In astronomy, the exact nature of dark matter is not well understood; it may consist largely of varieties of particles that have not yet been discovered. Astronomers estimate that dark matter makes up approximately 23 percent of the total mass and energy of the universe. In health information storage, digital dark matter refers to the parts of your electronic protected health information (ePHI) that are most susceptible to impermissible access or disclosure: the portions of your ePHI that are poorly managed or least controlled.
What percentage of your digital dark matter is protected? Do you have digital dark matter that has not yet been discovered? Do you have missing digital dark matter?
When performing a HIPAA Walkthrough and a Security Risk Analysis (SRA), one of the risk areas you should assess is long-term storage of protected health information (PHI). PHI that is poorly managed is as dangerous as dark matter in space: you are susceptible to that information being sucked into a black hole (hacked, stolen, etc.). Poorly managed or lost PHI may result in breaches, fines and more. You should determine how your medical records are being stored, for how long, and what safeguards are in place. If you have moved away from paper, what about ePHI? Are your records stored locally, or in the cloud? Who holds the encryption keys and the backups? Are there any dark matter black holes in your health information storage?
Copiers, Fax Machines and Other Connected Office Equipment
It’s common for health care organizations to lease copiers, fax machines and other connected office equipment that have hard drives which store, or can store, images of every document they process. Just over a year ago, Affinity Health Plan was required to settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. Affinity disclosed the PHI of up to 344,579 individuals “when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.”
The storage of data on copiers, fax machines and other connected office equipment is a potential dark matter black hole in health information storage that must be included in your risk analysis. Your policies and procedures must cover the removal or destruction of that data before leased equipment (or its hard drive) is returned to the leasing agent: sanitize the drive (for example, following the clear/purge/destroy guidance in NIST SP 800-88), or have the lessor do so, and keep a written record or certificate of destruction for each device.
Jump Drives and Removable Disk Drives
Another potential dark matter black hole is unencrypted portable storage: jump drives, removable hard drives and mobile devices. Just this year, multiple entities reported losing or misplacing unencrypted jump drives, while others reported the theft of these and similar devices. For example, the Alaska Department of Health and Social Services (DHSS) agreed to pay $1.7 million to settle “potential violations” after a portable electronic storage device “possibly containing ePHI” was stolen from a vehicle. According to the OCR investigation, DHSS did not have adequate policies and procedures in place to safeguard ePHI. In addition, DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.
If PHI must be kept on a jump drive or other portable storage device, we recommend encrypting the whole device, with the key or passphrase kept separate from it, so that a lost or stolen device holds only unreadable data. You should implement policies and procedures for the use of these devices that clearly state what information may be stored on them, how it must be stored, and how the devices are inventoried and wiped when no longer needed.
Assess all Potential Dark Matter Black Holes
It is important to look at every corner of every department at each location that stores, acquires, creates, or processes PHI. Whether hard copy or electronic, it’s important to know where all PHI is at all times. If PHI was written on notes or in meeting minutes, those notes should be securely stored or destroyed. If a device is to be taken out of service, ensure its hard drive has been destroyed or securely stored, and record who did so and when. We recommend encryption for long-term storage of hard drives. Think about all health information storage:
- Do you know what information is stored?
- Where is the information stored?
- Is there paper PHI that may be forgotten?
- Are there devices that may have PHI on them?
Copiers, fax machines, connected office equipment, jump drives and removable hard drives are common digital dark matter black holes; however, they are not the only areas to evaluate during your HIPAA Walkthrough or while performing an SRA. Health information storage that is forgotten, not accounted for, or lost is a potential black hole that could lead to a breach. During a HIPAA Walkthrough and an SRA it is a good idea to evaluate these and any other potential dark matter black holes.
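The checklist above (what is stored, where, and on which devices) is usually answered by actually looking: a discovery scan of file shares, old backups and removable media for identifiers that mark a file as PHI. The following is an added example, not code from the original post or from any HIPAA tool; it scans a small constructed set of "files" for SSN, MRN and date-of-birth patterns and summarizes where the hits live. The sample files, the pattern set and the function names are all assumptions for illustration.

```python
import os
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample "file system" (path -> text). Not real data.
# Three of the four files carry a PHI indicator; the budget file does not.
SAMPLE_FILES: Dict[str, str] = {
    "shared/finance/2013_budget.txt":
        "Q3 copier lease renewal: 3 units, $2,400/month.",
    "shared/meetings/2014-02-11_minutes.txt":
        "Discussed follow-up for patient John Doe, DOB 03/14/1961, MRN 00482913.",
    "usb/backup_old/export.csv":
        "last,first,ssn\nDoe,Jane,123-45-6789\n",
    "copier/scans/scan_0091.txt":
        "Referral for MRN 11223344, please fax to billing.",
}

# Simple indicator patterns. These are assumptions for the example; a real
# scan would use the identifier formats of your own systems (MRN layout,
# insurance IDs, etc.) and will still miss narrative PHI with no identifier.
PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[\s:#]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[\s:]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}


def scan_text(text: str) -> Dict[str, int]:
    """Return {indicator: match_count} for the indicators present in text."""
    counts = {name: len(pat.findall(text)) for name, pat in PATTERNS.items()}
    return {name: n for name, n in counts.items() if n > 0}


def scan_files(files: Dict[str, str]) -> List[Tuple[str, Dict[str, int]]]:
    """Scan a path->content mapping; return only the files with hits, sorted by path."""
    hits = []
    for path in sorted(files):
        found = scan_text(files[path])
        if found:
            hits.append((path, found))
    return hits


def locations_by_root(hits: List[Tuple[str, Dict[str, int]]]) -> Dict[str, int]:
    """Answer 'where is it stored?': number of flagged files under each top-level location."""
    summary: Dict[str, int] = {}
    for path, _ in hits:
        root = path.split("/", 1)[0]
        summary[root] = summary.get(root, 0) + 1
    return summary


def iter_text_files(root: str) -> Iterator[Tuple[str, str]]:
    """Walk a real directory (e.g. a mounted USB drive or share) and yield (path, text).
    Undecodable bytes are ignored so binary files do not abort the scan."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    yield path, fh.read()
            except OSError:
                continue  # unreadable file: skip, but a real scan should log it


def main() -> None:
    hits = scan_files(SAMPLE_FILES)
    for path, found in hits:
        print(f"{path}: {found}")
    print("flagged files per location:", locations_by_root(hits))


if __name__ == "__main__":
    main()
```

To run this against a real removable drive or file share, replace `SAMPLE_FILES` with `dict(iter_text_files("/mnt/usb"))`; the report then tells you which locations hold PHI-bearing files and so need to be inventoried, encrypted or wiped. Treat a clean result as "no indicators found", not as proof that no PHI exists.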