Protected health information (PHI) exists in many parts of your computer
network. File shares on servers are the most common places where people store
data files such as Microsoft Word, Excel, and PowerPoint documents, and PHI can
exist in any of these and other formats. You may also have custom web or legacy
client/server applications that store PHI in a variety of file formats; the
data held by those applications needs to be protected as well. Files containing
PHI need to be identified, and a plan of action should be put in place to
protect them.
The proliferation of low-cost disk space has made it easy for people to
purchase inexpensive storage devices such as external USB drives, network
attached storage (NAS), direct attached storage connected to servers, and even
USB memory sticks. Any of these devices could contain protected health
information today. Left unprotected, these documents can easily be copied to
insecure media, whether by people who are authorized to take possession of the
files or by people who are not. In either case, portable devices containing PHI
can easily be lost or misused.
Encryption technology should meet or exceed NIST Special Publication 800-111,
"Guide to Storage Encryption Technologies for End User Devices".
The HITECH Act, enacted as part of the American Recovery and Reinvestment Act
(ARRA), encourages the mitigation of threats to data in file systems by
requiring various levels of notification following a breach of unsecured
protected health information. If PHI is rendered unusable, unreadable, or
indecipherable to unauthorized individuals, then such information is not
unsecured PHI and therefore may not be subject to the breach notifications
directed by the HITECH Act. Encryption solutions from our partners, such as PGP,
can implement the encryption necessary to mitigate the risks to PHI security.
ExperiorData Solution: Encrypt files and
documents using network share encryption technologies. Deploy endpoint solutions
that enforce encryption policies for removable media.