Digitizing records is crucial for efficient information management, but it’s essential to prioritize the security and confidentiality of your data during this process. By addressing digital and physical security measures, and carefully selecting your scanning partner, you can ensure a seamless and secure transition from physical to digital records.
What Physical Security Measures Are Necessary During Digitization?
Protecting the physical records during a digital conversion project is the first step. Before getting to the actual scanning and turning your analog documents into an electronic format, the physical records have to be received, handled, and then sent to the scanning process. So while those records are out of your possession and with a scanning partner, you want to know what kind of physical security measures are in place to protect them.
Here are some physical security measures you can consider when choosing your partner, and then ask them how they accomplish each one:
First is camera monitoring. This means the facility is constantly monitored by cameras, so it is known who is going in and out of the building, which areas are accessed, and so on. Cameras only help if the footage is kept and looked at, so it is worth asking how long recordings are retained and who reviews them.
Employee entry protocols are important because they limit who can access the building and certain parts of the facility where records are stored. In many cases, employees have a personalized PIN code and an ID card, both of which are required to gain access to the facility. If you don’t have both, you won’t be able to get in.
Segmented work areas based on record sensitivity can be essential to a project. So, not only is there specific access to get into the building, but within the building, various parts are compartmentalized so only certain people can go in them. For example, visitors cannot go into the production area without an escort. In the lobby area, they’re allowed to be unescorted, but to get to the production area, you need your badge to gain access. In other circumstances, there are particular rooms in a facility that may be cordoned off even to employees because of the project that’s being handled in that room.
Visitor escorts are also important. As we mentioned above, certain areas are segmented off from others, but if there are visitors in the building (non-employees), they are escorted at all times if they go into a sensitive area. They are not allowed to wander in the production area without an employee from the scanning partner company with them. This is important to ensure that they are not handling records or going to areas they are not supposed to, and an employee can keep an eye on them while they are in that area with project materials.
How Does Digital Security Play A Role In The Digitization Process?
Digital security is essential to scanning and digitization projects because once those records are in electronic format, they need to be protected in a different way than physical records. Here are several ways that BMI protects records in the digital realm:
Permission-based access to projects means that our people are assigned to projects based on the scope of work and what is needed for that particular project. If a project doesn't require all employees of the company, we will not assign all employees to it. Only those needed for specific skill sets and parts of the project are assigned. This ensures that even once the records are digitized, the fewest possible number of people are accessing them.
Encrypted storage is important for digital security. After we've scanned your materials, they sit in our digital vault on drives encrypted with AES-256. Encrypted storage is crucial because, even after scanning is done, if a drive is lost, stolen, or removed from the system, encryption keeps the data and images unreadable, which an unencrypted drive would not. Keep in mind that encryption at rest protects the stored copy; it does not by itself stop someone who already has valid access to the running system, which is why it is paired with the permission-based access described above.
We also provide encrypted delivery when the product is complete, depending on the project. Most of our products contain sensitive records, so encrypted delivery is a common aspect of our project deliveries. This can be an electronic transfer of files and images or something like an encrypted hard drive. Note that plain FTP (File Transfer Protocol) sends files in the clear, so an encrypted electronic delivery means either a protected channel such as SFTP or FTPS or files that are themselves encrypted before they are uploaded. Either way, if there's sensitive data in the digital files we are delivering for your project, we encrypt it so it is protected in transit before it gets to you.
Penetration testing is when an outside firm attempts to "hack" into our systems. This is an essential part of digital security: by using a company to act as the bad guy, they try to reach our systems, test our defenses, and get into our networks and data. By doing this, we learn either (a) that we are protecting the data properly or (b) that there are gaps or places we can improve, and we learn it from people who are not actually trying to damage the company or our clients. They are trying to help us find areas where we can shore up and make it even better.
Common Security Risks During Record Digitization
In digitization projects, security risks exist for both physical and digital data.
Starting with the physical risks, a common one is improper storage or handling of materials. If, say, you have sensitive records that are only supposed to be accessed by certain people, are they being put in the proper storage area? Not just at the facility, but within the facility, so that only assigned people can get to them. This matters especially when there are visitors in the building who could walk past material they are not supposed to see. So physically storing records properly is essential.
A common digital security risk arises during the indexing of the electronic files. Indexing is basically naming the files once they've been scanned: you have the digital images and files, such as a PDF, but each one needs to be named. During that naming process, if a subcontractor is used, is your partner fragmenting the data properly so that pieces of sensitive data which together identify somebody are not sent to the same place? For example, if the image is a student record, is it broken up so that the subcontractors cannot see parts of the data they are not supposed to see, and never hold two pieces of information, such as a name and a Social Security number, that they could tie back to the person? These measures are essential for sensitive data projects and for protecting the client's data.
Hosted data is, of course, a concern for many people. A common security risk can actually be on the client side, which is sharing passwords. That is a big no-no and something we constantly recommend against. To combat it, you should have a designated username and password for each person, which also gives you an audit trail of who did what. And even if someone does gain access to a hosted data set they are not supposed to, having permission-based access within that data set can be essential. That means only certain people can get into certain parts of your hosted records. It segments the data so that nobody sees everything, only what they need to see. So even if someone loses their password or has it stolen, the damage is limited.
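The fragmentation described above for subcontracted indexing, as an added example written for this page (it is not BMI's own tooling): each page's index fields are split into separate work packets, each packet type carries at most one direct identifier, and the packets are tied together only by an opaque HMAC token that the subcontractor cannot reverse without the in-house key. The sample records and the `name`/`ssn` field groups are constructed for the example; the key would come from the scanning partner's own secret storage.

```python
"""
Fragment index records for subcontracted indexing so that no work packet
carries two direct identifiers (e.g. name + SSN) for the same person.

Added example for this page; not BMI's code. The records below are
constructed sample data, not real student records.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: one index record per scanned page.
SAMPLE_RECORDS = [
    {"page_id": "p-0001", "name": "Jane Doe", "ssn": "123-45-6789",
     "dob": "2001-04-12", "course": "Biology 101"},
    {"page_id": "p-0002", "name": "John Roe", "ssn": "987-65-4321",
     "dob": "2000-11-30", "course": "Chemistry 201"},
]

# Fields that on their own, or in pairs, identify a person.
DIRECT_IDENTIFIERS = {"name", "ssn"}

# Which fields each subcontractor packet type may contain (assumed layout).
# A packet type may hold at most one direct identifier.
PACKET_GROUPS = {
    "names": ["name"],
    "ids": ["ssn"],
    "other": ["dob", "course"],
}


def make_token(page_id: str, key: bytes) -> str:
    """Opaque join token: HMAC-SHA256 of the page id under an in-house key.
    Subcontractors see the token but cannot map it back to a page id."""
    return hmac.new(key, page_id.encode(), hashlib.sha256).hexdigest()[:16]


def fragment(records, groups, key: bytes):
    """Split each record into one row per packet type, keyed by the token."""
    packets = {group: [] for group in groups}
    for rec in records:
        tok = make_token(rec["page_id"], key)
        for group, fields in groups.items():
            packets[group].append({"token": tok, **{f: rec[f] for f in fields}})
    return packets


def packets_are_safe(packets, direct_identifiers) -> bool:
    """Check that no row in any packet carries more than one direct identifier."""
    for rows in packets.values():
        for row in rows:
            if len(direct_identifiers & set(row)) > 1:
                return False
    return True


def reassemble(packets, records, key: bytes):
    """In-house step: recompute tokens from the original page ids and merge
    the indexed fields back into complete records."""
    tok_to_page = {make_token(r["page_id"], key): r["page_id"] for r in records}
    merged = {}
    for rows in packets.values():
        for row in rows:
            page = tok_to_page[row["token"]]
            merged.setdefault(page, {"page_id": page}).update(
                {k: v for k, v in row.items() if k != "token"})
    return merged


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice, loaded from a secrets store
    packets = fragment(SAMPLE_RECORDS, PACKET_GROUPS, key)
    if not packets_are_safe(packets, DIRECT_IDENTIFIERS):
        raise SystemExit("packet layout leaks linked identifiers")
    for group, rows in packets.items():
        print(group, rows)
    print(reassemble(packets, SAMPLE_RECORDS, key))
```

The `packets_are_safe` check is the part worth keeping in a real pipeline: it makes a bad packet layout (one that puts `name` and `ssn` in the same batch) fail before anything leaves the building, rather than relying on someone noticing it afterwards.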
Monitoring And Auditing: Keeping An Eye On Security
Talking about digital security, physical security, and protecting records is great, but how do you know that it’s actually taking place with a company you might be working with? The way to verify this is through audits.
In our case, we have two types of audits: internal audits and external audits.
First, for internal audits, this is an annual, BMI-executed security audit in which our own employees and team members are reviewing our processes, methods, policies, and so on to ensure that our organization is run properly, data is protected, client materials are digitized, stored, and transferred properly, and overall, our security is as robust as we believe it should be.
We have a security audit team that includes a security officer, a compliance officer, a facilities manager, human resources personnel, and IT staff. All of us join in and accomplish various tasks and verify them among each other to make sure that the tasks are being executed within the company properly.
Categories of what’s audited include privacy, system operations, vendor security, physical and logical access controls, among others. Basically, we’re taking aspects of data security, breaking them down into distinct pieces, and having individuals review those processes and policies. Then we get verification from another team member that the audit check was carried out properly.
This internal audit is essential because we can say that we are checking our own work. We’re checking how we run our operations, and we can provide the information to clients or prospective clients if they ask about our security procedures.
As much as we value our own internal security audit, that may not be enough for some people, and we don't think it should be. That is why it is important to have an unbiased third party also check our work. So we complete a SOC 2 Type II audit, which covers the security, availability, and privacy of our operations and how we protect data. Unlike a Type I report, which looks at controls at a single point in time, a Type II report examines whether the controls actually operated over a period of months. The audit is conducted by an independent auditor who asks us to verify what we are doing: they ask for our policies, inquire about how we run our operations, and require proof that when we say we do something, we can show that we actually did it and keep doing it.
We not only conduct our own internal audit but also have another organization come and check our work to ensure that we are doing things properly. The best part about this is that we always learn something new about how to improve our operations and security.
Certifications And Qualifications: Vetting Your Scanning Partner
It's hard to find the right partner and understand who will be best for your project, especially when it comes to security and how they operate. A quick way to tell whether the company you're planning to work with follows sound security procedures is to ask for their certifications and qualifications.
One item to look for is HIPAA compliance if you're in the healthcare industry or have records that include healthcare information. Keep in mind that there is no official HIPAA certification, so ask what controls stand behind the claim and whether the partner will sign a Business Associate Agreement for your project.
If you're in the law enforcement world, you may be interested in a CJIS-compliant vendor (Criminal Justice Information Services), meaning one that follows the FBI CJIS Security Policy when handling criminal justice information.
As mentioned above, you may be looking for companies that have completed a SOC 2 Type II audit. This shows they have been examined by an independent third party and that their controls operated effectively over the review period. Ask to see the report itself rather than just the claim, and read any exceptions the auditor noted.
These are just a few examples of what you can look for, but it comes down to the specifics of what you need for your project.
In Conclusion
By prioritizing digital security, maintaining stringent physical security measures, and carefully vetting your scanning partner, you can ensure the confidentiality and integrity of your records throughout the digitization process. Remember, the initial efforts you put into safeguarding your data not only protect sensitive information but also contribute to a seamless and positive experience as you transition to digital. Taking these steps now sets the stage for a future where your information remains secure and accessible.
Next Steps
Reach out to us today! Click the “Get Your Quote” button below, fill out the form, and we’ll quickly reply to you to discuss your project.
Further Reading
Material Security Classification Levels & Digital Scanning
Different projects require different security methods. Learn about our Material Security Classification Levels and how we properly handle your records and run your project.
Striking The Balance Between Efficiency & Security In Digitization Projects
Explore the advantages of efficiency and security in digitization projects, how they intersect, and strategies to balance them when you decide to digitize.
Understanding A SOC 2 Type II Audit For A Scanning Company
SOC 2 audits, which stand for System and Organization Controls, are not just procedural formalities; they are comprehensive evaluations that ensure organizations operate with the highest standards of security, integrity, and confidentiality.