What would happen if YOUR tapes were lost or stolen

If you are a healthcare facility that suffers a data breach, then you will be added to this list. (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html). I think this highlights an often overlooked issue with offsite tape archiving. Humans. If you put a human being into a workflow, you are also introducing the capability for human error.

These errors can be accidental loss, or damage. In my travels, I have talked with folks that are taking tapes home to their house every night as their offsite strategy. Or there are stories of folks that drive around collecting tapes from a number of remote sites. What happens if they have a car accident during these trips? What happens if they are robbed and those tapes are taken from their house? What happens if a natural disaster occurs and those tapes are destroyed? In most cases, this would constitute a data breach. Is your firm prepared to handle that?

These errors can be malicious as well. You let your backup admin go, and he has a bunch of these tapes at home which are now available to the next highest bidder. Or, someone at your office gets snubbed and wants to get even. Nothing better then a data center full of tapes that are pulled out of their cartridges. How many of your company assets are at home with your employees today? Are you tracking them? It’s a difficult job to ensure that all of your data is safe and secure, especially on something as portable as a tape cartridge.

To highlight the impact of this in healthcare, see the article outlined below. There are financial aspects, reputation aspects, and new capital and operational costs related to fixing the problems. Plan ahead and avoid all of this by properly protecting your data. Disk based, purpose-built backup appliances eliminate tape, and therefore can eliminate most of the human errors associated with handling the cartridges. Additionally, PBBAs are faster, more efficient, simple, and require minimal change to your infrastructure.

New York Breach Affects 1.7 Million
Largest Incident Reported So Far Under HITECH Rule February 14, 2011 – Howard Anderson, Executive Editor, HealthcareInfoSecurity.com
Some 1.7 million individuals are being notified of a health information breach incident involving data from The New York City Health and Hospitals Corp<http://www.nyc.gov/html/hhc/html/pressroom/pr-20110211-data-theft.shtml>. It’s the largest breach reported so far under the HITECH Act breach notification rule<http://www.healthcareinfosecurity.com/regulations.php?reg_id=1857>, which went into effect in September 2009.
Computer backup tapes from the New York provider were stolen on Dec. 23, 2010, from a truck that was transporting them to a secure storage location, according to a website statement from the NYC organization and its letter to those affected. The unencrypted tapes included information on patients and hospital staff from the North Bronx Healthcare Network, a unit of the NYC Health and Hospitals Corp. That network includes Jacobi Medical Center, North Central Bronx Hospital, Tremont Health Center and Gunhill Health Center. Also on the tapes was information the hospitals’ occupational health services collected about employees of vendors and contractors.
The information lost, which was collected during the past 20 years, includes: names, addresses, Social Security numbers, patient medical histories and the occupational/employee health information of staff, vendors, contractors and others, according to the statement.
All those affected are being offered one year of free credit protection services.
Breach Incident Details
The tapes were stolen from a truck operated by GRM Information Management Services while the files were being transported to a secure storage location, according to the provider organization. “The incident was reported by GRM to both North Bronx officials and the police the same day, and an investigation was launched immediately,” the letter to those affected stated. “To date, these tapes have not been recovered.”
In its website statement, the organization noted, “The theft occurred while the GRM van was left unattended and unlocked while the driver made other pickups. GRM reported the incident to the police and dismissed the driver of the vehicle.”
The statement also noted: “The data in the stolen files is not readily accessible without highly specialized technical expertise and data mining tools, and there is no evidence to indicate that the information has been accessed and misused.”
NYC Health and Hospitals said the loss of the data “occurred through the negligence of a contracted firm that specialized in the secure transport and storage of sensitive data, but HHC is taking responsibility for providing information and credit monitoring services to any affected individual who may be worried about the possibility of identity theft.”
Breach Prevention Steps
The provider organization said it has “taken immediate measures to prevent a similar situation from reoccurring; has terminated the contract with the vendor responsible for the loss; and has filed a lawsuit against the vendor to hold it responsible for covering all of the costs associated with notifying all affected individuals and to pay for other damages related to the loss of the data.”
A spokesman for NYC Health and Hospitals told HealthcareInfoSecurity that while the organization has encrypted most of its backup files, the tapes that were stolen, unfortunately, had not yet been encrypted.
“HHC has been undergoing a multi-year data center consolidation project, which requires the careful transition and transfer of all data backup systems to the new center for storage,” the spokesman said. “As part of this process, HHC had to standardize data systems across the hospitals and encrypt all clinical systems backups. HHC has already encrypted more than 80 percent of the data. The Jacobi and NCB hospital system files were scheduled for the necessary migration and encryption in March 2011.”
Despite the lack of encryption, the stolen files will be difficult to decipher, the spokesman contended. “Although the data were not encrypted, it exists in a proprietary program that scrambles the records and would make it difficult for individuals without specialized technical expertise and access to the right software and computer hardware to view the private information.”
As a result of the breach incident, the organization has suspended the transport of unencrypted backup files to off-site storage “and will expedite its plan to upgrade critical data to the 256-bit advanced encryption standard, considered by the federal government as the highest level of protection against tampering,” the spokesman said. “At the time of the theft, HHC had already upgraded and encrypted nearly 80 percent of the 1,568 systems applications used throughout the corporation. The upgrade is expected to be completed by the fall of 2011.”
The spokesman also said the organization will hire a new vendor to handle offsite backup data, which will be “stored in highly protected facilities that have climate-controlled, dedicated tape vaults, secure keycard access, video surveillance and trained personnel.”
Thefts Lead to Breaches
All of the three largest health information breaches<http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html> reported so far under the HITECH Act breach notification rule have involved thefts.
The other two largest breaches reported to the Department of Health and Human Services’ Office for Civil Rights are:
An incident at AvMed Health Plan, which alerted more than 1.2 million about a breach related to the theft<http://www.healthcareinfosecurity.com/articles.php?art_id=2606> of a laptop.
*       An incident at BlueCross BlueShield of Tennessee, which informed nearly 1 million individuals about a breach stemming from the theft<http://www.healthcareinfosecurity.com/articles.php?art_id=2409> of 57 hard drives from a closed call center.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.