Thursday, April 5, 2012

Cloud Backup HIPAA Style

With the advent of cloud computing, there has been an explosion of internet-based software and services. One specific area of development is cloud-based storage. The importance of data backup has always been at the forefront of any smart company's technology needs, and the means of meeting that need has moved from tape drives to external drives to DVDs and, now, to online solutions.

It is imperative that companies look to offsite backup for their data. The protection it provides is second to none when you consider the impact a loss of data can have on your company. Dozens of competitors have capitalized on this need: there are big-business and personal solutions, continuous backup and weekly backups, small-file storage and complete drive backup.

While all of these different solutions can be overwhelming, it is important to focus first on security. This is your company's data, and there needs to be proper protection in place. This post may get a bit technical; it is a useful read if you are setting up your own solution, but if time is a concern, Kardon Technology can offer relief.

Recent changes in health care legislation have put in place several compliance issues that are required for the storage and protection of electronic patient health information. If your company deals with private patient data, then your backup must be HIPAA compliant. That is a tall task for some backup solutions and is something businesses need to be aware of when they back up their computers.

Covered entities are required to follow the HIPAA standards and, where data and data security are concerned, the Security Rule standards used to protect an individual's electronic protected health information (ePHI). The Security Rule can be found here. It is a pretty dry read. And, to be honest, the plot drags along and the character development is awful. For a quick summary that provides a good bulleted set of information, check here. Or better yet, contact Kardon Technology. We have already done the research and offer a variety of backup solutions. But...

According to the Security Rule (45 C.F.R. §164.306), covered entities that maintain or transmit protected health information are required to do the following:
  • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  • Protect against reasonably anticipated threats to the security or integrity of the information;
  • Ensure compliance by their workforce.

When deciding on a solution, covered entities are allowed to consider (a) its size, complexity, and capabilities, (b) its technical, hardware, and software infrastructure, (c) the costs of security measures and, (d) the likelihood and possible impact of potential risks to ePHI.

Now, that is a lot of information. It can also be tough to get a handle on just what you need to expect from a solution. Again, at Kardon Technology, we've done the research. It may be easier to just let us know what you need. However, there are a few checks to look for to know if your potential backup solution is HIPAA compliant.

Cloud backup solutions should do all of the following:
  • Allow you to create your own private encryption key, which is never transmitted to the storage servers
  • Encrypt data before it is transmitted
  • Transmit data in a secure, encrypted format
  • Store data in that encrypted format
  • Keep the data in redundant, secure, restricted-access data centers
  • Archive data for fail-safe recovery, data management, and audit purposes
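The first four checks above boil down to one property: the provider only ever receives ciphertext, and the key that unlocks it stays with you. The following Go program is an added illustration of that property; it is not code from this post or from any backup vendor named here. It assumes a simulated storage server (an in-memory map standing in for the provider), a locally generated AES-256-GCM key, and a constructed sample record; the `ServerCanReadPlaintext` check is the kind of test you would run against a real provider's stored blob to confirm the data was encrypted before it left your machine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StorageServer stands in for the backup provider. It never sees a key;
// it only stores and returns opaque blobs.
type StorageServer struct {
	blobs map[string][]byte
}

func NewStorageServer() *StorageServer {
	return &StorageServer{blobs: map[string][]byte{}}
}

func (s *StorageServer) Put(name string, blob []byte) {
	s.blobs[name] = append([]byte(nil), blob...)
}

func (s *StorageServer) Get(name string) ([]byte, bool) {
	b, ok := s.blobs[name]
	return append([]byte(nil), b...), ok
}

// Client holds the private key. Nothing in this type ever passes the key
// to a StorageServer, which is the "private key never transmitted" check.
type Client struct {
	Key  []byte // 32 bytes, so AES-256
	aead cipher.AEAD
}

// NewClient generates a fresh random key on the customer's machine.
func NewClient() (*Client, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return NewClientWithKey(key)
}

// NewClientWithKey rebuilds a client from a saved key, e.g. on a replacement
// machine during disaster recovery.
func NewClientWithKey(key []byte) (*Client, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{Key: key, aead: aead}, nil
}

// Backup encrypts locally and uploads only nonce || ciphertext || tag.
// The backup name is bound as associated data, so a blob cannot be quietly
// served back under a different name.
func (c *Client) Backup(srv *StorageServer, name string, plaintext []byte) error {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sealed := c.aead.Seal(nonce, nonce, plaintext, []byte(name))
	srv.Put(name, sealed)
	return nil
}

// Restore downloads the blob and decrypts it; any tampering or a wrong key
// fails the GCM authentication check and returns an error.
func (c *Client) Restore(srv *StorageServer, name string) ([]byte, error) {
	blob, ok := srv.Get(name)
	if !ok {
		return nil, errors.New("no such backup")
	}
	ns := c.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("stored blob too short")
	}
	return c.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// ServerCanReadPlaintext is the reviewer's check: does the blob the provider
// holds contain the record as uploaded? It must return false.
func ServerCanReadPlaintext(srv *StorageServer, name string, plaintext []byte) bool {
	blob, ok := srv.Get(name)
	return ok && bytes.Contains(blob, plaintext)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("patient=Jane Doe; mrn=000000 (constructed); dx=example")
	srv := NewStorageServer()
	client, err := NewClient()
	if err != nil {
		panic(err)
	}
	if err := client.Backup(srv, "records.csv", record); err != nil {
		panic(err)
	}
	fmt.Println("provider can read plaintext:", ServerCanReadPlaintext(srv, "records.csv", record))
	restored, err := client.Restore(srv, "records.csv")
	fmt.Println("restore ok:", err == nil && bytes.Equal(restored, record))
}
```

The same structure explains the Carbonite caveat later in this post: if the provider generates or holds the key on its side, `NewClient` is effectively running on their servers, and `ServerCanReadPlaintext` would be true for anyone with access to both the key store and the blob store.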

Many backup companies can provide extensive security whitepapers and information that will allow you to research and choose the solution that is right for you.

Carbonite is an industry leader in online backup. The software is easy to install and set up, and they have a consistent track record of competitive pricing and top-notch security. With regard to HIPAA compliance, they use the respected Blowfish cipher and meet the requirements for encrypted data in transit and at rest. Their data centers are guarded with restricted access while providing redundant data storage. However, and most importantly, they do not currently meet all of the compliance requirements in their business solution: Carbonite does not support private encryption key management in their Carbonite Business product.

SOS Online Backup and Intronis both provide backup designed to be HIPAA compliant from the outset. Information about their compliance can be found here for SOS Online Backup and here for Intronis. Now, these are not the only solutions out there, but it is important to keep the list of checks above in mind when deciding. Both of the above solutions publish information discussing how they satisfy those checks.

Additionally, remember that you are not in this process alone. Considering the client list of Kardon Technology and Kardon Group, HIPAA compliance is one of our major concerns, as well. With that in mind, we have spent time developing solutions that work for us and can work for you. Be sure to bring up your concerns and issues or check out our compliance services to help protect your company.
