Are external hard drives HIPAA compliant?

by
Are external hard drives HIPAA compliant

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that provides data privacy and security provisions for safeguarding medical information (Centers for Disease Control and Prevention, 2022).

HIPAA establishes national standards to protect individuals’ medical records and other personal health information. It applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically (U.S. Department of Health and Human Services, 2022).

The HIPAA Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. This is called protected health information (PHI). The HIPAA Security Rule specifies safeguards that covered entities and their business associates must implement to protect the confidentiality, integrity, and security of electronic protected health information (ePHI) (U.S. Department of Health and Human Services, 2022).

What data does HIPAA cover?

HIPAA applies specifically to protected health information (PHI). According to the HHS, PHI is any information in a medical record or designated record set that can be used to identify an individual and relates to:

  • Past, present or future physical or mental health conditions
  • Healthcare provision
  • Past, present or future payment for healthcare

PHI includes demographic data relating to an individual’s healthcare, such as age, address, email address, and relatives’ names. Common examples of PHI include:

  • Names
  • Geographical information
  • Dates relating to healthcare
  • Phone numbers
  • FAX numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health insurance details
  • Device identifiers
  • Web URLs
  • IP addresses
  • Full face photos

Any information that can potentially identify an individual patient constitutes PHI under HIPAA. Healthcare organizations and their associates must protect the confidentiality, integrity and availability of all PHI according to HIPAA regulations.

HIPAA Compliance for Storage Devices

The Health Insurance Portability and Accountability Act (HIPAA) has specific requirements for protecting Protected Health Information (PHI) on storage devices like external hard drives. HIPAA’s Physical Safeguards rules state that PHI must be stored securely and protected from unauthorized access, theft, and disclosure.

Any external hard drive used to store PHI must have sufficient administrative, physical and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) as per the HIPAA Security Rule. Safeguards may include encryption, access controls, audit logs, and physical security measures.

Entities like healthcare providers and business associates that handle PHI data are obligated to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they store. This risk analysis must specifically consider risks to ePHI stored on external hard drives and other removable media.

Per HIPAA regulations, external hard drives used for PHI require restricted physical access to prevent theft and unauthorized access. Drives must be kept secure via locked rooms, cabinets or safes when not in use. Strict encryption and access control policies are also mandated.

While external hard drives can comply with HIPAA regulations if properly secured and encrypted, they inherently pose more risks than secured internal network storage. Entities must weigh these risks before using external drives for PHI data.

Source: https://www.cru-inc.com/data-protection-topics/hipaa-compliance/

Requirements for HIPAA Compliant External Drives

For external drives to be considered HIPAA compliant, they must implement safeguards to protect patient health information (PHI) as required by the HIPAA Security Rule. The main requirements relate to encryption, access controls, and audit logging.

Encryption is essential for securing PHI on external drives. The HIPAA Security Rule states that encryption must be implemented for data security if reasonable and appropriate (see source). For external drives, encryption should be used to protect any PHI at rest. The encryption standard must meet the minimum requirements set out by the National Institute of Standards and Technology (NIST). Currently, this means using an approved symmetric or asymmetric encryption method with at least 256-bit encryption keys (see source).

Access controls are also necessary on HIPAA compliant drives. This ensures that only authorized individuals can access and view PHI. Secure password protection and user authentication protocols should be implemented. PHI encryption keys should also be protected by access controls.

Finally, HIPAA compliant external drives should maintain detailed audit logs. The audit logs record activity on the drive like data access, modification, and transmission. Audit logs assist in detecting security breaches and policy violations.

By implementing these safeguards, external hard drives can achieve HIPAA compliance and securely protect sensitive patient health data. The requirements help mitigate security risks and unauthorized PHI access.

Benefits of HIPAA compliant drives

There are several key benefits to using external drives that are designed to be HIPAA compliant compared to standard consumer-grade drives:

Enhanced security – HIPAA compliant drives utilize encryption and access controls to prevent unauthorized access to protected health information (PHI). This protects patient data even if a drive is lost or stolen. Devices like the IronKey encrypted flash drive use military-grade 256-bit hardware encryption.

Improved portability – External hard drives allow providers to securely transport large volumes of PHI between facilities. HIPAA compliant portable drives have built-in security features to maintain protection on the go.

Scalable storage – As medical practices gather more digital patient records over time, HIPAA compliant external drives offer easily expandable storage space. Large multi-terabyte external drives can securely store entire patient databases.

By investing in proper HIPAA compliant storage solutions, healthcare organizations can better safeguard confidential patient information from data breaches while gaining transportable and scalable storage capacity.

Top HIPAA compliant external drives

Many external hard drives can be made HIPAA compliant with proper encryption and access controls. Some drives come with built-in HIPAA compliance features like hardware encryption and rugged, tamper-proof designs.

One popular option is Apricorn drives like the Aegis Padlock or Aegis Fortress. These feature AES-XTS 256-bit hardware encryption to secure data as well as a pinpad for access control 1. The encrypted drives are designed to be easy to use while meeting HIPAA requirements.

Other top HIPAA compliant external drive options include:

  • Kanguru Defender Elite30 – Features AES-256 hardware encryption and is FIPS 140-2 Level 3 certified for data security 2.
  • IronKey H350 – Rugged encrypted USB drive with antivirus scanning and malware protection.
  • iStorage diskAshur DT2 – PIN authenticated 256-bit AES hardware encrypted desktop drive.

When selecting a HIPAA compliant external drive, key features to look for include tamper-proofing, hardware-based encryption, and options for access controls like PINs or passwords.

Using non-compliant drives

While external hard drives that are not specifically designed to be HIPAA compliant may seem like an affordable option, their use carries significant risks and may result in HIPAA violations. According to the HHS, failing to properly encrypt and protect patient data on storage devices is considered non-compliance and can result in penalties (cite: HIPAA Security).

Some key risks of using non-compliant external hard drives include:

  • Data breaches if drives are lost or stolen – without encryption, patient data is accessible
  • Accidental data leaks if drives are reused or disposed of unsafely
  • Fines up to $50,000 per HIPAA violation
  • Reputational damage and loss of patient trust

It is best practice to only use HIPAA-compliant encrypted external drives designed specifically for storing protected health information. The risks of non-compliance simply outweigh any potential cost savings. Healthcare organizations must take reasonable steps to safeguard patient data.

Steps to make drives HIPAA compliant

There are several key steps organizations can take to make external hard drives HIPAA compliant:

Implement encryption – Encrypting data storage devices is a core requirement for HIPAA compliance. Encryption converts data into unreadable code that requires a decryption key to access. This protects patient data if a drive is lost or stolen. Many external hard drives come with built-in hardware encryption. Encryption software can also be used if needed.

Enable access controls – HIPAA requires limiting access to protected health information only to authorized users. This can be done by setting up user accounts and passwords on external drives so that only authorized personnel can access patient data. Strong password policies should be enforced.

Maintain audit trails – Organizations must have audit controls that record and log activity on digital files containing protected health information. External hard drives should have the ability to track user access, file modifications, deletions, etc.

Develop and enforce policies – Comprehensive policies need to be implemented for the use and security of external drives used to store protected health information. Policies should dictate encryption requirements, access controls, physical security, acceptable use, etc. All personnel should receive training on HIPAA compliant use of external drives.

By implementing encryption, access controls, audit trails, and well-developed policies, organizations can ensure external hard drives meet HIPAA requirements for securely handling sensitive patient data. For more details, see these HIPAA compliance guides: https://www.cmsproducts.com/cesecure-healthcare/, https://www.cru-inc.com/data-protection-topics/hipaa-compliance/

HIPAA compliance for backup drives

HIPAA has strict requirements for ensuring the compliance of backup drives and services, whether cloud-based or physical. Critical patient health information (PHI) must remain confidential and secure at all times.

For physical backup drives, HIPAA requires drive encryption to prevent unauthorized access if stolen or lost. Drives should be tracked with an inventory log and securely destroyed when retired. Access should be limited to necessary personnel. Records of backup drive use, location, and personnel access must be maintained.

For cloud backups, HIPAA requires that the provider sign a Business Associate Agreement ensuring they will safeguard PHI. Transmission of PHI must be encrypted end-to-end. Cloud storage must also be fully encrypted, with stringent access controls. Compliant services include SpiderOak One Backup, ArcServe, and Backblaze.

In summary, both physical and cloud backup solutions must fully secure PHI according to HIPAA’s encryption, access control, auditing, and data destruction standards.

Maintaining HIPAA Compliance

Maintaining HIPAA compliance for external hard drives requires ongoing diligence. Healthcare organizations must conduct regular audits to ensure proper security controls are in place and functioning as intended. Strict access controls should limit data access to only authorized users. Organizations must also have procedures for secure disposal of drives containing protected health information (PHI). Some best practices include:

Ongoing Audits – Covered entities should frequently audit their HIPAA security policies, controls, and systems to uncover any gaps or vulnerabilities. Both technical and physical safeguards should be evaluated. Regular risk analyses help identify new threats that may require updated security measures.

Access Controls – Role-based access controls limit data access to only those users who need it for their job. Authentication requirements like passwords or multi-factor authentication also help control access. Drives containing PHI should utilize encryption to render data unreadable if devices are ever lost or stolen.

Device Disposal – Proper disposal procedures like degaussing, cryptographic erasure, or physical destruction ensure drives are fully wiped before redeployment or disposal. This prevents any PHI from being compromised after the device leaves the organization’s control.[1]

Staying compliant requires constant vigilance and keeping security tight across physical, administrative, and technical safeguards. But the peace of mind of protecting sensitive patient data makes the effort worthwhile.