You want to scan your hard copy documents to digital, but you’ve got this nagging feeling that something’s not quite right … that your records aren’t safe once they leave your hands.

If this sounds like you, you’re not alone. But that doesn’t mean record scanning services aren’t safe – it’s just that you need some information to understand how your materials will be handled and the procedures your scanning partner has in place to protect your data.

In this article we’ll briefly compare do-it-yourself scanning with outsourcing (hiring a company as a scanning partner), give you some security considerations that relate to digitization, and cover a handful of security certifications and compliance standards that can help guide your decision.

Record Scanning – DIY vs. Outsource

Record scanning comes in two flavors—do-it-yourself (DIY) or outsourcing. In the DIY model, you invest in scanners, either purchasing them or using ones already in your possession. You employ your own staff for the hands-on tasks, such as physically handling and scanning the records, processing them, and possibly storing and maintaining the digital images on your local servers and networks.

Outsourcing, on the other hand, involves subcontracting your scanning requirements to a scanning company. When most people envision record scanning services, this is what comes to mind. It involves researching companies and finding one that aligns with your needs, working with them to create your scope of work, and entrusting them to transform your hard-copy records to digital.


Whichever method you choose, security is an essential consideration. Both DIY and outsourcing come with their own security concerns, including data protection, physical security of records, chain of custody of documents, and access controls, among others.

As such, it’s crucial to weigh the security implications of handling the records internally versus outsourcing. This decision will determine the direction of your project. In this article, we’ll focus on the outsourcing option and delve into some specifics of that path.

What’s Considered “Safe”?

Safety and security are subjective concepts that are primarily defined by you. Yes, you can base them on “industry best practices” and expert recommendations, but interpreting exactly what these terms mean can be challenging.

The best starting point for ensuring the safety of your scanned records is to comply with industry standards and audits. However, your security measures don’t have to end there. Never underestimate your gut feeling. If you’re uncomfortable with something, it’s hard to overcome that feeling, irrespective of the certifications and assurances you receive. Gut feelings do hold significant weight.


It’s important to remember that there will always be some level of risk, such as during the transportation phase, during the scanning process at the partner’s facility, or even post-digitization when the records are stored electronically on a network or hosting platform.

However, the key here is risk mitigation – you decide if the juice is worth the squeeze to move the project forward. It’s impossible to eliminate all risk, but the goal is to find a scanning partner who has mitigated the risks to a degree that you’re comfortable with.

Security Considerations For Record Scanning

Although it’s ultimately up to you to decide what ‘secure’ means for your scanning application, the following considerations can be helpful in choosing a scanning partner.

Physical Security

Do non-employees require an escort when visiting the facility? Are there areas with unescorted access? Does an escort stay with them at all times in secure parts of the building?

Is the facility monitored by cameras? Which areas are under surveillance, and is this monitoring conducted 24/7? Are there blind spots in the camera coverage?

How do employees get into the building? Are multi-factor authentication methods used? If an employee loses a key card or other access device, can someone else get in with just that item?

How are records stored within the facility? Are all records treated the same, or are different security levels applied to maintain separation? Are there distinct storage areas for materials of varying security levels?

How is the workspace organized? Is it a single open area, or are there compartmentalized sections where access is restricted to authorized employees only?


Digital Security

Is sensitive data delivered in an encrypted format upon project completion?

How do employees access projects? Is access unrestricted, or are permissions granted on a project-specific basis?

Does a third party regularly conduct penetration testing on your scanning partner’s operations?

How are digital files stored once they’re digitized and before they’re delivered? Are these storage methods encrypted?

If you’re using a hosted application provided by your scanning partner, how is access granted and managed? How are permissions established, and how are files segmented for user-approved access only? Is your data backed up and colocated for disaster recovery?

Security Certifications & Compliance

While they are not the ultimate indicators of security, certifications and compliance measures can provide valuable insight into how seriously a company takes its security responsibilities. Here are some things to look for:

Objective third-party verification is essential. Having an impartial party confirm the company’s security practices adds more credibility than simply taking the company’s word for it.

SOC 2 Type II is among the more rigorous audits a company can undertake, demonstrating a serious commitment to their security posture. For a digital conversion partner, look for a SOC 2 audit that emphasizes security, availability, and confidentiality.

CJIS compliance pertains to criminal justice information. If you’re a law enforcement agency dealing with criminal files, it’s vital to partner with a company that’s capable of CJIS-compliant digitization.

NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) is a set of recommended security and privacy controls for federal information systems and organizations to help meet the Federal Information Security Management Act (FISMA) requirements.

HIPAA regulations don’t have a “test” that proves you either are or are not compliant. However, there are guidelines for being HIPAA compliant, and one of the ways a company can comply with HIPAA regulations is to self-audit. Although self-auditing sounds kind of like grading your own test, by incorporating some of the other methodologies for compliance and certification – such as a third-party audit – you can verify that your scanning partner is doing what they say they’re doing.

Third-party audits are crucial, since you’re getting an objective opinion about a company’s capabilities. Still, an internal security audit demonstrates a company’s commitment to exceeding the minimum requirements. Even in the presence of third-party audits, an internal audit indicates ongoing improvements and a proactive approach to protecting both their own and their clients’ data.


In the end, the decision on who to work with rests with you. The aim is to mitigate as much risk as possible while getting your project completed and getting your records digitized.

Next Steps

Reach out to us today! Click the “Get Your Quote” button below, fill out the form, and we’ll quickly reply to you to discuss your project.

Further Reading

Digitization & The Chain Of Custody
The chain of custody of your records is a critical component during a digital conversion project. Learn what to ask about and how to evaluate a company’s chain of custody methods.

Material Security Classification Levels & Digital Scanning
Different projects require different security methods. Learn about our Material Security Classification Levels and how we properly handle your records and run your project.

Subcontractors & Digitization Projects
Subcontractors are partners who execute critical digitization tasks, at scale, to help successfully complete projects. Learn about how they’re involved in digital conversion projects and what you can expect.