Healthcare Technology Featured Article

August 28, 2019

Old Is Still Gold: Securing Dormant Health Data

With cyberattacks on hospitals, healthcare providers, insurance companies and other healthcare-related organizations on the rise and cybercriminals developing increasingly effective tools and methods to attack healthcare organizations, effective healthcare data security has never been more critical. This is particularly true regarding the secure retention and archiving (warehousing) of dormant yet still sensitive data and records that are stored for future use because their utility is no longer critical and isn’t being utilized on a regular basis. 

Key issues in protecting dormant data
Controlling costs, complying with HIPPA, GDPR and HITECH and individual state mandates, assuring patient data security, and the rapid changes of medical and information technology are stressing already limited resources and have resulted in a more complex life-cycle for healthcare data. Continuous advances in technology, from diagnostic imaging to payer-provider tracking and analytics software, make the development of storage systems now leverage newer, faster technologies that yield larger capacities with a smaller physical footprint. 

         Harsha Gummadavell

Despite these ongoing developments, a significant number of healthcare organizations continue to store their dormant ePHI/PHI data on in-house servers which house essential programs that are used across the healthcare organization. As a centralized, single-target repository of programs and data, they are an attractive target for hackers. Once access has been gained, data can be viewed, copied, altered, or deleted, systems can be sabotaged, and healthcare organizations can be subjected to extortion using ransomware.

According to a recent report published by the U.S. Department of Health and Human Services, attacks on servers have accounted for more than half, some 54 percent, of all healthcare data breaches over the last 12 months and have proved to be the weakest link in the systems built to protect data, both live and dormant, from cyberattack.

One of the most common server vulnerabilities has been shown to be the failure to keep on top of user account management. When employees leave the company, their accounts must be deleted.

Dormant accounts are a major risk and are often used by malicious actors to access systems and mask their activities. Research shows that the risk increases with the number of accounts that are left dormant. The longer those accounts are left open, the greater the likelihood that at least one will be used for illicit or malicious purposes.

As a central repository of programs and data, servers present an attractive target for hackers. Once access has been gained, data can be viewed, copied, altered, or deleted, systems can be sabotaged, and healthcare organizations can be subjected to extortion using ransomware.

To address this risk, security controls should be implemented that automatically disable or delete data and information that is no longer considered sensitive. At the same time, system activity logs should also be routinely checked to determine whether dormant accounts have been accessed without authorization, used inappropriately or compromised. Periodic, unscheduled reviews of dormant data should also be conducted to ensure all unused accounts are either disabled or purged to improve future performance and accessibility.

Better solutions
Healthcare organizations need to proactively replace, or at a minimum, upgrade, legacy technologies that are unable to meet currently mandated standards, particularly if they endanger sensitive patient data, as the security and maintenance of dormant data is equally as critical as that of ‘live’ data.

  • Internal storage: If an organization develops data and stores dormant sensitive data internally, it is important to define a core set of rules for implementing its history (e.g., data modeling rules, history updates, etc.) and standardize conventions. Each data set, application data store, or data repository should also have specific historical data requirements.
  • Cloud storage: As an alternative to storing sensitive data on in-house or off-site servers, many healthcare providers are looking to implement cloud data storage options as organizations adopt mobile applications and store clinical data in the cloud to give them improved access to stored information. Cloud data storage also saves organizations money by allowing them to purchase more storage space as needed, rather than investing in additional on-premises servers. In addition, it melds more effectively with more advanced, continually developing infrastructure technology as it gives users a more flexible way to access data.
  • Hybrid Storage: While several different types of cloud deployments are available to healthcare organizations, data managers need to decide how much control over their data these deployments require. The answer lies in the creation of hybrid cloud solutions to host different parts of their data centers or multi-cloud storage models, which are similar to hybrid data storage, but utilize multiple cloud service models to perform different tasks. Most organizations choose a form of hybrid data storage when scaling up or implementing a more advanced storage solution. They may choose to store more bandwidth intensive data, such as images, on an on-site server so they can be accessed quickly.

Updating systems, processes and equipment allows providers to shift their focus to deploying advanced security technologies. These include such innovations as micro-segmentation, software-defined perimeter tools, security and analytics platform architecture, and Artificial Intelligence (AI).

Training and education
The bottom line is data protection at all levels takes planning. It requires healthcare data managers to be proactive and educate their employees and coworkers about company policies for the secure storage and use of dormant data in either cloud or hybrid depositories, and, at the same time, enforce those mandates without inhibiting the implementation of new security technologies or stifling employee productivity.

About the Author: Harsha Gummadavelli is a senior architect at a leading cloud data management company, specializing in implementing data protection software for organizations across the globe. He has worked with a number of Fortune 500 companies and has garnered vast experience specifically working with healthcare clients to enhance their data protection programs. He can be reached at [email protected].

Edited by Maurice Nagle
Get stories like this delivered straight to your inbox. [Free eNews Subscription]
By Special Guest
Harsha Gummadavelli, senior architect ,


FREE eNewsletter

Click here to receive your targeted Healthcare Technology Community eNewsletter.
[Subscribe Now]