Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Review of Considerations for Both Cloud and Local Backup

Similar presentations

Presentation on theme: "A Review of Considerations for Both Cloud and Local Backup"— Presentation transcript:

1 A Review of Considerations for Both Cloud and Local Backup
HIPAA and Backup A Review of Considerations for Both Cloud and Local Backup x 107 me for this slide deck The New 48TB RAIDFrame Plus NAS (with RAID 10)

2 There is no such thing as “HIPAA certified” backup solution – at least from the government’s perspective. Each expert may have a different opinion on whether local or cloud backup does or doesn’t comply. Either way encryption of data both “in motion” and “at rest” is mentioned by HIPAA and should be addressed.

3 HIPAA refers to NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices  for guidance. Which refers to… NIST SP , "Recommendation for Key Management," Section makes recommendations for key sizes and length…..

4 While no particular level of encryption is mandated the “Safe harbor” approach is to use Advanced Encryption Standard - AES-256

5 HIPAA Backup Checklist
Policies are in place prescribing backup and recovery procedures. All staff understand the recovery plan and their duties during recovery. System restore procedures are known to at least one trusted party outside the practice. A copy of the recovery plan is safely stored off-site. Files identified as critical are documented and listed in the backup configuration. Backup schedule is timely and regular.

6 HIPAA Backup Checklist
Every backup run is tested for its ability to restore the data accurately. Backup media are physically secured. Backup media stored offsite are encrypted. Backup media are made unreadable before disposal. Multiple backups are retained as a failsafe. Data is retained for extended period of time per HIPAA and State requirements

7 HIPAA and The Cloud

8 Encrypting Data in motion
It goes without saying HIPAA expects data to be encrypted while traveling through a public network. Most HTML browser based Cloud software should use some form of encryption – at least HTTPS or perhaps even a VPN. Backup should use encryption per NIST standards mentioned earlier.

9 Questions for the Data center
Where the data is physically stored? How many copies of the data have been made? Is data encrypted everywhere? Tapes, Drives etc. Any chance data will be backed up elsewhere – including outside the country? Is data deleted and securely wiped when requested?

10 Questions for the Data center
Do they have audit controls? (HIPAA requires you to be able to prove who accessed files at all times) Are there physical security measures in place? Measures to consider include servers in cages, encrypted hard drives, redundant power supplies, alternate recovery sites, security, fire suppression systems, etc.

11 HIPAA and U.S. Jurisdiction
You must ensure that the data never leaves US soil. If the data is physically moved to another country, it will be out of US jurisdiction. When this data is stored abroad, it may be subject to international laws which would force your cloud provider to take actions that would put you out of compliance.

12 HIPAA and the Cloud – CAN you Ever be Compliant?
Under the Patriot Act, the government may make a request to access patient information which is stored on the cloud provider’s server. Additionally, a gag order may be issued to prevent the cloud provider from disclosing this breach to the healthcare provider. In this case, the healthcare provider would be unable to notify the patient, as required under HIPAA. Under HIPAA, patients have a right to access any information stored about them, and to correct any inaccuracies. Verifying the integrity of patient data may be a challenge when relying on third-party systems.

13 Summary of HIPAA and the Cloud
Ultimately, somebody else holds the keys to the data. Lack of information from the data center can make it very difficult to document your compliance .

14 HIPAA and Local Backup A few slides about us before I discuss local backup…

15 We’re a “Data at Rest” Kind of Backup Company
We’re an alternative (or supplement) to Cloud Backup. If I had to describe what our company does in 3 words it would be: Removable Drive Backup. If you google that, we’re in the #1 position (In Sept of 2012 – which is remarkable. Solutions start under $500.

16 Key Value Propositions
We make a variety of NAS and DAS devices Besides Removable drives our other key value propositions include: Automatic Mirroring of removable media (2 backup copies) and large removable media (up to 12TB). From our Website ……….>


18 \ \

19 HIPAA Best Practice – “Multiple Backups are Retained as Failsafe”
The Cloud

20 4 Approaches for Encrypting Data at Rest
With local hard drive backup its important to protect the data from theft. Same issues exist for laptops and portable devices. Encrypt the “Wad” file created by the backup program (BackupExec, Shadowprotect, etc) Send the data to an encrypted folder (Microsoft EFS, Truecrypt) Use whole disk encryption (Bitlocker, TrueCrypt, WinMagic, PGP Use Self Encrypting Hard Drives.

21 1. Encrypting With Backup Software
Screen shot from ShadowProtect. Advantage is no Additional cost. Encryption DOES slow down backup/restore. As far as I know Backup software is slow to adopt Intel’s AES instruction sets Either fast CPU or Support for Intel AES instructions help.

22 Backup Software may not use CPU instruction set, but some do use AES (appropriate for HIPAA)
For example 3 levels used by ShadowProtect RC4 128-bit: This encryption option is the fastest, but least secure, of the algorithms. AES 128-bit: This encryption option strikes a balance between speed and security. AES 256-bit: This encryption option is the most secure, but slowest, of the algorithms.

23 2. Encrypting Folders Microsoft EFS is older and focused on files and folders Bitlocker is newer and does the entire drive. Or use TrueCrypt or other 3rd party folder encryption.

24 3. Whole Disk Encryption Considered more secure because temp files, cache files, etc – everything is encrypted. BitLocker TrueCrypt WinMagic PGP The later two have “enterprise management” that allows you to manage multiple machine encryption keys across the network. Be aware that some encryption applications like TrueCrypt and backup software like Shadowprotect don’t work together (Shadowprotect won’t backup to the volume because the software doesn’t see it as a valid destination)

25 Whole disk encryption Performance
Microsoft says “single-digit percentage performance overhead” But on weak processors like the Atom Ghz (netbooks) the hit can easily be 33%. Laptops are important to encrypt

26 CPUs with built in AES assistance
Advanced Encryption Standard (AES) Instruction Set is an extension to the x86 instruction set architecture for microprocessors from Intel and AMD proposed by Intel in March 2008. The purpose of the instruction set is to improve the speed of applications performing encryption and decryption using the Advanced Encryption Standard (AES). Intel i5, i7 Sandy Bridge, Ivy Bridge, and most modern server CPUs have this. Many i3’s do not.

27 Some Software with AES instruction support (Where are backup vendors?)
7-Zip 9.1 [16] [17] BitLocker Bloombase Cryptographic Module Citrix XenClient 1.0 and on Cryptographic Development Kit (CDK) 7.0 from Information Security Corp.[18] Cryptography API: Next Generation (CNG) (requires Windows 7)[19] Crypto CyaSSL - an open source SSL/TLS implementation supporting AES DiskCryptor 0.9 DiskSec 1.85 Crypto API (Linux) (used by dm-crypt for full-disk encryption and by other software on Linux) FileVault version 2 (Mac OS X Lion) AES full disk encryption [20] IAIK-JCE version 5.0 Integrated Performance Primitives (IPP) Libgcrypt beta1 McAfee Endpoint Encryption for PC 6.x FreeBSD's OpenCrypto API (aesni(4) driver)[21] OpenSSL from version 1.0.1[22] Oracle Database 11g Release 2 Patchset 1 ( ) Transparent Data Encryption[23] PGP Whole Disk Encryption (Only on Windows, The Mac OS X version since )[citation needed] SafeGuard Enterprise 6.0 by Sophos (Utimaco) SecretAgent and above from Information Security Corp.[24] SecureDoc 5.2 by WinMagic[25] Solaris (starting with Solaris 10 8/10) through the Solaris Cryptographic Framework[26] and all software using that framework. TRESOR TrueCrypt 7.0 Vormetric Encryption 5

28 Self Encrypting Drives (SED) Story
Recent ASCII member had 3 Dell Optiplex 790 USFF desktops running Windows 7 that will be working and all of a sudden every program goes to not responding, if you try to open task manager it literally will take 20 minutes to open. 8 other 790’s and 5 780’s had no issue – only the 3 ordered together We replaced the SED drives in all the computers with non-SED drives. No complaints for a month now, seems to have fixed the issue.


30 Summary of Encryption For HIPAA Use Beefy notebooks with AES instructions and Bitlocker Or enterprise encryption like PGP that can be better managed. Or SED drives that can be managed with WinMagic For Backup to removable disk use fast Server CPU to minimize performance hit of backup software that doesn’t leverage AES instructions

31 Data Retention and Destruction

32 Data Retention HIPAA does not mandate how long a patient's records must be retained. Each state's laws govern the retention period for medical records. There is a 6 year retention period for HIPAA policies and procedures. (Not medical Records) Medicare requires 5 years and State Laws often require retention of medical records of considerably longer. This might include x-rays, images, voice recordings that take considerable storage.

33 State Data Retention Summary
Before you get past Alabama you see that data might be retained for 26 years (So for a newborn – retain data until age of Majority of 19 plus 7 years) me or Mike Semel for a copy of this document.

34 So the Question is – How long will your customer want to pay for that in the cloud?
Let’s assume $.25/Gig/Month (Anyone charging $1?) Dentist practice with 300GB of data (Is that a lot?) 300GB*$.25*12 Months*7 years = $6300 1TB for 26 years is $78,000 at 25 cents per Gig/Month That’s assuming data size stays constant. As X-rays and photos increase resolution things grow. 1 TB hard drive? A Few hundred bucks. Of course putting it on tapes or hard drives still has the issue – will it be readable in 7 years? Probably have to commit to re-write every few years.

35 Data Destruction HIPAA does require you to destroy PHI (Protected Health Information) The rumors of requiring 35 overwrites are greatly exaggerated. One to three is probably enough. Google for my article entitled Multiple pass wiping of hard drives is unnecessary. Can’t hurt to make sure by doing 2 or 3 though.

36 A Review of Considerations for Both Cloud and Local Backup
HIPAA and Backup A Review of Considerations for Both Cloud and Local Backup x 107 me for this slide deck The New 48TB RAIDFrame Plus NAS (with RAID 10)

37 Are SSD’s more reliable than Rotating Media?
SSD certainly costs too much for large backup Jury is still out on reliability – Without rotating mechanical parts some people claim that SLC enterprise SSDs are definitely more reliable But certain brands of consumer SSDs using MLC have worse track record than drives Certainly SSD aren’t good for shelf life. Refer to Toms Hardware article Is Your SSD More Reliable Than A Hard Drive?

Download ppt "A Review of Considerations for Both Cloud and Local Backup"

Similar presentations

Ads by Google