Many organizations still use tapes to back up data. Those that do need to ensure that the tapes are encrypted. Without encryption, a lost or stolen backup tape could result in a very large data breach.
Best network practices call for performing a backup on all systems at least daily. If tapes are used for the backups, the tapes should be transferred out of the building and stored in a safe location. Some organizations take tapes offsite daily or weekly.
Let’s take a look at an example to drive home the point that backup tapes should be encrypted.
Say you have been using an EMR for 3 years. You have over 1,000 patient records in your EMR. Your IT company / department performs a nightly tape backup of all your systems, including the EMR. The weekly backup tape is taken offsite by the practice administrator every Friday. The backup tape contains all the records that are in your EMR. If that backup tape is lost or stolen, you are looking at a breach of 1,000 patient records. This could have a significant financial impact on your organization.
If the backup tape was encrypted and the encryption password is not written on the tape (or written on a sticky note on the tape), then if the tape is lost or stolen it would not be considered a data breach.
Backup tapes are very valuable in the event data has been deleted, modified or lost and needs to be restored. But backup tapes can also be a huge liability if they are lost or stolen. By using encryption, you can lower the associated risk.
Ask your IT company or department if your backup tapes are encrypted. If they say no, but that the format is difficult to read, let them know that if the tape is lost or stolen it is still a data breach regardless of how difficult it is to read. Then insist that they implement encryption on all tape backups.