How we carry $10,000 cash versus patient data backup tapes worth much, much more

I just read another data theft article. The Seattle Times reported “Patients’ information stolen in 3 thefts.” This time backup tapes (which I warned about in an earlier post) were left in a personal vehicle which was broken into. I can’t tell you how many times I’ve walked around in a hospital or provider parking lot and seen medical record folders sitting in physicians’ cars. That’s bad, but thieves (if they broke in) could only get a few records at a time. Breaking in and grabbing backup tapes, though, nets thousands of records with very little effort. The Providence example (from the Seattle Times story) is neither new nor unique — backup tapes are carried in personal vehicles by IT people thousands of times a week all over the country.

In case you’re not already aware, I thought it might be illustrative to show how businesses send $10,000 in cash versus how some hospitals send backup tapes holding potentially hundreds of thousands or millions of dollars’ worth of patients’ medical and financial data. Here’s the difference:

Cash versus medical information

Cash is carried in an armored truck.

Medical data and customer financial backup tapes are carried in the same vehicles as flowers and candies!

Is it just me or is something not right here?

I’ve worked for many years in DoD research centers dealing with classified information and it worries me that many businesses and hospitals don’t treat their customer, patient, and financial data just like we used to treat classified information: as extremely valuable, with the appropriate check-in/check-out/hand-off procedures. Law enforcement treats evidence using a “chain of custody” model where everything is tracked as information and evidence moves from one person to another.

Is there any reason why we in healthcare can’t use tried and true methods like intelligence and law enforcement agencies use to protect backup tapes? Only if we don’t care.

At some point our patients will wake up and start asking us about our policies. I’d suggest we get our act together before then 🙂


2 thoughts on “How we carry $10,000 cash versus patient data backup tapes worth much, much more”

  1. Ouch. What a great comment. I’m still working on a remote backup site that I can connect to remotely and transfer my data. I don’t think I want anyone to have the responsibility of the tape. Encrypt it and send it across the line. That’s a better security risk in my mind than carrying the backup.

    I loved the image comparison. You should just have the guard shown with a gun in hand.

  2. Thanks, I thought it might be clearer to people when they see the difference visually 🙂 The gun idea is good.

    By the way, I wrote a new article last night on some details for “key practices” in tape backup policies. If you’ve got any more information when you set up your policies please drop me a note in the new article, too.
