With new regulations in play, more and more companies are considering offsite backup solutions for HIPAA data. In some cases it is the law; in others, our health records are simply something most of us want to keep private. This consideration involves the HIPAA legislation, its effects on the health care industry, what those effects mean for data storage, and what medical offices need to consider. By reviewing this information on offsite backup of HIPAA data, you may be better prepared to make choices about your storage solutions.
To understand the issue, you may need some background on the HIPAA legislation. HIPAA, the Health Insurance Portability and Accountability Act, became law in 1996. The purpose of the law was to ensure people would maintain health care coverage if they changed jobs. However, Title II of the law dealt with Administrative Simplification, specifically how to handle electronic health care data. Obviously, the passage of the law had a drastic effect on the health care industry, and, probably more importantly for this discussion, it paved the way for an increase in providers of offsite backup for HIPAA data.
Because of the Administrative Simplification portion of the law, medical facilities today must take great care when dealing with a patient's electronic files. For example, HIPAA required a hierarchical approach to data access: physicians might be able to access patient information that would not be available to a nurse. Protecting the data from unauthorized access became crucial. As a result, the law has affected the way data storage backups are handled in the medical field, and offsite backup services for HIPAA data have had to adjust their service offerings accordingly.
Today, data storage for these facilities must be carefully controlled. HIPAA requires that all of the data be backed up and that the data be secured with 100% reliability. The government wants to make sure no one gets into your personal medical records. That means, however, that offsite backup storage facilities for HIPAA data must take special precautions to ensure the service they provide meets these requirements.
If you're looking for offsite backup for HIPAA data, you should look for a few factors. Make sure to find out whether the storage service specializes in this type of data storage; many do. You should also ask about the backup process, security, and storage to make sure you are comfortable with how the data will be handled.
Overall, the HIPAA law has changed the way medical facilities deal with patients' electronic medical information. Remember to research any storage service carefully before trusting it with your data, especially data this sensitive. Armed with this knowledge, you can hopefully make a wise storage decision with confidence.
In the IT business, one frequently sees businesses and government entities fielding contracts to provide wireless capabilities for their facilities and personnel. As a security professional, the first question is always: "Why?" Experience has shown that businesses and government agencies tend to undervalue the sensitivity of their data, even their mundane, everyday data. They also tend to underestimate the vulnerabilities introduced by wireless connection points, even secured ones, and the resulting risk to expensive systems and business operations.
Recently, there has been a virtual explosion in the use of Cloud Computing to decrease security costs and increase accessibility to data. Once again, businesses and government entities are jumping on the bandwagon, placing volume upon volume of proprietary and potentially sensitive data into the great wide open of "The Cloud." In this process, data owners are yielding broad powers of control over their data to external service providers with whom an appropriate trust relationship may not have been fully established, or even understood. Once again, the basic question is, "Why?"
The Attraction of Cloud Computing
Cloud Computing utilizes internet web services from external vendors to provide companies an attractively priced and scalable means to outsource infrastructure, software, and even technical expertise. The vendor provides these services en masse, leveraging the efficiencies inherent in economies of scale to provide IT capabilities that would be more expensive, or even prohibitive, to build and maintain independently.
A company or government agency of virtually any size can invariably find some aspect of their operation, or even a total solution, that would realize reduced financial costs in moving internal systems and capabilities into the Cloud. In fact, ventures with limited or non-existent internal information security resources to begin with may greatly improve their security posture simply by making the move.
It all sounds so new, wonderful, and exciting, and to a certain extent it is. But even in an economy dominated by the bottom line, it is easy to overlook a simple truth: the real value of a piece of data to its owner cannot be fully captured by a dollar sign alone. In fact, that data may be priceless.
The Element of Trust
Oftentimes, the true value of a piece of data is not realized until it is compromised. We work with volumes of data every day, and it is easy to take it for granted. It is also easy to take commercial services for granted. So, let the buyer beware: when considering outsourcing resources into the Cloud, it is imperative to understand the value of the data and capabilities being entrusted to the vendor, as well as the nature of the trust relationship, with both the vendor and their third-party business partners! After all, you may be giving them the keys to the kingdom. As a starting point, some simple questions to consider are:
Where will the data be located, both physically and logically? Different states within the U.S., and certainly different countries, have widely varying laws regarding second-party responsibility, and liability, for the handling of data.
Ironically, the U.S. has come under scrutiny from other countries due to the post-9/11 ease with which the federal government can gain access to foreign data. Logically speaking, is the data stored on single or multiple servers? Does it share space with data from other sources? Is it housed at one site or multiple, geographically separate sites?
Who will have access to the data, and how are they vetted and monitored? How do you control and gain access to your own Cloud data? How are vendor employees, contractors, and third parties restricted and monitored with regard to access to your data? What security policies are in place?
How will the data be secured on the server, and how is it backed up and/or replicated? Is the data encrypted on the server and/or in transit? How will encryption (or lack thereof) affect performance? How often is the data replicated, and to where? How long are backups maintained? What is the procedure and timeframe for gaining access to backups?
Is the vendor, and the storage site(s), controlling the data in compliance with applicable laws, regulations, governance, and best practices? Have they been cited or had unacceptable incidents in the past? What are the Terms of Service, contractually? What is the fine print, and what information is missing entirely regarding vendor responsibility and liability for data stewardship, loss, and compromise?
The answers to these questions, along with others particular to an individual situation, will define the level of trust required in a relationship with a potential vendor.
Evaluating Risk in Establishing Cost vs. Benefit
Once potential vendors' offerings are understood, there are a few industry-standard security topics to consider in establishing the level of risk involved in outsourcing data and capabilities. Once the risk is quantified, the cost of moving to the cloud can be considered not only in terms of monthly savings, but also in terms of expected fiscal expense over time due to loss or compromise of data or capabilities. These macro-security topics are:
Confidentiality: What is the potential for disclosure of data with each vendor, and what degree of damage would be experienced to revenue, ongoing or future business efforts, company image, operations, or security if data were disclosed inappropriately?
Integrity: What is the potential for data corruption or loss with each vendor, and the degree of damage (per above) if data were corrupted or lost?
Availability: What is the speed of data access and degree of system reliability for each vendor? What is their system availability rate, and how will change management procedures, system upgrades, and potential disasters affect accessibility to data or capabilities?
Accountability: What is the detection and forensic capability for each vendor if data is lost or stolen? Can unauthorized access, inappropriate disclosure, or loss be tracked so that potential damage can be prevented or mitigated?
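One way to turn the four questions above into the "expected fiscal expense over time" mentioned earlier, as an added example that is not from the original article: a small Python model that converts each vendor's confidentiality, integrity, availability and accountability answers into an expected annual loss, compares it with the risk of keeping the data in-house, and sets the difference against the advertised savings. The vendors, probabilities and dollar figures are constructed for illustration; in practice each is an estimate the buyer has to supply from the vendor's answers and its own loss history.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


@dataclass
class VendorProfile:
    """One vendor's answers to the four macro-security questions, as numbers.

    Every figure is an estimate the buyer must supply; the sample profiles
    further down are constructed for illustration only (hypothetical vendors)."""
    name: str
    annual_savings: float    # advertised yearly savings versus running it yourself
    p_disclosure: float      # estimated yearly probability of inappropriate disclosure
    p_corruption: float      # estimated yearly probability of corruption or loss
    availability: float      # fraction of the year the service is reachable (0.99 = "two nines")
    detection_rate: float    # share of incidents the vendor can detect and trace (accountability)


@dataclass
class DataProfile:
    """What the data is worth to its owner, which is not what it costs to store."""
    disclosure_impact: float        # damage if disclosed: revenue, image, lost business
    corruption_impact: float        # damage if corrupted or lost: rework, downtime, fines
    downtime_cost_per_hour: float   # what an hour without the data or capability costs
    mitigation_if_detected: float   # fraction of damage avoided when an incident is traced in time


def expected_annual_loss(vendor: VendorProfile, data: DataProfile) -> dict:
    """Expected yearly cost of loss or compromise, itemised by macro-security topic.

    Accountability does not add a loss of its own: a vendor that can detect and
    trace incidents lets the owner contain part of the damage, so it scales the
    confidentiality and integrity terms down."""
    residual = 1.0 - vendor.detection_rate * data.mitigation_if_detected
    confidentiality = vendor.p_disclosure * data.disclosure_impact * residual
    integrity = vendor.p_corruption * data.corruption_impact * residual
    # Availability: expected outage hours times the cost of each hour.
    availability = (1.0 - vendor.availability) * HOURS_PER_YEAR * data.downtime_cost_per_hour
    return {
        "confidentiality": confidentiality,
        "integrity": integrity,
        "availability": availability,
        "total": confidentiality + integrity + availability,
    }


def net_annual_value(vendor: VendorProfile, data: DataProfile, baseline: VendorProfile) -> float:
    """Savings minus the change in expected loss relative to the in-house baseline.

    Keeping the data in-house is not risk-free either, so a vendor is judged on
    how much risk it adds or removes, not on its risk in isolation."""
    added_risk = (expected_annual_loss(vendor, data)["total"]
                  - expected_annual_loss(baseline, data)["total"])
    return vendor.annual_savings - added_risk


def rank_vendors(vendors, data, baseline):
    """Vendors ordered from best to worst net annual value."""
    return sorted(vendors, key=lambda v: net_annual_value(v, data, baseline), reverse=True)


# --- constructed sample input (hypothetical vendors and figures) ---
SAMPLE_DATA = DataProfile(disclosure_impact=2_000_000, corruption_impact=500_000,
                          downtime_cost_per_hour=1_000, mitigation_if_detected=0.5)
IN_HOUSE = VendorProfile("in-house", annual_savings=0, p_disclosure=0.03, p_corruption=0.02,
                         availability=0.995, detection_rate=0.6)
SAMPLE_VENDORS = [
    VendorProfile("CheapCloud", annual_savings=120_000, p_disclosure=0.10, p_corruption=0.05,
                  availability=0.99, detection_rate=0.2),
    VendorProfile("SecureCloud", annual_savings=60_000, p_disclosure=0.02, p_corruption=0.01,
                  availability=0.999, detection_rate=0.8),
]

if __name__ == "__main__":
    for v in rank_vendors(SAMPLE_VENDORS, SAMPLE_DATA, IN_HOUSE):
        loss = expected_annual_loss(v, SAMPLE_DATA)
        print(f"{v.name:12s} expected loss {loss['total']:>10,.0f}  "
              f"net value {net_annual_value(v, SAMPLE_DATA, IN_HOUSE):>10,.0f}")
```

With the constructed figures, the cheaper vendor's larger advertised savings are more than wiped out by the risk it adds over the in-house baseline, while the dearer vendor ends up ahead because it removes risk. The point of the model is not the numbers but that every input is one of the questions the article lists, so a vendor that cannot answer them cannot be scored.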
Choosing a Solution
In making a decision whether to utilize Cloud Computing, and to what degree, the primary focus should be the criticality of the data and capabilities in question. Considering all cost and risk factors, internal secured data systems may offer higher value for critical data than entrusting an outside party with its control.
While service providers and various consortiums are beginning to address some of the security concerns inherent in Cloud Computing, uniform legal and industry standards are still many years off. Furthermore, security comes with a price: Higher degrees of security and performance than what is currently the norm will necessarily reduce the margin of savings and the overall value to business.
When the decision is made to utilize Cloud Computing resources, consider the following as "must-haves" in choosing a vendor:
1. Demand openness from the vendor on security-relevant details of their employees, systems, and operations.
2. Ensure control is not lost for access to sensitive information: Protect proprietary and intellectual property, privacy information of employees and customers, as well as financial data.
3. Ensure applicable laws and governance mandates are not violated by your use of a vendor, nor by the vendor's practices in handling your data (for example: FISMA, HIPAA, Sarbanes-Oxley...).
4. Ensure that the criticality of the data, and your liability for it, is not such that its loss or release could severely damage or destroy your organization or others.
Virtual and "Cloud" computing are popular concepts in the search to better manage data storage and improve computing efficiency. But there is real and potential risk associated with these new concepts.
As a result, care and planning are required to avoid the negative impact of a security breach.
What is the Cloud?
Cloud computing is a broadly used term and there are many definitions floating around as to what it is.
The cloud is generally meant to represent the internet: the connectivity of and access to information via the world wide web. In terms of cloud computing for business, it refers to multiple external customers being able to access scalable IT infrastructure as a service using internet technology and paying based on usage.
In short, cloud computing means a business can access not only the required IT infrastructure but also support via the internet. The days of having to buy and maintain network infrastructure on premises are becoming a thing of the past.
This changes the relationship between vendors and users of IT services, allowing businesses to focus on the strategic advantages of technology without having to worry about implementation, updates, and maintenance.
What is happening in IT today is conceptually similar to utility services like electricity. Service has become centralized and cost is based on usage.
In the same way your business can access electricity from a central power plant, you can now access IT from centralized data centers where connectivity and security are maintained 24x7.
Moving From Capital Cost to Operational Expense
From the SMB budget perspective, cloud computing represents a major change. Your organization can, for all intents and purposes, rent IT infrastructure rather than buy it. You simply access and pay for the capacity you require, with little capital investment.
There are several advantages to consider here. First, this frees smaller businesses from the cycle of having to purchase new technology in short intervals in order to maintain up-to-date equipment. The process of tech refresh can become frustrating and expensive, and return on investment (ROI) can hardly be realized before gear needs to be replaced. When accessing a data center, this is not a concern; hardware and software are updated and maintained through a process separate from each individual consumer (again, like a utility).
In many cases, staffing costs are also changed. Cloud computing becomes a component of IT Managed Services where infrastructure, user support, and proactive maintenance are all provided with remote technology from a data center. As a result, IT staff becomes just another part of the combined operational expense.
In the end, cloud computing is another aspect of how the Internet is changing the way people interface with and use technology--the "cloud" can be seen as a metaphor for the world wide web. It is ubiquitous technology, and the biggest gains will be made by those that best apply IT changes to strategic business goals and leverage new cost structures.
Rather than purchase IT hardware and license software, businesses can access infrastructure via the internet and pay based on specific needs.
Cloud computing is a broadly defined concept that is slowly changing the way organizations operate and the way IT thinks about itself. A recent insightful piece by The Associated Press discusses the concept in great detail.
The writer says Genentech, a biotechnology company with 16,300 employees, is the largest company that so far has opted for Google's cloud for desktop applications. It still will use Microsoft software for some functions and the piece notes that the company's CEO is on Google's board.
The article provides a good description of the concept and major players such as Salesforce.com and NetSuite. Those who stand to lose the most - Microsoft, SAP, Oracle - also are discussed. The bottom line clearly is that cloud computing is here to stay, but that legacy approaches are far from dead.
Another look at cloud computing positions 2008 as a year of transition. It condenses the important announcements that were made. Microsoft, which obviously sees that cloud computing is a big threat to its desktop productivity software empire, launched Windows Azure. The program enables developers to write for a Microsoft cloud. Announcements also were made by AT&T, VMware and IBM. Collectively, these announcements make it clear that the cloud is moving into the corporate area.
Big concepts - and cloud computing is a very big concept - generally are introduced in a generic and generalized manner. As time goes by, the overall idea is refined and subdivided into a number of different approaches and categories. A recent commentary, which refers to the executive summary of a Forrester report on which it is partially based, suggests that there are two types of clouds. One seeks to replace device-based applications and the other to concentrate a great amount of computing power.
In the first case, a company might replace its individual versions of a word processing program with one stored in the cloud. In the latter case, a pharmaceutical firm might amass huge lots of number-crunching CPUs to research a drug. The obvious point is that these are very different uses and, thus, different skills will be needed from vendors, consultants and others to make each work.
Here is more good detail on the cloud ecosystem [http://www.xchangemag.com/articles/clearing-the-air-on-cloud-computing.html#]. The first part of the story reiterates the point that the emerging platform is extremely broadly defined. It also has not come out of the blue: there are many elements that have been kicking around for a while. The piece discusses Azure, XO Communications' Concentric, AT&T, Verizon and Cisco. The feature is followed by a sidebar that discusses the challenges in cloud implementation. These include laws in some places that mandate that user information doesn't leave the country; the difficulty of integrating multiple services and multiple clouds; how to guarantee accessibility; and the need for standards.
A video from rPath is perfect for IT to send to an executive who is curious about cloud computing. It is short - about 4 1/2 minutes - and sums up the antecedents and possible future of cloud computing. It also is entertaining. The piece says that several elements coalesced to give cloud computing life, including inexpensive broadband, virtualization, software-as-a-service and utility computing.
There is general agreement on the state of cloud computing: It is a big deal and still in its formative stages. It appears that 2009 will be a pivotal year as vendors and service providers refine their plans.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, mandates that all covered entities fulfill certain requirements for data backup, storage, and recovery; the Sarbanes-Oxley Act (SOX) holds many publicly held companies and all Registered Public Accounting Firms to a rigorous set of standards. These rules set guidelines for how data should be stored, accessed, and retrieved.
In response to an explosion of major corporate benefits and accounting scandals in recent years, Congress passed two laws regulating the storage and reporting of internal data.
The first impact was felt in corporate America by the passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The Administrative Simplification (AS) provisions of HIPAA mandated national standards for electronic health care transactions and identifiers for providers, health insurance plans, and employers.
Under HIPAA, an IT audit most often is performed in conjunction with a financial statement audit or an internal audit. Evidence is collected and evaluated concerning an organization's information systems, practices, and operations to determine whether those systems record and maintain accurate, reliable data.
An IT audit doesn't focus on internal controls in the way a financial audit does. Rather, it seeks to determine risks relevant to information assets, and to assess whatever controls are in place to eliminate or reduce those risks. The focus of an IT audit is on evaluating a system's availability, confidentiality and integrity.
The Sarbanes-Oxley Act of 2002 created (among other oversight regulations) the Public Company Accounting Oversight Board (PCAOB), which addresses the role IT plays in a company's internal controls. The PCAOB's "Auditing Standard 2" states: "The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting," and its provisions are targeted toward seeing that those controls and reporting are legitimate and accurate.
Under this law, auditors audit key and general controls, with "key" controls being those essential to ensuring that the numbers shown on the company's balance sheet are authentic. (For instance, there might be a trigger on a database table to ensure that adding any entry into the accounts receivable table automatically creates an entry into the general ledger.) The person held accountable for seeing that these regulations are met is the company's Chief Information Officer (CIO).
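The trigger in the parenthetical above, worked through as an added example that is not from the original article: a SQLite schema driven from Python's sqlite3 module in which inserting a receivable automatically posts a balanced pair of general-ledger lines, together with the two queries an auditor would run to test that the control actually holds. Table and column names are assumed for illustration, and amounts are kept in integer cents so the balance check needs no floating-point tolerance.

```python
import sqlite3

# Schema and control, constructed for illustration; table and column names are assumed.
SCHEMA = """
CREATE TABLE accounts_receivable (
    ar_id        INTEGER PRIMARY KEY,
    customer     TEXT    NOT NULL,
    amount_cents INTEGER NOT NULL CHECK (amount_cents > 0),
    posted_at    TEXT    NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE TABLE general_ledger (
    gl_id        INTEGER PRIMARY KEY,
    account      TEXT    NOT NULL,
    debit_cents  INTEGER NOT NULL DEFAULT 0,
    credit_cents INTEGER NOT NULL DEFAULT 0,
    source       TEXT    NOT NULL,   -- 'AR:<ar_id>' ties each line back to the receivable
    posted_at    TEXT    NOT NULL DEFAULT CURRENT_TIMESTAMP
);
-- Key control: every new receivable automatically posts a balanced pair of ledger lines,
-- so nothing can be booked to a customer without also appearing in the general ledger.
CREATE TRIGGER ar_posts_to_gl AFTER INSERT ON accounts_receivable
BEGIN
    INSERT INTO general_ledger (account, debit_cents, credit_cents, source)
        VALUES ('Accounts Receivable', NEW.amount_cents, 0, 'AR:' || NEW.ar_id);
    INSERT INTO general_ledger (account, debit_cents, credit_cents, source)
        VALUES ('Revenue', 0, NEW.amount_cents, 'AR:' || NEW.ar_id);
END;
"""


def open_ledger() -> sqlite3.Connection:
    """Fresh in-memory database with both tables and the trigger installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_receivable(conn, customer: str, amount_cents: int) -> int:
    """Book a receivable; the trigger takes care of the ledger. Returns the new ar_id."""
    cur = conn.execute(
        "INSERT INTO accounts_receivable (customer, amount_cents) VALUES (?, ?)",
        (customer, amount_cents),
    )
    conn.commit()
    return cur.lastrowid


def ledger_entries_for(conn, ar_id: int) -> list:
    """The ledger lines the trigger created for one receivable."""
    return conn.execute(
        "SELECT account, debit_cents, credit_cents FROM general_ledger "
        "WHERE source = ? ORDER BY gl_id",
        (f"AR:{ar_id}",),
    ).fetchall()


def unposted_receivables(conn) -> list:
    """Auditor's test of the key control: receivables with no ledger line at all."""
    rows = conn.execute(
        "SELECT ar.ar_id FROM accounts_receivable ar "
        "WHERE NOT EXISTS (SELECT 1 FROM general_ledger gl WHERE gl.source = 'AR:' || ar.ar_id) "
        "ORDER BY ar.ar_id"
    ).fetchall()
    return [r[0] for r in rows]


def ledger_is_balanced(conn) -> bool:
    """Double-entry check: total debits must equal total credits."""
    debit, credit = conn.execute(
        "SELECT COALESCE(SUM(debit_cents), 0), COALESCE(SUM(credit_cents), 0) FROM general_ledger"
    ).fetchone()
    return debit == credit


def audit_report(conn) -> dict:
    """The two checks an auditor runs together; each catches what the other misses."""
    return {"unposted": unposted_receivables(conn), "balanced": ledger_is_balanced(conn)}


if __name__ == "__main__":
    db = open_ledger()
    record_receivable(db, "Acme Corp", 125_000)   # constructed sample posting
    print(ledger_entries_for(db, 1))
    print(audit_report(db))
```

The trigger is the control; the two queries are the evidence an IT audit collects about it. They are deliberately complementary: if one ledger line of a pair disappears, the balance check fails but the receivable still looks posted, and if both lines disappear the ledger balances again but the receivable shows up as unposted. An auditor who runs only one of them can be shown a clean result on a tampered ledger.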
Given the breadth and complexity of current federal law governing the storage and maintenance of IT data, prudent business owners will take whatever steps are necessary to ensure their IT systems and controls meet or exceed regulations. Taking the time today to ascertain that your online offsite backup system complies with federal regulations will save you countless intrusive and costly auditing headaches down the road.