How to secure central storage devices

Organizations must secure any vulnerabilities in central storage devices. Security requirements may depend on the device and the organization, as healthcare practices use many different tools. Healthcare organizations that need to protect protected health information (PHI) must adhere to the security requirements set by HIPAA’s Security Rule. 

What are central storage devices? 

Central storage devices are hardware components designed to store data and make it accessible for retrieval by computers and other devices. The idea behind central storage sources aligns with the idea discussed in a PLOS Computational Biology study, “Best practices for data storage often begin and end with this statement: 'Deposit your data in a community standard repository.' This is good advice, especially considering your data is most likely to be reused if it is available on a community site.”

Examples of these devices include hard drives, solid-state drives, and network-attached storage. Their function is a necessary part of computing, allowing information to remain readily available at all times. When selecting a central storage device, organizations are faced with the need to balance performance and reliability with the inevitable matter of cost. 

A logical choice is to select a device that aligns with the needs of the organization. For example, healthcare organizations need to ensure devices have the necessary security measures to align with HIPAA or can be secured to align with security protocols geared towards compliance. 

The methods of securing central storage devices

Encryption (Technical Safeguard)

• Organizations should use full disk encryption on central storage devices like servers and network-attached storage (NAS) when it is stored and transmitted. 
• An accessible and foolproof method of securing data during transmission is using HIPAA compliant email and text messaging platforms like Paubox. 
• Encryption keys with centralized key management systems) should be managed with only authorized personnel accessing these keys. 

Access controls (Technical Safeguard)

• Strict role-based access controls ensure that only staff with legitimate needs have access to specific sets of PHI. 
• Systems should be used to log and monitor user access to central storage. 

Data integrity (Technical Safeguard)

• Cryptographic hashing algorithms can assist in ensuring the integrity of PHI stored on central devices. These algorithms generate unique hashes for data files which can be checked regularly. 
• File versioning systems maintain previous versions of files which allows for the recovery of PHI accidentally altered or corrupted. 

Physical security (Physical Safeguard)

• Store central storage devices in locked, access-controlled areas with physical security measures like biometric scans and key cards. 
• Environmental controls in storage facilities like temperature and humidity monitoring benefit devices by preventing possible damage. 

Automatic data wiping (Physical and Technical Safeguards)

• When devices containing PHI are decommissioned, they can be securely wiped using standards like NIST SP 800-88 (Guidelines for Media Sanitization). 
• For storage devices no longer in use, perform secure overwriting of the storage media before disposal.

Backup and disaster recovery (Physical and Technical Safeguards)

• Backup and recovery is a necessary step in the protection of PHI. In preparation for disasters, organizations should also develop comprehensive disaster recovery plans to keep PHI safe even if it encounters a cyberattack or hardware failure.  

FAQs

What is the function behind data centralization? 

It is the process of storing all of an organization’s data in one central location or system. The main purpose is to improve the management of data by keeping a single controlled environment so organizations can more easily manage and back up information.

How do ISPs work?

A company that provides individuals or organizations with access to the internet. 

When are backup and disaster recovery protocols triggered?

Backup and disaster recovery protocols are triggered when an unexpected event or failure occurs that threatens data or system integrity. It includes: 

• Hardware failure
• Data corruption
• Cyber attacks 
• Natural disasters 
• Power outages or system crashes