Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Review of Considerations for Both Cloud and Local Backup 775-329-5139 x 107 The New 48TB RAIDFrame Plus NAS (with.

Similar presentations

Presentation on theme: "A Review of Considerations for Both Cloud and Local Backup 775-329-5139 x 107 The New 48TB RAIDFrame Plus NAS (with."— Presentation transcript:

1 A Review of Considerations for Both Cloud and Local Backup 775-329-5139 x 107 The New 48TB RAIDFrame Plus NAS (with RAID 10) Email me for this slide deck

2 There is no such thing as “HIPAA certified” backup solution – at least from the government’s perspective. Each expert may have a different opinion on whether local or cloud backup does or doesn’t comply. Either way encryption of data both “in motion” and “at rest” is mentioned by HIPAA and should be addressed.

3 HIPAA refers to NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices for guidance. Which refers to… NIST SP 800-57, "Recommendation for Key Management," Section 5.6.2 makes recommendations for key sizes and length…..

4 2007.pdf While no particular level of encryption is mandated the “Safe harbor” approach is to use Advanced Encryption Standard - AES-256

5 HIPAA Backup Checklist Policies are in place prescribing backup and recovery procedures. All staff understand the recovery plan and their duties during recovery. System restore procedures are known to at least one trusted party outside the practice. A copy of the recovery plan is safely stored off-site. Files identified as critical are documented and listed in the backup configuration. Backup schedule is timely and regular.

6 HIPAA Backup Checklist Every backup run is tested for its ability to restore the data accurately. Backup media are physically secured. Backup media stored offsite are encrypted. Backup media are made unreadable before disposal. Multiple backups are retained as a failsafe. Data is retained for extended period of time per HIPAA and State requirements


8 Encrypting Data in motion It goes without saying HIPAA expects data to be encrypted while traveling through a public network. Most HTML browser based Cloud software should use some form of encryption – at least HTTPS or perhaps even a VPN. Backup should use encryption per NIST standards mentioned earlier.

9 Questions for the Data center Where the data is physically stored? How many copies of the data have been made? Is data encrypted everywhere? Tapes, Drives etc. Any chance data will be backed up elsewhere – including outside the country? Is data deleted and securely wiped when requested?

10 Questions for the Data center Do they have audit controls? (HIPAA requires you to be able to prove who accessed files at all times) Are there physical security measures in place? Measures to consider include servers in cages, encrypted hard drives, redundant power supplies, alternate recovery sites, security, fire suppression systems, etc.

11 HIPAA and U.S. Jurisdiction You must ensure that the data never leaves US soil. If the data is physically moved to another country, it will be out of US jurisdiction. When this data is stored abroad, it may be subject to international laws which would force your cloud provider to take actions that would put you out of compliance.

12 HIPAA and the Cloud – CAN you Ever be Compliant? Under the Patriot Act, the government may make a request to access patient information which is stored on the cloud provider’s server. Additionally, a gag order may be issued to prevent the cloud provider from disclosing this breach to the healthcare provider. In this case, the healthcare provider would be unable to notify the patient, as required under HIPAA. Under HIPAA, patients have a right to access any information stored about them, and to correct any inaccuracies. Verifying the integrity of patient data may be a challenge when relying on third-party systems.

13 Summary of HIPAA and the Cloud Ultimately, somebody else holds the keys to the data. Lack of information from the data center can make it very difficult to document your compliance.

14 A few slides about us before I discuss local backup…

15 We’re a “Data at Rest” Kind of Backup Company If I had to describe what our company does in 3 words it would be: Removable Drive Backup. If you google that, we’re in the #1 position (In Sept of 2012 – which is remarkable. Solutions start under $500. We’re an alternative (or supplement) to Cloud Backup.

16 Key Value Propositions We make a variety of NAS and DAS devices Besides Removable drives our other key value propositions include: Automatic Mirroring of removable media (2 backup copies) and large removable media (up to 12TB). From our Website ……….>


18 \ \

19 The Cloud HIPAA Best Practice – “Multiple Backups are Retained as Failsafe”

20 4 Approaches for Encrypting Data at Rest With local hard drive backup its important to protect the data from theft. Same issues exist for laptops and portable devices. 1. Encrypt the “Wad” file created by the backup program (BackupExec, Shadowprotect, etc) 2. Send the data to an encrypted folder (Microsoft EFS, Truecrypt) 3. Use whole disk encryption (Bitlocker, TrueCrypt, WinMagic, PGP 4. Use Self Encrypting Hard Drives.

21 1. Encrypting With Backup Software Screen shot from ShadowProtect. Advantage is no Additional cost. Encryption DOES slow down backup/restore. As far as I know Backup software is slow to adopt Intel’s AES instruction sets Either fast CPU or Support for Intel AES instructions help.

22 Backup Software may not use CPU instruction set, but some do use AES (appropriate for HIPAA) For example 3 levels used by ShadowProtect RC4 128-bit: This encryption option is the fastest, but least secure, of the algorithms. AES 128-bit: This encryption option strikes a balance between speed and security. AES 256-bit: This encryption option is the most secure, but slowest, of the algorithms.

23 2. Encrypting Folders Microsoft EFS is older and focused on files and folders Bitlocker is newer and does the entire drive. Or use TrueCrypt or other 3 rd party folder encryption.

24 3. Whole Disk Encryption Considered more secure because temp files, cache files, etc – everything is encrypted. BitLocker TrueCrypt WinMagic PGP The later two have “enterprise management” that allows you to manage multiple machine encryption keys across the network. Be aware that some encryption applications like TrueCrypt and backup software like Shadowprotect don’t work together (Shadowprotect won’t backup to the volume because the software doesn’t see it as a valid destination)

25 Whole disk encryption Performance Microsoft says “single-digit percentage performance overhead” But on weak processors like the Atom 260 1.6Ghz (netbooks) the hit can easily be 33%. Laptops are important to encrypt performance/

26 CPUs with built in AES assistance Advanced Encryption Standard (AES) Instruction Set is an extension to the x86 instruction set architecture for microprocessors from Intel and AMD proposed by Intel in March 2008. The purpose of the instruction set is to improve the speed of applications performing encryption and decryption using the Advanced Encryption Standard (AES). Intel i5, i7 Sandy Bridge, Ivy Bridge, and most modern server CPUs have this. Many i3’s do not.

27 Some Software with AES instruction support (Where are backup vendors?) 7-Zip 9.1 [16] [17] BitLocker Bloombase Cryptographic Module Citrix XenClient 1.0 and on Cryptographic Development Kit (CDK) 7.0 from Information Security Corp.[18] Cryptography API: Next Generation (CNG) (requires Windows 7)[19] Crypto++ 5.6.1 CyaSSL - an open source SSL/TLS implementation supporting AES DiskCryptor 0.9 DiskSec 1.85 Crypto API (Linux) (used by dm-crypt for full-disk encryption and by other software on Linux) FileVault version 2 (Mac OS X Lion) AES full disk encryption [20] IAIK-JCE version 5.0 Integrated Performance Primitives (IPP) Libgcrypt 1.5.0-beta1 McAfee Endpoint Encryption for PC 6.x FreeBSD's OpenCrypto API (aesni(4) driver)[21] OpenSSL from version 1.0.1[22] Oracle Database 11g Release 2 Patchset 1 ( Transparent Data Encryption[23] PGP Whole Disk Encryption 10.1.0+ (Only on Windows, The Mac OS X version since 10.2.0+)[citation needed] SafeGuard Enterprise 6.0 by Sophos (Utimaco) SecretAgent 6.1.1 and above from Information Security Corp.[24] SecureDoc 5.2 by WinMagic[25] Solaris (starting with Solaris 10 8/10) through the Solaris Cryptographic Framework[26] and all software using that framework. TRESOR TrueCrypt 7.0 Vormetric Encryption 5

28 Self Encrypting Drives (SED) Story Recent ASCII member had 3 Dell Optiplex 790 USFF desktops running Windows 7 that will be working and all of a sudden every program goes to not responding, if you try to open task manager it literally will take 20 minutes to open. 8 other 790’s and 5 780’s had no issue – only the 3 ordered together We replaced the SED drives in all the computers with non-SED drives. No complaints for a month now, seems to have fixed the issue.


30 Summary of Encryption For HIPAA Use Beefy notebooks with AES instructions and Bitlocker Or enterprise encryption like PGP that can be better managed. Or SED drives that can be managed with WinMagic For Backup to removable disk use fast Server CPU to minimize performance hit of backup software that doesn’t leverage AES instructions


32 Data Retention HIPAA does not mandate how long a patient's records must be retained. Each state's laws govern the retention period for medical records. There is a 6 year retention period for HIPAA policies and procedures. (Not medical Records) Medicare requires 5 years and State Laws often require retention of medical records of considerably longer. This might include x-rays, images, voice recordings that take considerable storage.

33 State Data Retention Summary Before you get past Alabama you see that data might be retained for 26 years (So for a newborn – retain data until age of Majority of 19 plus 7 years) Email me or Mike Semel for a copy of this document.

34 So the Question is – How long will your customer want to pay for that in the cloud? Let’s assume $.25/Gig/Month (Anyone charging $1?) Dentist practice with 300GB of data (Is that a lot?) 300GB*$.25*12 Months*7 years = $6300 1TB for 26 years is $78,000 at 25 cents per Gig/Month That’s assuming data size stays constant. As X-rays and photos increase resolution things grow. 1 TB hard drive? A Few hundred bucks. Of course putting it on tapes or hard drives still has the issue – will it be readable in 7 years? Probably have to commit to re-write every few years.

35 Data Destruction HIPAA does require you to destroy PHI (Protected Health Information) The rumors of requiring 35 overwrites are greatly exaggerated. One to three is probably enough. Google for my article entitled Multiple pass wiping of hard drives is unnecessary. Can’t hurt to make sure by doing 2 or 3 though.

36 A Review of Considerations for Both Cloud and Local Backup 775-329-5139 x 107 The New 48TB RAIDFrame Plus NAS (with RAID 10) Email me for this slide deck

37 SSD certainly costs too much for large backup Jury is still out on reliability – Without rotating mechanical parts some people claim that SLC enterprise SSDs are definitely more reliable But certain brands of consumer SSDs using MLC have worse track record than drives Certainly SSD aren’t good for shelf life. Refer to Toms Hardware article Is Your SSD More Reliable Than A Hard Drive?,2923.html

Download ppt "A Review of Considerations for Both Cloud and Local Backup 775-329-5139 x 107 The New 48TB RAIDFrame Plus NAS (with."

Similar presentations

Ads by Google