Security, Privacy, HIPAA, HITECH and Compliance in choosing a Vendor

Every scanning customer cares about their files and information.  And no one ever designs a web site, a process or any other customer facing secure system thinking that being hacked or losing customer data is going to be “Ok”!  So how come there are so many examples of major companies being hacked or of companies having to report data breaches to their customers?  The answers are simpler than you would expect.


How Security Works

I am going to try to share how I think about this whole process and give some recommendations on what anyone talking to a vendor should ask and look for, both as red flags and as reassuring signs.  Let’s start with what security is all about.  The bottom line of security is letting the people who need to see something see it, and keeping the people who are not supposed to see it from seeing it.  When we are dealing with paper records, their security is mostly physical security.  You want to be able to lock the doors/drawers/cabinets and keep people from getting to the paper you do not want them to see.  Paper also has a built-in limit on theft.  Stealing hundreds of thousands of records would take trucks and hours of labor from a group of people boxing up and hauling away your paper, and the loss of those records is very easy to notice.  But once we have converted these records to an electronic format, it is much easier for the bad guys to copy all of your records and, in most cases, walk away with something smaller than a sandwich… and if you are connected to the internet, they may never have needed to come into your office at all.


What are Security Standards?

While electronic records dramatically improve most business processes, they also add risks that need to be mitigated by well-designed systems and processes.  HIPAA and HITECH are the Government’s attempt to protect us as consumers: they set rules designed to keep our private information from being disclosed to the wrong parties.  But those rules work much like the safety standards imposed on the car industry.  They are a set of minimum requirements that everyone is supposed to follow, and while every new car meets or exceeds them, that does not make every car on the road equally safe!  In the automotive world Consumer Reports® and other sources do independent reviews of the safety, comfort and price of a car, so when a manufacturer says its car is safe, you have an independent way to verify that claim and compare it with your other choices.   In the scanning world it is not quite that simple, but there are ways to find out how well a vendor compares to others without having to be capable of doing those in-depth technical comparisons yourself.


Take Advantage of the Work Other People Have Done!

The simplest way to track down the answer to security is to let someone else do it for you, for free!  Every vendor you talk to will have a list of references, and a reference is an easy way to find many of these answers.  The bigger a reference company is, the more likely it has done its own security audit of the vendor.  When you call the reference, ask that exact question: “Did you do, and do you keep doing, security audits of the vendor?”  If none of their references have done an audit, that should be a Red Flag.  Also ask questions to make sure that how you will use the vendor’s services reasonably compares to how the reference uses them.  And as you already know, if they do not have references, that is a huge Red Flag.  The equivalent of a customer audit is an independent external audit of the vendor by a professional auditing firm.  There are many large auditing companies that will come in and review whether the vendor is meeting a set of security requirements (like HIPAA and HITECH).  Keep in mind that there is no government-issued HIPAA “certification”; a vendor that says it is HIPAA certified is relying on some third party’s assessment, so ask which firm did it and against what standard, and ask to see the report itself rather than just a certificate or a logo.  Do not confuse an external audit with an internal audit.  An internal audit is the vendor looking over its own process and deciding that it complies.  An external audit by an unqualified source should also carry very little weight.  If I paid my mom to audit our company, she is both biased and unqualified to do the audit (sorry mom).  Look up the agency that performed the audit to make sure its opinion is one you can trust.


How Security Breaches Happen

If security is something that can be accomplished, how come so many people have failed?  It is most helpful to think about how breaches happen, and then to see how to identify those risks as a customer.  I like to think of risks in 2 broad areas: human error and poor implementation/design.  The question to start with is asking a vendor how long they have been in business and whether they have ever had a breach.  A long record of doing business while successfully protecting information is a very positive sign.  Poor design and implementation are normally caught by audits and/or by time.  If a vendor is failing in this area, it is going to catch up with them, and most good audits will expose that weakness.  The hardest security risk to detect is human error.  Human error is a combination of management style, employee attention to detail and training, and it culminates when an employee does or does not do something that has unintended consequences.  It can be as simple as copying a file to the wrong place or setting the wrong security parameter, and as complicated as applying a patch incorrectly.  There is no way to completely prevent human error, but staffing is the easiest place to spot this challenge.  How much staff turnover happens at the vendor?  Does the vendor use temp labor?  How big is the vendor’s staff?  When you ask these questions, look for answers that do not fit with your job.  If you are shipping them 1,000 boxes of paper to be scanned and stored and they have a staff of 4… where are the other 30 people they will need to process your job in a timely manner?  How a vendor handles the swings in its own staffing needs tells you a lot about the kinds and number of employees it really has.  Mismatches between staffing and the vendor’s day-to-day needs should be Red Flags.


List of Questions to Ask Vendors:

  1. How long has the vendor been in business?
  2. Is the vendor HIPAA/HITECH (insert your industry standard here) compliant?
  3. Have they ever had a security/privacy breach either electronically or physically?
  4. Do they have a list of customers?
  5. Do they have a list of references you can contact?
    1. Ask the references what services they use from the vendor and how long they have been using them for that service.
    2. Ask the references if they do and continue to do security audits of the vendor.
  6. Does the Vendor have an external security audit completed annually?
    1. Can you get a copy of the audit report (not just a certificate), and what standard was the audit performed against?
    2. Is the Auditing agency a good, well-known choice to perform this type of audit?
  7. What does the vendor’s staffing look like?
    1. Can the existing staffing handle your workload and time frame for delivery?
    2. Does the vendor use temp laborers?
    3. What does management turnover look like (how long has the average manager been with the vendor’s company)?
    4. What does employee turnover look like (how long has the average employee been with the vendor’s company)?


Outside Links

These are a few other sources to help you with these processes and to understand the risks that are out there:


The federal government breach notification listing

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html


The federal government summary of HIPAA

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html


The federal government HITECH rulemaking and Implementation update.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechblurb.html


The Better Business Bureau’s® guide to Security and Privacy

http://www.bbb.org/us/storage/16/documents/SecurityPrivacyMadeSimpler.pdf

Archiving to Optical Discs

One of the common requests we get is to deliver scanned customer files on encrypted CD/DVDs.  For this post I am going to assume that the data in question is valuable and the opportunity cost for its loss is high.

CD/DVDs are a reasonable delivery and storage mechanism if you are willing to follow some simple guidelines.  The general wisdom for the practical life expectancy of disc media is 2 to 5 years.  Failures can occur much sooner, and discs can last significantly longer, but even that average falls within a period in which losing the data is not an acceptable outcome.  When a disc fails, the common result is that none of the files on the disc are readable or recoverable.

So how can you mitigate the risk while keeping this simple-to-use storage mechanism?  The risks fall into two big categories: security and availability.


Security:

Discs need to be stored in a place where the people who need the data can get to them.  Physical storage ties into data encryption.  If your data is strongly encrypted, you can store the physical discs in a more accessible location.  If the data is unencrypted, you need to store the discs in a location that provides physical security and makes sure unwanted access does not occur.  Many people make the mistake of equating the risks of discs with the risks of keeping paper records.  While that is generally true from the access perspective, a DVD can reasonably hold over 100,000 scanned pages and fit easily into a pocket or bag.  Losing one DVD can expose your company to a dramatic security breach.   By encrypting the files on a DVD, you can mitigate many of the physical security issues.  If a strongly encrypted disc is lost or stolen, breaking the encryption is so impractical that the loss often does not amount to a security breach at all; under the HIPAA breach notification rule, properly encrypted information is treated as “secured” and its loss is generally not a reportable breach.  This assumes that you do NOT store the encryption passwords with the discs, that you have used strong passwords, and that the encryption itself is sound: modern AES-based encryption rather than the legacy “ZipCrypto” scheme found in older zip tools, which is known to be weak.


Not all encryption systems are created equal.  For example, while many zip compression programs offer encryption, most of them leave the file names of the encrypted files visible, because the zip archive’s directory of names is not encrypted.  If you have HR records whose file names are the last name, first name and Social Security Number of your employees, then just seeing the file names, without ever decrypting the zip file, would be a security breach.  There are a couple of ways around this.   You can use a generic file naming pattern (e.g. 000000001.pdf) with an index file that tells you this file belongs to John Doe with SSN 123-45-6789 (the index file then needs the same protection as the records themselves).  Or, better yet, use an encryption program that does not expose the file names.  The next major part of this is creating a password that is sufficiently difficult for an unauthorized user ever to guess.  Passwords that are real words or names are never recommended, and even short phrases fail most strong-password standards.  Our standard suggestion is a random string of 25+ mixed upper- and lower-case letters, numbers and special characters.  While this is very secure, the tradeoff is how to remember the password!  The harder a password is to remember, the more likely you will end up finding it on a sticky note stuck to the encrypted disc.  Our suggestion is to keep the passwords in one location (a locked fire safe or desk drawer in your office) and the discs in a different location.
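
Here is a small Python script, added to this post as an illustration and not part of any scanning vendor’s own software, that does the things just described: it assigns generic zero-padded names to a set of records, builds the index that maps those names back to people, flags any file name that would leak an SSN even if the archive contents were encrypted, and generates a 25-character random password drawn from upper- and lower-case letters, digits and punctuation.  The employee records in it are made up.

```python
import re
import secrets
import string

# Constructed sample records for illustration only; not real people.
RECORDS = [
    {"last": "Doe", "first": "John", "ssn": "123-45-6789"},
    {"last": "Roe", "first": "Jane", "ssn": "987-65-4321"},
]

# Matches a dashed US SSN (123-45-6789) that is not part of a longer number.
# A dashless 9-digit check would also flag the generic counter names below,
# so if your HR export writes SSNs without dashes, compare names against
# the index instead of relying on this pattern.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def opaque_names(records, width=9, ext=".pdf"):
    """Give each record a generic name such as 000000001.pdf.

    Returns a list of (filename, record) pairs. Nothing about the person
    is recoverable from the name alone.
    """
    return [(f"{i:0{width}d}{ext}", rec) for i, rec in enumerate(records, start=1)]


def build_index(named):
    """Rows for the index file that ties opaque names back to people.

    This index is as sensitive as the records themselves and must be
    stored encrypted, never as a cleartext file next to the discs.
    """
    return [
        {"file": fn, "last": r["last"], "first": r["first"], "ssn": r["ssn"]}
        for fn, r in named
    ]


def leaky_filenames(filenames):
    """Return the names that contain an SSN.

    A zip archive keeps its table of file names unencrypted, so these
    names would be readable without the password.
    """
    return [fn for fn in filenames if SSN_RE.search(fn)]


def random_password(length=25):
    """Random password with at least one lower, upper, digit and symbol."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


if __name__ == "__main__":
    bad_names = ["Doe_John_123-45-6789.pdf", "Roe_Jane_987-65-4321.pdf"]
    print("names that leak an SSN:", leaky_filenames(bad_names))
    named = opaque_names(RECORDS)
    print("names that leak an SSN:", leaky_filenames([fn for fn, _ in named]))
    for row in build_index(named):
        print(row)
    print("suggested disc password:", random_password())
```

The password comes from the secrets module rather than random, which is the difference between a value suitable for protecting records and one an attacker who knows the generator can reproduce.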


Availability:

Physically storing the discs is the next big issue.  A single disc is a single point of failure.  If the disc is destroyed (e.g. fire, breakage, loss, theft or media failure), you have lost all of the data.  Keeping 2 copies of the disc in different locations is a simple solution: one in a locked location in your office and the other in a safe deposit box at a different physical location is reasonable.  Which gets us back to how you protect against media failure of the discs themselves.  There is no way to prevent failures, so you need a policy that detects them and works around them.  Think of it like saving your work as you go: the more frequently you hit save, the more likely your work will still be there if something unexpected happens.  In the disc world, this translates to checking your discs, and I mean all of them.  Checking means actually reading every file back, not just confirming that the disc mounts; a disc with a failing sector can still show a directory listing while one or more files have become unreadable.  The best policy is to check each disc and, when a disc fails (because it will, given enough time), use the 2nd copy to make a fresh copy of your data.  How frequently you check your discs is a policy decision based on the value of your files.  In general we suggest checking all of them once a month.  The shorter the interval between checks, the less likely it is that both discs will have failed in the same period; the longer you go between checks, the greater the risk that both copies have failed.
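
To make “checking” concrete, here is a Python script I have added to this post (it is not a tool any scanning vendor ships) that writes a SHA-256 manifest of every file when a disc is made and later reads every file back and compares it against that manifest, reporting files that are missing, unreadable or changed.  The demo at the bottom builds a pretend disc in a temporary folder with two constructed files, damages it, and runs the check; on a real disc you would point build_manifest and verify_disc at the mounted drive and keep a copy of the manifest with the password, not only on the disc itself.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path, chunk=1 << 20):
    """Read the whole file in chunks and return its SHA-256 hex digest.

    Reading every byte is the point: a disc can mount and list its files
    while some of them are no longer readable.
    """
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its hash; skip the manifest itself."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def save_manifest(root, manifest):
    (Path(root) / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))


def load_manifest(root):
    return json.loads((Path(root) / MANIFEST_NAME).read_text())


def verify_disc(root, manifest):
    """Return a list of (relative path, problem) for every file that fails the check."""
    root = Path(root)
    problems = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
            continue
        try:
            actual = sha256_of(p)
        except OSError as err:  # a bad sector surfaces as an I/O error on read
            problems.append((rel, f"read error: {err}"))
            continue
        if actual != expected:
            problems.append((rel, "hash mismatch"))
    return problems


def demo():
    """Simulate a disc in a temp folder: clean check, then check after damage."""
    with tempfile.TemporaryDirectory() as d:
        disc = Path(d)
        # Constructed sample files standing in for scanned PDFs.
        (disc / "000000001.pdf").write_bytes(b"sample scanned page 1")
        (disc / "000000002.pdf").write_bytes(b"sample scanned page 2")
        save_manifest(disc, build_manifest(disc))
        clean = verify_disc(disc, load_manifest(disc))
        # Damage the "disc": one file lost, one file's bytes changed.
        (disc / "000000001.pdf").unlink()
        (disc / "000000002.pdf").write_bytes(b"sample scanned page 2 with bit rot")
        damaged = verify_disc(disc, load_manifest(disc))
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("fresh disc:", clean or "all files verified")
    for rel, problem in damaged:
        print(f"{rel}: {problem} -> re-copy this disc from the second copy")
```

Any non-empty result from verify_disc is the trigger for the policy above: pull the second copy, verify it the same way, and burn a replacement before the remaining good copy has a chance to fail too.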


Conclusions:

Having worked with records for many years now, I can tell you that very few customers actually take the time to check their discs with any degree of routine frequency.  Over the years, the phone calls we like least to receive are the ones where, years after a scanning job, a customer calls hoping that we still have their password or a copy of their records.  Unless we have been contracted otherwise, we no longer have their information.  If you are willing to follow a set of reasonable guidelines, then disc media can be a reasonable part of your information storage process.  If you are not comfortable that these processes will be followed, then please keep an eye out for the upcoming blog posts on the benefits of an online repository and the challenges of using your network servers for storage.


Here are a few useful links:

Guidelines and overview of disc use for records by the federal government:

http://www.archives.gov/records-mgmt/initiatives/temp-opmedia-faq.html

Best Practices in Digital Permanence, July 2013.  Created by State Archive of NC

http://www.ncdcr.gov/Portals/26/PDF/guidelines/digital_permanence.pdf

Guidelines for Digital Imaging Systems, created by the NC Dept. of Cultural Resources

http://www.ncdcr.gov/Portals/26/PDF/guidelines/NCDigitalPhase3.pdf

Could You Use 1,000 Square Feet of More Room?

As a provider of a comprehensive list of products and services, we get to work with a variety of different local and national businesses. In a throw-back to the days of trapper keepers and lockers, we’ve included a “case study” of our work with a graduate university that gives perspective on the ways your company could benefit from electronic document storage.

The Problem:

A few years back, the Office of Business Affairs for a highly regarded medical graduate school contacted us with a problem: 30 years’ worth of records were piling up – employee files, financial documents, student records filled four large rooms with 80 filing cabinets. It was becoming increasingly difficult for the office staff to locate and retrieve files, never mind the severe space shortage the document storage was causing! Their main concern was the distinct possibility that important, and often confidential, files could be misplaced or lost.

The Solution:

With over 2.5 million sheets of paper needing to be digitized, the Office of Business Affairs turned to Professional Systems, USA Inc. We imaged and safely discarded the majority of their paper files, and the department reclaimed over 1,000 square feet of space, which conservatively translates to $20,000 per year worth of office space that could be put to more productive use.

How did we do it?

Digitized records are stored on our secure, password-protected servers using the K-Docs document management software. The servers are housed at a secured site with redundant power generators and 24-hour physical security. Scanning let the university greatly reduce its exposure to disaster, tampering with records, and unauthorized access to confidential information.