HIPAA Backup Compliance & Your External Backup Drive
HIPAA backup compliance, like ISO and almost every other form of complicated, confusing and just plain obtuse regulation, has been stirring up a lot of my customers.
No one seems to know exactly what is required of them for HIPAA backup compliance. There are no government-licensed or approved companies giving training or accreditation for HIPAA backup compliance, so we are not sure what to do short of reading every HIPAA document and trying to guess what “if reasonable to do so” or “addressable” means (http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html), since that is the wording used for many of the security requirements.
So with this confusion there are going to be a lot of gimmicks, fear tactics and “consultants” convincing you that if you don’t do X you “could” face hundreds of thousands of dollars in fines, or heck, they may even go ahead and imply that your whole practice will be ruined. After all, no one shops at Target anymore after their security breach.
One of the big new gimmicks is people pushing their new subscription-based, off-site, online, “encrypted” backup solutions. First, I haven’t seen a line that specifies you have to encrypt your backup to be HIPAA backup compliant; moreover, in the world of security we have rules about what actually counts as TRUE encryption, and they have to do with the security and availability of the original key. But for the sake of this post I won’t stray.
If you have a backup solution where you back up all your data to an external hard drive and take it home with you, I have a way to have that be encrypted and secured without changing your backup solution, buying expensive software, or figuring out how to properly use BitLocker or TrueCrypt, which can be difficult with an automated backup.
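For anyone who would rather keep a plain external drive, this is what the BitLocker route looks like once it is scripted. It is an added example, not code from the original post or from any vendor: a one-time setup that turns BitLocker on with a password protector and prints a recovery password for the safe, and a nightly job that unlocks the drive, mirrors the data and locks it again. The drive letter E:, the folder D:\PracticeData, the credential file path and the function names are all assumptions; the password is stored with Export-Clixml, which protects it with DPAPI for that user account on that machine only.

```powershell
# Added example (not from the original post): automated backup to a
# BitLocker-protected external drive. Assumptions (not stated on the page):
# external drive is E:, data lives in D:\PracticeData, and the nightly job runs
# as the same account that ran the one-time setup. Run elevated on Windows 8 /
# Server 2012 or later with the BitLocker PowerShell module installed.

# ---------- One-time setup (run interactively once) ----------
function Initialize-EncryptedBackupDrive {
    param(
        [string]$MountPoint = "E:",
        [string]$CredentialPath = "$env:ProgramData\PracticeBackup\drive.cred.xml"
    )
    # Prompt for the drive password; it is never written to disk in clear text.
    $cred = Get-Credential -UserName "backup-drive" -Message "Password for $MountPoint"

    # Turn on BitLocker with the password as the unlock protector.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $cred.Password -UsedSpaceOnly

    # Add a recovery password too and print it so it can be kept in a safe,
    # offline; a forgotten drive password with no recovery password means the
    # backups are gone for good.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = ($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword").RecoveryPassword
    Write-Host "Store this recovery password offline: $recovery"

    # Export-Clixml protects the password with DPAPI, bound to this user on this
    # machine, so the file cannot be used to unlock the drive anywhere else.
    New-Item -ItemType Directory -Force -Path (Split-Path $CredentialPath) | Out-Null
    $cred | Export-Clixml -Path $CredentialPath
}

# ---------- Nightly job (scheduled task runs this) ----------
function Invoke-EncryptedBackup {
    param(
        [string]$Source = "D:\PracticeData",
        [string]$MountPoint = "E:",
        [string]$CredentialPath = "$env:ProgramData\PracticeBackup\drive.cred.xml",
        [string]$LogPath = "$env:ProgramData\PracticeBackup\backup.log"
    )
    # Refuse to write patient data to a drive that is not actually protected.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne "On") {
        throw "$MountPoint is not BitLocker-protected; refusing to back up to it."
    }

    # Unlock with the DPAPI-protected password, mirror, then lock again so the
    # drive is unreadable the moment it leaves the server.
    $cred = Import-Clixml -Path $CredentialPath
    Unlock-BitLocker -MountPoint $MountPoint -Password $cred.Password | Out-Null
    try {
        robocopy $Source "$MountPoint\Backup" /MIR /R:2 /W:5 /NP "/LOG+:$LogPath" | Out-Null
        # robocopy exit codes 0-7 describe what was copied; 8 and above are failures.
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    }
    finally {
        Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
    }
}
```

Run Initialize-EncryptedBackupDrive once from an elevated prompt, file the printed recovery password away from the office, then schedule Invoke-EncryptedBackup under the same account. The drive only ever sits unlocked while the copy is running, and the credential file is useless if it is copied off the server along with the drive.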
So check these out.
Aegis Padlock – USB 2.0 Encrypted Hard Drive with PIN Access
You can buy these on Amazon or Newegg, or heck, a bunch of places. The thing security professionals like about these is that the drive will not even mount to the system until you type in your PIN. With software encryption, if I have your encrypted data I can eventually un-encrypt it; how long that takes is a question of access rates and processor speeds. Whereas with this device you can only type in the wrong code so many times before it makes the data permanently irretrievable.
Very secure, very cool, and it won’t result in your IT guy beating his head against the wall encrypting all of your data just to have a HIPAA-compliant backup.
As for the unencrypted data on your server’s hard drive: the solution is to keep your server in a locked office. If you ever retire a server, pull the hard drives and destroy them (shoot them with a gun, hit them with a hammer a bunch of times, drill holes in them, melt them down, or use a multi-pass drive-wiping program that actually writes zeros to every data sector, making data recovery nearly impossible). There you have it: some suggestions on how to try to achieve HIPAA backup compliance.
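For the wiping option in that list, here is the same thing done with tools already on a Windows server, as an added example that is not from the original post. Format-Volume with -Full writes zeros to every sector of the volume (a quick format does not), which is the "actually writes zeros" behaviour the post is after. The function name and the SSD check are my additions; the check exists because an overwrite is not a reliable wipe on an SSD, where wear-levelling can leave old cells untouched.

```powershell
# Added example (not from the original post): zero every sector of a retired
# data volume before the drive leaves the office. Assumes the caller passes the
# drive letter of the volume to be wiped and runs from an elevated prompt.
function Clear-RetiredVolume {
    param([Parameter(Mandatory)][string]$DriveLetter)

    $disk = Get-Partition -DriveLetter $DriveLetter | Get-Disk

    # Overwriting does not reliably reach every cell on an SSD because of
    # wear-levelling, so send those to the manufacturer's secure-erase tool.
    $physical = Get-PhysicalDisk | Where-Object DeviceId -eq $disk.Number
    if ($physical.MediaType -eq "SSD") {
        throw "Disk $($disk.Number) is an SSD; use the vendor secure-erase tool instead."
    }

    Write-Host "Zero-filling $DriveLetter (disk $($disk.Number), $([math]::Round($disk.Size / 1GB)) GB)"
    # -Full writes zeros to every sector; -Confirm:$false lets it run unattended.
    Format-Volume -DriveLetter $DriveLetter -FileSystem NTFS -Full -Confirm:$false
}
```

Double-check the drive letter before calling this; it is as destructive as the hammer, just quieter. Keep the serial number of the wiped or destroyed drive in the practice's records so the disposal can be shown later if anyone asks.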