Presentation on theme: "A Review of Considerations for Both Cloud and Local Backup"— Presentation transcript:
1 A Review of Considerations for Both Cloud and Local Backup HIPAA and BackupA Review of Considerations for Both Cloud and Local Backupx 107me for this slide deckThe New 48TB RAIDFrame Plus NAS (with RAID 10)
2 There is no such thing as “HIPAA certified” backup solution – at least from the government’s perspective.Each expert may have a different opinion on whether local or cloud backup does or doesn’t comply.Either way encryption of data both “in motion” and “at rest” is mentioned by HIPAA and should be addressed.
3 HIPAA refers to NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices for guidance.Which refers to…NIST SP , "Recommendation for Key Management," Section makes recommendations for key sizes and length…..
4 While no particular level of encryption is mandated the “Safe harbor” approach is to use Advanced Encryption Standard - AES-256
5 HIPAA Backup Checklist Policies are in place prescribing backup and recovery procedures.All staff understand the recovery plan and their duties during recovery.System restore procedures are known to at least one trusted party outside the practice.A copy of the recovery plan is safely stored off-site.Files identified as critical are documented and listed in the backup configuration.Backup schedule is timely and regular.
6 HIPAA Backup Checklist Every backup run is tested for its ability to restore the data accurately.Backup media are physically secured.Backup media stored offsite are encrypted.Backup media are made unreadable before disposal.Multiple backups are retained as a failsafe.Data is retained for extended period of time per HIPAA and State requirements
8 Encrypting Data in motion It goes without saying HIPAA expects data to be encrypted while traveling through a public network.Most HTML browser based Cloud software should use some form of encryption – at least HTTPS or perhaps even a VPN.Backup should use encryption per NIST standards mentioned earlier.
9 Questions for the Data center Where the data is physically stored?How many copies of the data have been made?Is data encrypted everywhere? Tapes, Drives etc.Any chance data will be backed up elsewhere – including outside the country?Is data deleted and securely wiped when requested?
10 Questions for the Data center Do they have audit controls? (HIPAA requires you to be able to prove who accessed files at all times)Are there physical security measures in place?Measures to consider include servers in cages, encrypted hard drives, redundant power supplies, alternate recovery sites, security, fire suppression systems, etc.
11 HIPAA and U.S. Jurisdiction You must ensure that the data never leaves US soil.If the data is physically moved to another country, it will be out of US jurisdiction.When this data is stored abroad, it may be subject to international laws which would force your cloud provider to take actions that would put you out of compliance.
12 HIPAA and the Cloud – CAN you Ever be Compliant? Under the Patriot Act, the government may make a request to access patient information which is stored on the cloud provider’s server.Additionally, a gag order may be issued to prevent the cloud provider from disclosing this breach to the healthcare provider. In this case, the healthcare provider would be unable to notify the patient, as required under HIPAA.Under HIPAA, patients have a right to access any information stored about them, and to correct any inaccuracies. Verifying the integrity of patient data may be a challenge when relying on third-party systems.
13 Summary of HIPAA and the Cloud Ultimately, somebody else holds the keys to the data.Lack of information from the data center can make it very difficult to document your compliance .
14 HIPAA and Local BackupA few slides about us before I discuss local backup…
15 We’re a “Data at Rest” Kind of Backup Company We’re an alternative (or supplement) to Cloud Backup.If I had to describe what our company does in 3 words it would be:Removable Drive Backup.If you google that, we’re in the #1 position (In Sept of 2012 – which is remarkable. Solutions start under $500.
16 Key Value Propositions We make a variety of NAS and DAS devicesBesides Removable drives our other key value propositions include: Automatic Mirroring of removable media (2 backup copies) and large removable media (up to 12TB).From our Website ……….>
19 HIPAA Best Practice – “Multiple Backups are Retained as Failsafe” The Cloud
20 4 Approaches for Encrypting Data at Rest With local hard drive backup its important to protect the data from theft.Same issues exist for laptops and portable devices.Encrypt the “Wad” file created by the backup program (BackupExec, Shadowprotect, etc)Send the data to an encrypted folder (Microsoft EFS, Truecrypt)Use whole disk encryption (Bitlocker, TrueCrypt, WinMagic, PGPUse Self Encrypting Hard Drives.
21 1. Encrypting With Backup Software Screen shot from ShadowProtect. Advantage is no Additional cost.Encryption DOES slow down backup/restore. As far as I know Backup software is slow to adopt Intel’s AES instruction setsEither fast CPU or Support for Intel AES instructions help.
22 Backup Software may not use CPU instruction set, but some do use AES (appropriate for HIPAA) For example 3 levels used by ShadowProtectRC4 128-bit: This encryption option is the fastest, but least secure, of the algorithms.AES 128-bit: This encryption option strikes a balance between speed and security.AES 256-bit: This encryption option is the most secure, but slowest, of the algorithms.
23 2. Encrypting FoldersMicrosoft EFS is older and focused on files and foldersBitlocker is newer and does the entire drive.Or use TrueCrypt or other 3rd party folder encryption.
24 3. Whole Disk EncryptionConsidered more secure because temp files, cache files, etc – everything is encrypted.BitLockerTrueCryptWinMagicPGPThe later two have “enterprise management” that allows you to manage multiple machine encryption keys across the network.Be aware that some encryption applications like TrueCrypt and backup software like Shadowprotect don’t work together (Shadowprotect won’t backup to the volume because the software doesn’t see it as a valid destination)
25 Whole disk encryption Performance Microsoft says “single-digit percentage performance overhead”But on weak processors like the Atom Ghz (netbooks) the hit can easily be 33%. Laptops are important to encrypt
26 CPUs with built in AES assistance Advanced Encryption Standard (AES) Instruction Set is an extension to the x86 instruction set architecture for microprocessors from Intel and AMD proposed by Intel in March 2008.The purpose of the instruction set is to improve the speed of applications performing encryption and decryption using the Advanced Encryption Standard (AES).Intel i5, i7 Sandy Bridge, Ivy Bridge, and most modern server CPUs have this. Many i3’s do not.
27 Some Software with AES instruction support (Where are backup vendors?) 7-Zip 9.1  BitLockerBloombase Cryptographic ModuleCitrix XenClient 1.0 and onCryptographic Development Kit (CDK) 7.0 from Information Security Corp.Cryptography API: Next Generation (CNG) (requires Windows 7)CryptoCyaSSL - an open source SSL/TLS implementation supporting AESDiskCryptor 0.9DiskSec 1.85Crypto API (Linux) (used by dm-crypt for full-disk encryption and by other software on Linux)FileVault version 2 (Mac OS X Lion) AES full disk encryption IAIK-JCE version 5.0Integrated Performance Primitives (IPP)Libgcrypt beta1McAfee Endpoint Encryption for PC 6.xFreeBSD's OpenCrypto API (aesni(4) driver)OpenSSL from version 1.0.1Oracle Database 11g Release 2 Patchset 1 ( ) Transparent Data EncryptionPGP Whole Disk Encryption (Only on Windows, The Mac OS X version since )SafeGuard Enterprise 6.0 by Sophos (Utimaco)SecretAgent and above from Information Security Corp.SecureDoc 5.2 by WinMagicSolaris (starting with Solaris 10 8/10) through the Solaris Cryptographic Framework and all software using that framework.TRESORTrueCrypt 7.0Vormetric Encryption 5
28 Self Encrypting Drives (SED) Story Recent ASCII member had 3 Dell Optiplex 790 USFF desktops running Windows 7 that will be working and all of a sudden every program goes to not responding, if you try to open task manager it literally will take 20 minutes to open. 8 other 790’s and 5 780’s had no issue – only the 3 ordered togetherWe replaced the SED drives in all the computers with non-SED drives. No complaints for a month now, seems to have fixed the issue.
30 Summary of EncryptionFor HIPAA Use Beefy notebooks with AES instructions and BitlockerOr enterprise encryption like PGP that can be better managed.Or SED drives that can be managed with WinMagicFor Backup to removable disk use fast Server CPU to minimize performance hit of backup software that doesn’t leverage AES instructions
32 Data RetentionHIPAA does not mandate how long a patient's records must be retained.Each state's laws govern the retention period for medical records.There is a 6 year retention period for HIPAA policies and procedures. (Not medical Records)Medicare requires 5 years and State Laws often require retention of medical records of considerably longer.This might include x-rays, images, voice recordings that take considerable storage.
33 State Data Retention Summary Before you get past Alabama you see that data might be retained for 26 years (So for a newborn – retain data until age of Majority of 19 plus 7 years)me or Mike Semel for a copy of this document.
34 So the Question is – How long will your customer want to pay for that in the cloud? Let’s assume $.25/Gig/Month (Anyone charging $1?)Dentist practice with 300GB of data (Is that a lot?)300GB*$.25*12 Months*7 years = $63001TB for 26 years is $78,000 at 25 cents per Gig/MonthThat’s assuming data size stays constant. As X-rays and photos increase resolution things grow.1 TB hard drive? A Few hundred bucks.Of course putting it on tapes or hard drives still has the issue – will it be readable in 7 years?Probably have to commit to re-write every few years.
35 Data DestructionHIPAA does require you to destroy PHI (Protected Health Information)The rumors of requiring 35 overwrites are greatly exaggerated.One to three is probably enough. Google for my article entitled Multiple pass wiping of hard drives is unnecessary.Can’t hurt to make sure by doing 2 or 3 though.
36 A Review of Considerations for Both Cloud and Local Backup HIPAA and BackupA Review of Considerations for Both Cloud and Local Backupx 107me for this slide deckThe New 48TB RAIDFrame Plus NAS (with RAID 10)
37 Are SSD’s more reliable than Rotating Media? SSD certainly costs too much for large backupJury is still out on reliability – Without rotating mechanical parts some people claim that SLC enterprise SSDs are definitely more reliableBut certain brands of consumer SSDs using MLC have worse track record than drivesCertainly SSD aren’t good for shelf life.Refer to Toms Hardware article Is Your SSD More Reliable Than A Hard Drive?