We deal with this situation more often than I would like to admit and it takes many forms. Some examples are:
– The IT staff performs regular backups of the server on which the EMR is installed. These backups are then taken off site on a regular basis
– IT staff take a backup of the data and ship it to a vendor for extraction/conversion
– Old data is stored on external drives to save space
There are various other situations, but they all have the same issue – patient identifiable data is stored on removable storage that is easily transported or stolen without any encryption. This is simply illegal. It does not matter that it is part of a nightly backup, it doesn’t matter that it will only be on the drive for a short period of time, it doesn’t matter that it is ‘old’ data. All that matters is that it is encrypted and that the patient data is protected.
We have two great examples of the above situations. The first was a clinic in Nova Scotia that had a locally installed EMR and they faithfully backed up their server every night – and even had a five drive backup rotation schedule for the best protection. Each night a drive was taken home by a staff member and the next day they brought back a drive. So – there was always at least one drive off site at the home of a staff member. This is a decent IT practice to help protect the clinic from data loss. The clinic had even hired an IT Consultant to set it up for them – the same company that took care of all their IT needs. The problem was that none of the drives where encrypted and the ‘backup’ was a clear copy of the data drive on the server. So – each drive contained easily accessible (dBase files) that contained all the patient information in the clinic. And to make matters worse – it was being taken out of the business environment to the home of one of the staff. What would have happened if that staff member’s home had been broken into? I would not want to be the doctor making the report to the RCMP about exposing all his medical data because someone stole a drive from the home of a staff member.
Just like the first example this next one shows how, even with good intentions, you can expose yourself when you are simply trying to protect the data. Another clinic had data from an older EMR that they wanted to hold onto. They got the data scanned into PDFs and held it on a special external hard drive device. This device contained four hard drives in what is called a Raid 5 configuration – which really just means that if one drive fails, you don’t lose your data. The problem was that, like many smaller doctors’ offices, the spouse did the accounting from home – and this drive constantly went back and forth between the doctor’s office and their home. They had purchased it to protect the data, but had not thought to encrypt it. The problem they ran into was that they could not just simply move the data to a new drive, encrypt the old drive and copy it back. The information on the old drive would first need to be purged in a secure fashion using a program like Eraser (see Recommended Tools in another post below) – in order to meet legal requirements. As this was a fairly large drive – it was going to take time and effort to solve their problem correctly and reduce their liability moving forward.
1. Never put data on removable media, unless it is encrypted with a minimum of 256 Bit encryption.
2. Make sure your backups are encrypted and well protected.
3. When you destroy the data, take special care to make sure you have done it properly.