Email archiving protocols in healthcare

Archiving protocols are the rules and procedures for storing and managing data, such as patient records. Weak archiving protocols open healthcare organizations to unfortunate data breaches and the unwelcome consequences that come with them.

By the numbers:

• 35% of healthcare organizations have experienced security breaches or unauthorized access to data due to weak archiving protocols¹.
• Approximately 45% of healthcare institutions experience data loss or corruption due to insufficient archiving solutions².
• According to Veris, 35% of healthcare organizations have experienced security breaches or unauthorized access to patient data due to weak archiving protocols.

HIPAA and archiving protocols 

While HIPAA does not explicitly mention archiving protocols, Section 164.310(d)(2)(iv) creates the need for "...a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.". HIPAA also sets standards for handling documentation that help guide healthcare organizations in archiving data. These standards ensure patient information is securely stored, easily accessible when needed, and protected from unauthorized access. When read together, these standards provide guidance for the archiving protocols in healthcare organizations of any size. 

These include: 

The Privacy Rule: 

Section 164.530(j)(2) provides that "A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later." 

In other words, covered entities need a reliable system to store and manage these documents securely for the specified period before archiving. 

The Security Rule

The requirements for a contingency plan specific in Section 164.308(a)(7)(i) specifically states, "Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information."

This provision creates a need for backup systems and data recovery plans. With archiving protocols, ePHI is preserved during events like fires and theft and can be restored quickly.

A Technical Safeguard that ties into the elements of an effective archiving protocol is Section 164.312(c)(1), which states, "Implement policies and procedures to protect electronic protected health information from improper alteration or destruction."

By making sure that data is not corrupted in its archival storage, information is reliable and can be trusted for future use, audits, and compliance purposes.

See also: What are administrative, physical, and technical safeguards?

The real-world consequences of weak archiving protocols 

There have been multiple instances of insufficient archiving protocols having devastating real-world consequences on the security of sensitive data. For example, a SOCRadar article exposed the 2023 Pentagon incident where a misconfigured server leaked three terabytes of internal military emails to the open internet. 

The same article mentioned that in September 2022, Microsoft's misconfiguration allowed unauthorized access to business transaction data, including names, email addresses, and phone numbers. These cases brought to attention how poor archiving protocols can lead to avoidable security breaches. 

Statista reported 15 million data breaches globally in the third quarter of 2022, a 37% increase from the previous quarter. The financial implications are also immense, with a WJARR study offering that cybercrimes are projected to cost $10.5 trillion annually worldwide by 2025. 

How to know if your archiving protocols are weak

1. Untracked data storage: If employees are using unauthorized cloud services or personal storage devices for archiving data, this indicates weak protocols. 
2. Sparse or incomplete logs: Examine system logs for archiving activities for sparse, incomplete, or missing events. 
3. Inconsistent retention periods: Check if the data retention periods are consistent and aligned with regulatory requirements. Inconsistent or undefined retention periods can lead to data being deleted prematurely.
4. Obsolete media: Assess the types of media used for data archiving for outdated or insecure media. 
5. Lack of integrity verification: Verify if regular checksums or hash functions are used to ensure data integrity.
6. Single point of failure: If archived data is stored in a single location without redundancy, it's vulnerable to physical damage or localized incidents. Ensure data is redundantly stored across multiple distributed locations.
7. Unusual access patterns: Analyze access logs for archived data for frequent access by unauthorized users or unusual access patterns
8. Unlabeled data: Review how archived data is labeled and classified. 
9. Vendor security gaps: Evaluate the security practices of third-party vendors involved in data archiving. 
10. Over-retention of data: Examine whether the organization practices data minimization, retaining only necessary data. Excessive retention of unnecessary data can expose the organization to greater risks.

The solution 

Paubox, as a HIPAA compliant email solution, offers advanced protection against various threats, such as ransomware, phishing attacks, and spam. The archiving feature simplifies and strengthens archiving protocols by securely preserving copies of all inbound and outbound emails and attachments in the cloud. 

Compliance with regulatory and policy requirements is assured while also retaining easy access for administrators to search and view archived emails. The Paubox Admin Panel allows for the management of these archives, reducing the complexity often associated with traditional archiving methods and taking the hassle out of extensive archiving protocols. 

Here is how Paubox can be integrated into any organization's archiving protocols: 

1. Review current archiving practices: Conduct an assessment of the existing archiving processes, tools, and policies.
2. Backup existing data: Ensure all current email archives are backed up to prevent data loss during the transition.
3. Email platform configuration: Configure the organization's email platform (Google Workspace, Microsoft 365, or Microsoft Exchange) to route emails through Paubox's secure servers.
4. Setup Paubox Admin Panel: Establish the Paubox Admin Panel, where administrators can configure archiving settings and manage access controls.
5. Retention policies: Set up retention policies that align with regulatory requirements and business needs. Determine how long emails and attachments should be stored.
6. Import existing archives: Migrate current email archives to Paubox's secure cloud storage. Validate the integrity of migrated data to ensure all emails are intact.
7. Enable advanced features: Activate features such as ExecProtect to prevent display name spoofing and DomainAge to quarantine emails from suspicious domains.

FAQs

What is protected health information (PHI)?

Protected health information needs to be protected in all mediums: electronic, paper, and oral. PHI isn’t just confined to medical records and test results. In fact, any information that can identify a patient and is used or disclosed during the course of care is considered PHI. Even if the information by itself doesn’t reveal a patient’s medical history, it is still considered PHI.

A related term is ePHI, which stands for electronic protected health information. The terms can be used interchangeably when referring to HIPAA compliant email.

Go deeper:

• What are the 18 PHI identifiers?

Who does HIPAA apply to?

HIPAA applies to covered entities, which includes healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

What is the difference between protected health information and electronic protected health information?

Protected health information (PHI) is any health-related information that can identify an individual, while electronic protected health information (ePHI) is PHI that is created, stored, transmitted, or received electronically.