WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery



Similar documents
WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

HIPAA COMPLIANCE AND

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services

CHIS, Inc. Privacy General Guidelines

HIPAA Privacy & Security White Paper

VMware vcloud Air HIPAA Matrix

Datto Compliance 101 1

HIPAA Compliance and the Protection of Patient Health Information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HIPAA Security Alert

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

HIPAA Security Matrix

HIPAA Information Security Overview

C.T. Hellmuth & Associates, Inc.

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA and HITECH Regulations

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

THE LOGICAL CHOICE FOR ONLINE DATA PROTECTION. Brought to you by

HIPAA Security Series

Preparing for the HIPAA Security Rule

HIPAA Security Checklist

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

Healthcare Compliance Solutions

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

HIPAA Compliance Guide

An Effective MSP Approach Towards HIPAA Compliance

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Policies and Compliance Guide

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA Security COMPLIANCE Checklist For Employers

Montclair State University. HIPAA Security Policy

eztechdirect Backup Service Features

HIPAA Security Rule Compliance

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

SECURITY RISK ASSESSMENT SUMMARY

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

HIPAA/HITECH: A Guide for IT Service Providers

How To Write A Health Care Security Rule For A University

HIPAA Security. assistance with implementation of the. security standards. This series aims to

Why cloud backup? Top 10 reasons

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

M E M O R A N D U M. Definitions

Introduction. Ease-of-Use

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

GoToAssist Remote Support HIPAA compliance guide

SVA Backup Plus Features

Disaster Recovery Planning Save Your Business

HIPAA PRIVACY AND SECURITY AWARENESS

An Introduction to HIPAA and how it relates to docstar

HIPAA. considerations with LogMeIn

HIPAA: In Plain English

How To Backup Your Hard Drive With Pros 4 Technology Online Backup

HIPAA Compliance: Are you prepared for the new regulatory changes?

LogMeIn HIPAA Considerations

How Managed File Transfer Addresses HIPAA Requirements for ephi

Healthcare Security and HIPAA Compliance with A10

HIPAA Compliance Review Analysis and Summary of Results

ITS HIPAA Security Compliance Recommendations

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

Online Backup Solution Features

HIPAA Compliance Guide

HIPAA/HITECH Compliance Using VMware vcloud Air

The Health Insurance Portability and Accountability Act - HIPAA - Using BeAnywhere on a HIPAA context

The Second National HIPAA Summit

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today!

Evolved Backup Features Computer Box 220 5th Ave South Clinton, IA

Healthcare Management Service Organization Accreditation Program (MSOAP)

Things You Need to Know About Cloud Backup

WHITEPAPER. 7 Reasons Why Businesses are Shifting to Cloud Backup

to EMR transition Contents

Supplier IT Security Guide

White Paper. Support for the HIPAA Security Rule PowerScribe 360

White Paper: Librestream Security Overview

Transcription:

WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery

DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights Reserved. TRADEMARKS VaultLogix and the design of the swirl are trademarks or registered trademarks of VaultLogix, LLC. All other trademarks and registered trademarks are the property of their respective owners. CONFIDENTIALITY The information set forth herein represents the confidential and proprietary information of VaultLogix. Such information shall only be used for the express purpose authorized by VaultLogix and shall not be published, communicated, disclosed or divulged to any person, firm, corporation or legal entity, directly or indirectly, or to any third person without the prior written consent of VaultLogix, LLC. DISCLAIMER No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of VaultLogix, LLC. The information in this document is subject to change without notice and should not be considered a commitment by VaultLogix, LLC. While VaultLogix has made every effort to ensure the accuracy and completeness of this document, it assumes no responsibility for the consequences to users of any errors that may be contained herein. 2011 VaultLogix, LLC www.dataprotection.com - 877.828.5856

Table of Contents Overview... 1 Background The Health Insurance Portability and Accountability Act... 2 HIPAA and the Security Rule... 2 Choosing a HIPAA-Compliant Data Backup Solution... 4 Leveraging VaultLogix Online Backup for HIPAA Compliance... 5 User Authentication... 5 Role-based Access... 5 Data Encryption... 5 Offsite Storage... 6 Secure Storage Facilities... 6 Solid Reporting... 6 Managing HIPAA Compliance While Managing Your Business... 6 About VaultLogix... 7 2011 VaultLogix, LLC www.dataprotection.com - 877.828.5856

Overview The federal government passed the original Health Insurance Portability and Accountability Act (HIPAA) in 1996 as a law designed to: 1. Protect workers from losing their medical insurance coverage if they change or lose their jobs, 2. Reduce the administrative costs of healthcare, specifically by promoting electronic recordkeeping, 3. Increase the security and portability of patient records, 4. Develop standards for consistency in the health care industry. HIPAA applies to all health care providers, health plans and clearing houses, known collectively as "Covered Entities," that electronically maintain or transmit health information of individuals. Covered Entities must have appropriate measures that address the physical, technical, and administrative components of patient data (information) privacy. The Security Rule of HIPAA requires health care providers to put in place certain administrative, physical and technical safeguards for protected patient health information in electronic formats. This is protected patient information either transmitted by electronic media or maintained on electronic media. As part of these safeguards, Covered Entities must institute a contingency plan to be prepared for an emergency, such as a natural disaster or computer virus attack, which could result in a major data loss. This contingency plan must include the following required plans: 1. Data backup plan - Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. 2. Disaster recovery plan - Establish and implement procedures to restore any loss of data. 3. Emergency mode operation plan - Establish and implement procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. There are various ways that a healthcare firm can put together a solution that meets these requirements. When choosing a data backup solution, the firm should evaluate the solution s capabilities across 6 core functionality categories: user authentication, role-based access, data encryption, offsite storage, storage facility security, and reporting. An online backup solution is one alternative to meet the data contingency plan requirement of HIPAA. In particular, the VaultLogix Internet Vault Advantage solution can be the perfect fit to meet these core functionality needs with cost efficiency and low resource utilization. 2011 VaultLogix, LLC www.dataprotection.com Page 1

Background The Health Insurance Portability and Accountability Act 1 The federal government passed the original Health Insurance Portability and Accountability Act (HIPAA) in 1996 as a law designed to: 1. Protect workers from losing their medical insurance coverage if they change or lose their jobs, 2. Reduce the administrative costs of healthcare, specifically by promoting electronic recordkeeping, 3. Increase the security and portability of patient records, 4. Develop standards for consistency in the health care industry. HIPAA applies to all health care providers, health plans and clearing houses, known collectively as "Covered Entities," that electronically maintain or transmit health information of individuals. Covered Entities must have appropriate measures that address the physical, technical, and administrative components of patient data (information) privacy. With the exception of small health plans, all Covered Entities must have had data security standards in place as of April 21, 2005, when the Standards for the Security of Electronic Protected Health Information (the Security Rule ) of HIPAA went into effect for most health care providers. Small health plans were exempted until April 21, 2006. HIPAA was established to protect patient privacy while promoting electronic recordkeeping. As a healthcare provider it is imperative that you understand the act and its implications for your business. HIPAA and the Security Rule The Security Rule requires health care providers to put in place certain administrative, physical and technical safeguards for protected patient health information in electronic formats. This is protected patient information either transmitted by electronic media or maintained on electronic media. Covered entities that maintain or transmit electronic protected health information are required by the Security Rule (see 45 C.F.R. 164.306) to: 1. Ensure the confidentiality, integrity, and availability of all electronic protected health information they create, receive, maintain or transmit; 2. Identify and protect against reasonably anticipated threats to the security or integrity of the information; 3. Protect against reasonably anticipated, impermissible uses or disclosures; 4. Ensure compliance by their workforce. 1 All HIPAA requirements are taken from HIPAA Administrative Simplification Regulation Text, Unofficial Version, as amended through February 16, 2006. <http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf> 2011 VaultLogix, LLC www.dataprotection.com Page 2

The Security Rule defines confidentiality to mean that electronic protected health information is not available or disclosed to unauthorized persons. The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of protected health information. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of electronic protected health information. Under the Security Rule, integrity means that electronic protected health information is not altered or destroyed in an unauthorized manner. Availability means that electronic protected health information is accessible and usable on demand by an authorized person. The HIPAA Security Rule is designed to support the Privacy Rule by defining security requirements that ensure the integrity, availability, and confidentiality of patient data. According to the HIPAA regulations, Covered Entities are allowed to use a flexible approach when implementing the above requirements. Specifically, Covered Entities may use any security measures that allow the Covered Entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. In deciding which security measures to use, a covered entity must take into account the following factors: 1. The size, complexity, and capabilities of the covered entity. 2. The covered entity s technical infrastructure, hardware, and software security capabilities. 3. The costs of security measures. 4. The probability and criticality of potential risks to electronic protected health information. With this information in mind, organizations must adhere to the Security Rule s standards and specifications for safekeeping electronic data. Covered Entities also need to institute a contingency plan to be prepared for an emergency, such as a natural disaster or computer virus attack, which could result in a major data loss. The contingency plan must establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information (Administrative Safeguards - 164.308(a)(7)(i)). This contingency plan must include the following required plans: 1. Data backup plan - Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. 2. Disaster recovery plan - Establish and implement procedures to restore any loss of data. 3. Emergency mode operation plan - Establish and implement procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. Covered Entities must also have certain physical safeguards, such as facility access controls. They must implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed (Physical Safeguards - 164.310(a)(1)). The contingency operations should establish and implement procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency ( 164.310(a)(2) 2011 VaultLogix, LLC www.dataprotection.com Page 3

In addition, Covered Entities must implement specific technical safeguards ( 164.312) to, among other things: 1. Limit access to electronic protected health information only to those persons or software programs that have been granted access rights. 2. Encrypt and decrypt electronic protected health information. 3. Put into place audit controls that record and examine activity in information systems that contain or use electronic protected health information. 4. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. These regulations are in place to ensure that healthcare organizations properly secure their Electronic Protected Health Information. Based on these directives, an organization should evaluate their system and then implement a secure backup, archiving, and recovery solution to comply with HIPAA standards. Covered Entities must ensure they have a well-defined contingency plan that ensures that patient data is still available after a primary data loss. This plan must include backup, recovery, and emergency operating plans. In addition, they must implement technical safeguards to ensure that their patient data is properly secured. Choosing a HIPAA-Compliant Data Backup Solution Clearly, the contingency plan subpart of the HIPAA Security Rule requires a Covered Entity to have a solid data backup plan that meets all of the HIPAA criteria. There are various ways that a healthcare firm can put together a solution that meets these requirements. When choosing a data backup solution, evaluate it across the following criteria: 1. User authentication you should be able to establish private password authentication known only to each user. 2. Role-based access the service authentication and access scheme should enable limiting users to access only information they have authority to see. 3. Data encryption all data should be encrypted using the highest encryption standard available before it leaves your location (and, therefore, under the control of your compliant safeguards) and remain encrypted at all times outside of your location. The data should only be unencrypted during a restore after it has been returned to your location. If data needs to be returned from the offsite location to your location via a device (Tape, USB drive, DVD, etc.), the data on the device should be delivered in the encrypted state. The solution should also have an option for you to select your own encryption key that ensures that no one without knowledge of that specific key can gain access to the data. 4. Offsite storage it is necessary to have some versions of your backup data stored at a different location than the primary source, providing recovery capability from a disaster that caused loss of the primary data location, such as floods, hurricanes, and electrical outages. 2011 VaultLogix, LLC www.dataprotection.com Page 4

5. Secure storage facilities the offsite location that stores the remote data versions should have necessary safeguards protecting from sabotage and natural disasters. A location that has met a SAS70 Type II audit (previous to July 1, 2011), or an SSAE 16 SOC 2 Type II audit (after July 1, 2011) offers assurances that the proper safeguards are in place to meet HIPAA standards. 6. Solid reporting Reports for every backup should be a part of the solution, providing verifiable status data ensuring that the proper resources can monitor and be proactive to any potential problems with the solution. When choosing a data backup solution, the firm should evaluate the solution s capabilities across 6 core functionality categories: user authentication, role-based access, data encryption, offsite storage, storage facility security, and reporting. Leveraging VaultLogix Online Backup for HIPAA Compliance An online backup service can be the best overall solution to implement a data backup plan, disaster recovery plan, and emergency operation plan that ensures full HIPAA compliance for your firm. However, not all online backup services are equal, and to ensure HIPAA compliance, it is imperative that you measure your online backup service against the Data Backup criteria defined in the previous section. The VaultLogix Internet Vault Advantage (IV-Advantage) solution meets all of these important HIPAA-compliant data backup criteria. User Authentication Internet Vault requires a unique ID and password for creation of backup sets, and that ID and password are required to review the backup sets or restore data from those sets. In addition, an added level of security can be placed on the backup client that is installed on your LAN, requiring an additional password to even access the client. Role-based Access By defining your user IDs and passwords to correlate to your existing HIPAA-compliant administrative guidelines, you can ensure that users are only able to review or restore data that they are authorized to access. Data Encryption IV-Advantage individually encrypts each block of data using Advanced Encryption Standard 256 bit encryption technology (AES256). AES encryption was developed by the U.S. National Institute of Standards and Technology (NIST) and is now the state-of-the-art standard encryption technique for both commercial and government applications. 256 bit is the highest level of AES encryption available for commercial data. For added security, and to meet the Security Rule s transmission requirements, each encrypted block is transmitted over the Internet via a secure channel using Secure Sockets Layer (SSL) technology - the same Internet transmission technology used by online banking and online credit card applications. With this additional security layer, data is encrypted twice - it is encrypted at all times using the AES encryption, and the encrypted blocks are encrypted again while they are being sent over the Internet, to and from the VaultLogix data vaults. 2011 VaultLogix, LLC www.dataprotection.com Page 5

Offsite Storage With our online backup solution, backup sets that are defined to backup to our vaults give you instant offsite storage of your backup data. You will not need to define a process to get your tapes or disk drives offsite, or pay to have a delivery service pick up and drop off those tapes or disk drives. You can rest easy knowing your most recent backup, and all previous versions that you retain, are safely stored away from your primary data source, preventing them from being subject to any disasters that may affect your primary data location. Secure Storage Facilities VaultLogix data vaults are housed in Tier 4 data centers. In addition, the VaultLogix Internet Vault Advantage service has successfully completed a SAS70 Type II audit, and will be completing the new SSAE 16 SOC 2 Type II audit by year end, giving VaultLogix customers comfort in knowing that the entire service has been confirmed to execute stringent processes and controls to ensure that backup data stored on our vaults meets the security controls required by the HIPAA Security Rule. Solid Reporting IV-Advantage has numerous reporting capabilities, ranging from email notifications of backup completion to detailed status and information reports available through our Web interface, the Client Web Operator. In addition, for businesses that use Remote Management & Monitoring (RMM) or Professional Service Automation (PSA) software, we have integrated with most major providers of these systems so status notifications will appear in your RMM and, for resellers or larger IT shops that bill back to the business, billing data integration into your PSA. An online backup solution is one alternative to meet the data contingency plan requirement of HIPAA. In particular, the VaultLogix Internet Vault Advantage solution can be the perfect fit to meet these core functionality needs with cost efficiency and low resource utilization. Managing HIPAA Compliance While Managing Your Business Costs for implementing HIPAA compliance can be quite significant. Surveys project upgrade costs to vary from $10,000 for a small private practice to $14 million for a larger organization. The average cost of $3.1 million from surveyed firms is considerably more expensive than the government s projected average estimate of $450,000 that was done prior to implementation. 2 Given the overall cost to implement and maintain HIPAA compliance, finding cost-efficient solutions that reduce the total cost of ownership is imperative to successfully managing your healthcare organization. Online backup - and VaultLogix Internet Vault Advantage in particular - can be one solution that reduces your compliance cost and ensures your piece of mind knowing that your data is protected. ******************************************** 2 Arora, Richa and Pimentel, Mark. Cost of Privacy: A HIPAA perspective, December 9, 2005. <http://lorrie.cranor.org/courses/fa05/mpimenterichaa.pdf> 2011 VaultLogix, LLC www.dataprotection.com Page 6

About VaultLogix VaultLogix Internet Vault Advantage is a comprehensive online backup service that provides state-ofthe-art offsite data protection for business servers, PCs, and laptops at an affordable price. VaultLogix s unique online backup service safeguards important information through an automated, reliable solution that sends data securely to multiple locations. VaultLogix also delivers industry-leading solutions for support, billing, and marketing for VAR s, MSP s and IT Consultants. Internet Vault Advantage is integrated with the leading PSA solutions, enabling you to easily bill and manage your online backup customers. Our integrations with the leading RMM vendors enable you to monitor the online backup service, streamlining your ability to support your customers. 2011 VaultLogix, LLC www.dataprotection.com Page 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information