstname.lastname@example.org.