HIPAA and Backup: A Review of Considerations for Both Cloud and Local Backup
[email protected] www.high-rely.com 775-329-5139 x 107
The New 48TB RAIDFrame Plus NAS (with RAID 10)
Email me for this slide deck

Posted 22-Jan-2016

TRANSCRIPT

Page 1: A Review of Considerations for Both Cloud and Local Backup darren@high-rely.com  775-329-5139 x 107 The New 48TB RAIDFrame Plus NAS (with

HIPAA and Backup: A Review of Considerations for Both Cloud and Local Backup

[email protected] 775-329-5139 x 107

The New 48TB RAIDFrame Plus NAS (with RAID 10)

Email me for this slide deck

Page 2:

There is no such thing as a “HIPAA certified” backup solution, at least from the government’s perspective.

Each expert may have a different opinion on whether local or cloud backup does or doesn’t comply.

Either way, encryption of data both “in motion” and “at rest” is mentioned by HIPAA and should be addressed.

Page 3:

HIPAA refers to NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, for guidance.

Which in turn refers to NIST SP 800-57, "Recommendation for Key Management"; Section 5.6.2 makes recommendations for key sizes and lengths.

Page 4:

http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf

While no particular level of encryption is mandated, the “safe harbor” approach is to use the Advanced Encryption Standard with 256-bit keys (AES-256).

Page 5:

HIPAA Backup Checklist

• Policies are in place prescribing backup and recovery procedures.

• All staff understand the recovery plan and their duties during recovery.

• System restore procedures are known to at least one trusted party outside the practice.

• A copy of the recovery plan is safely stored off-site.

• Files identified as critical are documented and listed in the backup configuration.

• Backup schedule is timely and regular.

Page 6:

HIPAA Backup Checklist (continued)

• Every backup run is tested for its ability to restore the data accurately.

• Backup media are physically secured.

• Backup media stored offsite are encrypted.

• Backup media are made unreadable before disposal.

• Multiple backups are retained as a failsafe.

• Data is retained for an extended period of time per HIPAA and State requirements.
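The checklist item “every backup run is tested for its ability to restore the data accurately” is the one most often skipped, so here is an added example (not from the slide deck or from any backup vendor) of the minimum mechanical test: record each file’s size and SHA-256 in a manifest at backup time, then re-hash the restored tree and report anything missing, truncated, corrupted or unexpected. The directory names, sample files and manifest layout are constructed for the demonstration.

```python
# Added example (not from the slide deck): a manifest-based restore test.
# At backup time we record each file's size and SHA-256; after a restore we
# re-hash the restored tree and report any file that is missing, truncated,
# corrupted or unexpected. Names and the sample files are constructed.
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so large backup sets never load into memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root) to its size and SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> list:
    """Return a list of problems; an empty list means the restore matches."""
    problems = []
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif p.stat().st_size != expected["size"]:
            problems.append(f"size mismatch: {rel}")  # cheap check before hashing
        elif sha256_file(p) != expected["sha256"]:
            problems.append(f"hash mismatch: {rel}")
    for p in restored_root.rglob("*"):  # files the backup never contained
        if p.is_file():
            rel = p.relative_to(restored_root).as_posix()
            if rel not in manifest:
                problems.append(f"unexpected file: {rel}")
    return problems


def demo() -> tuple:
    """Constructed scenario: one clean restore and one silently truncated restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, good, bad = (Path(tmp) / n for n in ("source", "restore_ok", "restore_bad"))
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient_0001.txt").write_bytes(b"constructed sample record\n")
        (src / "index.db").write_bytes(os.urandom(4096))
        manifest_path = Path(tmp) / "manifest.json"  # stored beside the backup set
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))
        shutil.copytree(src, good)
        shutil.copytree(src, bad)
        (bad / "index.db").write_bytes(b"")  # truncated during the "restore"
        manifest = json.loads(manifest_path.read_text())
        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    ok, broken = demo()
    print("clean restore problems:", ok)
    print("truncated restore problems:", broken)
```

The manifest should travel with the backup set (and with the off-site copy), and the check should be run against an actual restore onto scratch storage rather than against the backup media itself, otherwise it only proves the media is readable, not that the restore procedure works.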

Page 7:

HIPAA and The Cloud

Page 8:

Encrypting Data in motion

It goes without saying that HIPAA expects data to be encrypted while traveling through a public network.

Most browser-based cloud software should use some form of encryption, at least HTTPS or perhaps even a VPN.

Backup should use encryption per NIST standards mentioned earlier.

Page 9:

Questions for the Data Center

• Where is the data physically stored?

• How many copies of the data have been made?

• Is data encrypted everywhere? Tapes, drives, etc.

• Any chance data will be backed up elsewhere, including outside the country?

• Is data deleted and securely wiped when requested?

Page 10:

Questions for the Data Center (continued)

• Do they have audit controls? (HIPAA requires you to be able to prove who accessed files at all times.)

• Are there physical security measures in place? Measures to consider include servers in cages, encrypted hard drives, redundant power supplies, alternate recovery sites, security, fire suppression systems, etc.

Page 11:

HIPAA and U.S. Jurisdiction

You must ensure that the data never leaves US soil.

If the data is physically moved to another country, it will be out of US jurisdiction.

When this data is stored abroad, it may be subject to international laws which would force your cloud provider to take actions that would put you out of compliance.

Page 12:

HIPAA and the Cloud – CAN you Ever be Compliant?

Under the Patriot Act, the government may make a request to access patient information which is stored on the cloud provider’s server.

Additionally, a gag order may be issued to prevent the cloud provider from disclosing this breach to the healthcare provider. In this case, the healthcare provider would be unable to notify the patient, as required under HIPAA.

Under HIPAA, patients have a right to access any information stored about them, and to correct any inaccuracies. Verifying the integrity of patient data may be a challenge when relying on third-party systems.

Page 13:

Summary of HIPAA and the Cloud

Ultimately, somebody else holds the keys to the data.

Lack of information from the data center can make it very difficult to document your compliance.

Page 14:

HIPAA and Local Backup

A few slides about us before I discuss local backup…

Page 15:

We’re a “Data at Rest” Kind of Backup Company

If I had to describe what our company does in 3 words it would be:

Removable Drive Backup.

If you google that, we’re in the #1 position (in Sept of 2012), which is remarkable. Solutions start under $500.

We’re an alternative (or supplement) to Cloud Backup.

Page 16:

Key Value Propositions

We make a variety of NAS and DAS devices.

Besides removable drives, our other key value propositions include: automatic mirroring of removable media (2 backup copies) and large removable media (up to 12TB).

From our website www.tapesucks.com:

Page 17:

Page 18:

Page 19:

The Cloud

HIPAA Best Practice – “Multiple Backups are Retained as Failsafe”

Page 20:

4 Approaches for Encrypting Data at Rest

With local hard drive backup it’s important to protect the data from theft.

The same issues exist for laptops and portable devices.

1. Encrypt the “wad” file created by the backup program (BackupExec, ShadowProtect, etc.)

2. Send the data to an encrypted folder (Microsoft EFS, TrueCrypt)

3. Use whole disk encryption (BitLocker, TrueCrypt, WinMagic, PGP)

4. Use self-encrypting hard drives.

Page 21:

1. Encrypting With Backup Software

Screen shot from ShadowProtect. The advantage is no additional cost. Encryption DOES slow down backup/restore.

As far as I know, backup software is slow to adopt Intel’s AES instruction set. Either a fast CPU or support for Intel AES instructions helps.

Page 22:

Backup software may not use the CPU instruction set, but some do use AES (appropriate for HIPAA).

For example, the 3 levels used by ShadowProtect:

RC4 128-bit: This encryption option is the fastest, but least secure, of the algorithms.

AES 128-bit: This encryption option strikes a balance between speed and security.

AES 256-bit: This encryption option is the most secure, but slowest, of the algorithms.

Page 23:

2. Encrypting Folders

Microsoft EFS is older and focused on files and folders.

BitLocker is newer and does the entire drive.

Or use TrueCrypt or other 3rd-party folder encryption.

Page 24:

3. Whole Disk Encryption

Considered more secure because temp files, cache files, etc. – everything is encrypted.

BitLocker, TrueCrypt, WinMagic, PGP. The latter two have “enterprise management” that allows you to manage the encryption keys of multiple machines across the network.

Be aware that some encryption applications like TrueCrypt and backup software like ShadowProtect don’t work together (ShadowProtect won’t back up to the volume because the software doesn’t see it as a valid destination).

Page 25:

Whole Disk Encryption Performance

Microsoft says “single-digit percentage performance overhead”, but on weak processors like the Atom 260 1.6GHz (netbooks) the hit can easily be 33%. Laptops are important to encrypt.

http://www.ghacks.net/2009/11/26/bitlocker-versus-true-crypt-performance/

Page 26:

CPUs With Built-in AES Assistance

The Advanced Encryption Standard (AES) Instruction Set is an extension to the x86 instruction set architecture for microprocessors from Intel and AMD, proposed by Intel in March 2008.

The purpose of the instruction set is to improve the speed of applications performing encryption and decryption using the Advanced Encryption Standard (AES).

Intel i5, i7 Sandy Bridge, Ivy Bridge, and most modern server CPUs have this. Many i3’s do not.
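Whether a given box actually has the instructions is a question you can answer before buying encryption software, so here is an added example (not from the slide deck) that reads the Linux `/proc/cpuinfo` flags and reports whether every logical processor advertises `aes`. The two cpuinfo excerpts embedded below are constructed; the `aes` flag name is the one the Linux kernel uses on x86. Having the flag only tells you the hardware is capable; as the slides note, the backup software still has to use it.

```python
# Added example (not from the slide deck): detect AES-NI from /proc/cpuinfo.
# The 'aes' flag is the Linux x86 cpuinfo name for the AES instruction set.
# Both sample excerpts below are constructed for the demonstration.
import os

SAMPLE_CPUINFO_AES = """processor\t: 0
model name\t: Intel(R) Core(TM) i5 (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov sse sse2 ssse3 sse4_1 sse4_2 aes avx

processor\t: 1
model name\t: Intel(R) Core(TM) i5 (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov sse sse2 ssse3 sse4_1 sse4_2 aes avx
"""

# The "many i3's / Atom netbooks do not" case from the slides.
SAMPLE_CPUINFO_NO_AES = """processor\t: 0
model name\t: Intel(R) Atom(TM) (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov sse sse2 ssse3
"""


def parse_cpuinfo(text: str) -> list:
    """Return one dict per 'processor' block with its model name and flag set."""
    cpus = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "processor":
            current = {"processor": int(value), "model": "", "flags": set()}
            cpus.append(current)
        elif current is None:
            continue  # lines before the first processor block
        elif key == "model name":
            current["model"] = value
        elif key == "flags":
            current["flags"] = set(value.split())
    return cpus


def aes_ni_status(text: str) -> dict:
    """Summarise AES-NI availability across all logical processors in the text."""
    cpus = parse_cpuinfo(text)
    missing = [c["processor"] for c in cpus if "aes" not in c["flags"]]
    return {
        "cpus": len(cpus),
        "models": sorted({c["model"] for c in cpus}),
        "all_have_aes": bool(cpus) and not missing,
        "missing_on": missing,
    }


def host_aes_ni_status(path: str = "/proc/cpuinfo"):
    """Read the live file on Linux; returns None where it does not exist."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return aes_ni_status(f.read())


if __name__ == "__main__":
    print("constructed i5:", aes_ni_status(SAMPLE_CPUINFO_AES))
    print("constructed Atom:", aes_ni_status(SAMPLE_CPUINFO_NO_AES))
    print("this host:", host_aes_ni_status())
```

On a mixed fleet the `missing_on` list is the useful output: a server that will run the backup job should appear with an empty list, and a machine that does not is a candidate for the “fast CPU instead” advice given on the next slides.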

Page 27:

Some Software With AES Instruction Support (Where are the backup vendors?)

• 7-Zip 9.1
• BitLocker
• Bloombase Cryptographic Module
• Citrix XenClient 1.0 and on
• Cryptographic Development Kit (CDK) 7.0 from Information Security Corp.
• Cryptography API: Next Generation (CNG) (requires Windows 7)
• Crypto++ 5.6.1
• CyaSSL, an open source SSL/TLS implementation supporting AES
• DiskCryptor 0.9
• DiskSec 1.85
• Crypto API (Linux) (used by dm-crypt for full-disk encryption and by other software on Linux)
• FileVault version 2 (Mac OS X Lion) AES full disk encryption
• IAIK-JCE version 5.0
• Integrated Performance Primitives (IPP)
• Libgcrypt 1.5.0-beta1
• McAfee Endpoint Encryption for PC 6.x
• FreeBSD's OpenCrypto API (aesni(4) driver)
• OpenSSL from version 1.0.1
• Oracle Database 11g Release 2 Patchset 1 (11.2.0.2) Transparent Data Encryption
• PGP Whole Disk Encryption 10.1.0+ (only on Windows; the Mac OS X version since 10.2.0+)
• SafeGuard Enterprise 6.0 by Sophos (Utimaco)
• SecretAgent 6.1.1 and above from Information Security Corp.
• SecureDoc 5.2 by WinMagic
• Solaris (starting with Solaris 10 8/10) through the Solaris Cryptographic Framework and all software using that framework
• TRESOR
• TrueCrypt 7.0
• Vormetric Encryption 5

Page 28:

Self-Encrypting Drives (SED) Story

A recent ASCII member had 3 Dell Optiplex 790 USFF desktops running Windows 7 that would be working and then all of a sudden every program goes to “not responding”; if you try to open Task Manager it literally takes 20 minutes to open. 8 other 790’s and 5 780’s had no issue, only the 3 ordered together.

We replaced the SED drives in all the computers with non-SED drives. No complaints for a month now; it seems to have fixed the issue.

Page 29:

Page 30:

Summary of Encryption

For HIPAA, use beefy notebooks with AES instructions and BitLocker, or enterprise encryption like PGP that can be better managed, or SED drives that can be managed with WinMagic.

For backup to removable disk, use a fast server CPU to minimize the performance hit of backup software that doesn’t leverage AES instructions.

Page 31:

Data Retention and Destruction

Page 32:

Data Retention

HIPAA does not mandate how long a patient's records must be retained.

Each state's laws govern the retention period for medical records.

There is a 6-year retention period for HIPAA policies and procedures (not medical records).

Medicare requires 5 years, and state laws often require retention of medical records for considerably longer.

This might include x-rays, images and voice recordings that take considerable storage.

Page 33:

State Data Retention Summary

Before you get past Alabama you see that data might be retained for 26 years (so for a newborn, retain data until the age of majority of 19 plus 7 years).

Email me or Mike Semel for a copy of this document. [email protected]

Page 34:

So the question is: how long will your customer want to pay for that in the cloud?

Let’s assume $.25/GB/month (anyone charging $1?)

Dental practice with 300GB of data (is that a lot?)

300GB × $.25 × 12 months × 7 years = $6300

1TB for 26 years is $78,000 at 25 cents per GB/month.

That’s assuming data size stays constant. As X-rays and photos increase in resolution, things grow.

1 TB hard drive? A few hundred bucks.

Of course putting it on tapes or hard drives still has the issue: will it be readable in 7 years? You’ll probably have to commit to re-writing every few years.
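The two slides above combine a retention rule (how long the record must exist) with a storage price (what keeping it costs), and the newborn case shows why the rule matters: the same record costs 26 years of storage rather than 7. The following is an added example, not from the slide deck, that puts both into functions using the deck’s own figures. The retention rule is a constructed parameterisation of the Alabama example (age of majority 19 plus 7 years, with a 7-year floor taken from the dental example); the `annual_growth` parameter is an assumption that lets you model the “things grow” caveat.

```python
# Added example (not from the slide deck): retention horizon per record and the
# cloud bill over that horizon. The rule dictionary is a constructed
# parameterisation of the deck's Alabama example; real rules vary by state
# and record type, so treat the numbers as inputs, not facts.
import math
from datetime import date

# Constructed rule: keep 7 years after the record, or until age of majority (19)
# plus 7 years for a minor, whichever is later.
RULE = {"years_after_record": 7, "age_of_majority": 19, "years_after_majority": 7}

DECK_PRICE_PER_GB_MONTH = 0.25  # the $.25/GB/month assumption from the slides


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb rolls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(record_date: date, birth_date: date, rule: dict) -> date:
    """Later of: fixed period after the record, or majority age plus tail after birth."""
    fixed_end = add_years(record_date, rule["years_after_record"])
    minor_end = add_years(birth_date, rule["age_of_majority"] + rule["years_after_majority"])
    return max(fixed_end, minor_end)


def retention_years(record_date: date, birth_date: date, rule: dict) -> int:
    """Whole years the record must be kept, rounded up (conservative for budgeting)."""
    days = (retention_end(record_date, birth_date, rule) - record_date).days
    return math.ceil(days / 365.25)


def cloud_cost(gb: float, price_per_gb_month: float, years: int, annual_growth: float = 0.0) -> float:
    """Total storage bill over `years`; annual_growth (assumed) models growing image sizes."""
    total, size = 0.0, float(gb)
    for _ in range(years):
        total += size * price_per_gb_month * 12
        size *= 1.0 + annual_growth
    return round(total, 2)


def newborn_example() -> dict:
    """The deck's worst case: a record created at birth, 1 TB of data, constant size."""
    born = date(2012, 9, 1)  # constructed date
    years = retention_years(born, born, RULE)
    return {"years": years, "cost_1tb": cloud_cost(1000, DECK_PRICE_PER_GB_MONTH, years)}


if __name__ == "__main__":
    print("dental practice, 300 GB, 7 years:", cloud_cost(300, DECK_PRICE_PER_GB_MONTH, 7))
    print("newborn record:", newborn_example())
    print("same, assuming 10%/year growth:", cloud_cost(1000, DECK_PRICE_PER_GB_MONTH, 26, 0.10))
```

With growth set to zero the functions reproduce the slide’s $6300 and $78,000; the growth parameter is what turns the deck’s “things grow” remark into a number you can put in front of a customer.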

Page 35:

Data Destruction

HIPAA does require you to destroy PHI (Protected Health Information).

The rumors of requiring 35 overwrites are greatly exaggerated. One to three is probably enough. Google for my article entitled “Multiple pass wiping of hard drives is unnecessary”.

Can’t hurt to make sure by doing 2 or 3 though.
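As an added example (not from the slide deck), the block below overwrites a file in place with fresh random data for a small, configurable number of passes and forces each pass to disk before the next, then unlinks the file; the demo shows the contents really changed before deletion. The file name and contents are constructed. The caveat a practitioner needs is in the comments: in-place overwriting only sanitises blocks that are rewritten in place, so on SSDs (wear levelling), copy-on-write filesystems and snapshotted volumes the old data can survive, and the drive’s own sanitize/secure-erase command or destroying the key of an encrypted volume is the right tool there.

```python
# Added example (not from the slide deck): multi-pass in-place file overwrite
# before deletion, matching the "one to three passes" guidance above.
# Caveat: this only sanitises blocks that are rewritten in place (magnetic
# disks without snapshots). SSD wear levelling, copy-on-write filesystems and
# snapshots keep old copies; use the drive's sanitize/secure-erase command or
# key destruction under full-disk encryption for those. Names are constructed.
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # write in 1 MiB pieces so large files don't load into memory


def overwrite_file(path, passes: int = 1) -> int:
    """Overwrite every byte of `path` with fresh random data, `passes` times.
    Returns the number of bytes written per pass. Does not delete the file."""
    if passes < 1:
        raise ValueError("passes must be at least 1")
    p = Path(path)
    size = p.stat().st_size
    with p.open("r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force this pass to disk before starting the next
    return size


def overwrite_and_delete(path, passes: int = 1) -> int:
    """Overwrite then unlink; returns the file size that was overwritten."""
    size = overwrite_file(path, passes)
    Path(path).unlink()
    return size


def demo(passes: int = 2) -> dict:
    """Constructed scenario: a PHI export that must be destroyed."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "phi_export.csv"
        original = b"constructed sample: patient,dob,diagnosis\n" * 200
        target.write_bytes(original)
        written = overwrite_file(target, passes)
        after = target.read_bytes()  # peek before unlinking to show the bytes changed
        changed = after != original and len(after) == len(original)
        target.unlink()
        return {"passes": passes, "bytes_per_pass": written,
                "changed": changed, "exists_after": target.exists()}


if __name__ == "__main__":
    print(demo(3))
```

For whole drives rather than individual files the same overwrite loop applies to the block device, but the number of passes matters far less than making sure the device is the one you think it is and that no snapshot, cache or spare area holds a copy.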

Page 36:


Page 37:

Are SSDs More Reliable Than Rotating Media?

• SSD certainly costs too much for large backup.

• Jury is still out on reliability – without rotating mechanical parts, some people claim that SLC enterprise SSDs are definitely more reliable.

• But certain brands of consumer SSDs using MLC have a worse track record than hard drives.

• Certainly SSDs aren’t good for shelf life.

Refer to the Tom’s Hardware article “Is Your SSD More Reliable Than A Hard Drive?” http://www.tomshardware.com/reviews/ssd-reliability-failure-rate,2923.html