Healthcare organizations using data recovery providers may be vulnerable to data breaches


DriveSavers Data Recovery, the worldwide leader in data recovery services, announced today the risks that healthcare organizations should be aware of with using third party data recovery service providers that are not compliant with HIPAA Data Security Guidelines or properly vetted for security protocols. As the healthcare industry rapidly becomes digitized, the risks of data breach are unprecedented. In 2011, health data breaches in the US increased 97 percent over the year before, according to a recent report by Redspin, a leading provider of IT security assessments. Data breaches cost the healthcare industry an estimated $6.5 billion last year. Redspin cites insufficient oversight of PHI (protected health information) disclosed to hospital "business associates" (third party vendors) as one of the main reasons for the increase.

Under HIPAA federal law, the legal burden of protecting patient data while it is held by a business associate falls on the healthcare organization that contracted the service from that business. Therefore, if a data breach occurs while PHI is being recovered at a third party data recovery service provider, the healthcare organization that contracted the service is responsible for what could turn out to be a very costly, reportable data breach.

How Healthcare Organizations may be Vulnerable to Data Breaches Using Data Recovery

There are several areas where a healthcare organization's PHI records may be vulnerable to data breach when using a data recovery service provider.

  • Risk of permanent data loss if software tools are used improperly, or if the device is opened outside an ISO-5 cleanroom and the media platters are exposed to airborne contaminants
  • Risk of improper copying or identity theft of PHI data
  • Risk of outside breach by hackers if recovered data is stored on an unprotected network
  • Risk of PHI data exposure if damaged drives are not destroyed with a DOD-approved degausser or shredder
  • Risk of viruses or malware being returned on the new drive along with the recovered data

Using a data recovery vendor that does not have proper protocols in place to protect PHI can lead to loss or theft of sensitive and confidential information. As a result, the healthcare organization could suffer major disruption in business, large financial and legal costs, a damaged brand name, the firing of the management, IT staff and IT security personnel involved in the data recovery selection process and, in some cases, a complete shutdown.

NYC Hospital Properly Vets Data Recovery Firm and Safely Recovers 200,000 Patient Records

Healthcare organizations that have policies and guidelines in place for selecting and using data recovery service providers can avoid the risks of a data breach. A large public hospital in New York City had a RAID 5 server fail mechanically. The server stored the hospital's database of over 200,000 patient records.

Knowing that healthcare organizations must by law meet the most stringent data security guidelines, the NYC hospital's IT team thoroughly vetted their prospective business associate, DriveSavers, to ensure that the company adhered to the HIPAA Data Security Guidelines before sending PHI data to its facilities. DriveSavers has achieved compliance with forty-two data security standards outlined in the Health Insurance Portability and Accountability Act (HIPAA).

DriveSavers successfully recovered the hospital's PHI data in a certified ISO 5 cleanroom that has been audited and certified to meet ISO 14644-1 standards. Engineers and employees at DriveSavers have all undergone background checks. The recovered data was stored on the company's certified secure network, which is audited annually as part of a SAS 70 Type II certification process. The hospital's IT team received the restored data on a new storage device; the old, damaged drive was permanently and securely degaussed following HIPAA guidelines for destroying hard drives.

DriveSavers is leading the data recovery market by investing in technology, research, equipment, new facilities and training so that it meets the rigorous security demands of the healthcare industry. In addition to being compliant with the HIPAA Data Security Guidelines and undergoing annual SAS 70 Type II audits, the company also adheres to US Government security protocols, the Gramm-Leach-Bliley Act Data Security Rule (GLBA), the Data-At-Rest mandate (DAR) and the Sarbanes-Oxley Act (SOX). DriveSavers engineers have received certifications for completing extensive training programs from leading encryption software vendors, including GuardianEdge, PGP, Pointsec (Check Point Software Technology) and Utimaco.

DriveSavers can successfully recover lost data from encrypted hardware, software, email, network files, wireless device data and all storage/backup devices. Companies that have trusted DriveSavers with their critical data include: CompuCom Systems, Inc., eBay, NASA, Weill Cornell Medical Center and UCLA Medical Center.
