Research has shown that as much as 60% of any organization’s data is inactive (data that is not frequently accessed and modified).  Inactive data should be moved off-site and archived, freeing up valuable resources. The key is understanding which data is inactive, and can be archived, and which is active.  Read on how one company solved this problem and reduced their backup windows and overall storage costs.

As one Florida-based physician’s imaging data sets began to grow larger, they realized that they needed a better solution for storing the terabytes of information that were being created.  Protecting that data with their current backup solution was too expensive and taking too long.

That’s when they signed up for Iron Mountain Digital’s new Virtual File Store (VFS) solution, a cloud-based archiving solution designed to help enterprises securely and cost-effectively manage their data. VFS offers secure, long-term storage of inactive data in off-site centers.

The Virtual File Store service frees up precious storage resources, while ensuring inactive data is secure and easily accessible. Plus, capacity is readily available in the event of short-term storage spikes, long-term structural changes, and expanding digital file archives.

Using VFS has allowed the physician’s office to greatly reduce their investment in an expensive, on-site storage infrastructure and supports their regulatory and compliance initiatives.  And being located in a hurricane zone, they understood the value of getting their data off-site.

By taking recognizing what is active data that should be kept on-site and backed up, and what is inactive data that can be cost-effectively archived, companies can escape the cycle of having to keep buying and managing storage and servers.  By instead using efficient cloud storage solutions such as Iron Mountain Digital’s VFS they can reduce their business and legal risks and costs by storing their inactive data securely offsite.

We would love to hear your thoughts. Please comment below!

More importantly, I hope the NPRM has some effect on the business leaders and managers of organizations (Covered Entities, Business Associates and, newly proposed, Business Associate “subcontractors”) that ought to be doing something about privacy and security!

This NPRM is a good one! “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act”.

Some pundits are proclaiming they’ve studied the 234-page NPRM! No doubt, that will impress you about the blogger’s reading skills and chronic insomnia. I did read the official 58-page version published in the Federal Register, so there!

In announcing the NPRM, HHS Secretary Kathleen Sebelius said, “To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers. While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work.”

There’s much to discuss, but my comments in this post focus on HIPAA Security and Business Associates. The HIPAA Security Rule is where the greatest amount of neglect, ignorance and non-compliance exists and from which the continued inexplicable and most egregious data breaches emanate. (As of this writing, since HHS started posting “data breachers” in February 2010 on the HHS data breach “wall of shame”, Covered Entities and their Business Associates have impermissibly disclosed the Protected Health Information of ~3.5 million fellow Americans – equivalent, almost, to the entire population of Los Angeles!)

1. Let’s stick with data and facts for those seeking real information, not opinions:
   The official HHS Press Release on this NPRM: http://www.hhs.gov/news/press/2010pres/07/20100708c.html
2. The official NPRM was issued on July 14, 2010: http://hipaasecurityassessment.com/wp-content/uploads/2010/07/Modifications-to-the-HIPAA-Privacy-Security-and-Enforcement-Rules-under-HITECH.pdf
   A Notice of Public Rule Making is not the final regulation. It is a notice and an invitation for public comment.
3. Public comments are due in roughly 60-days; therefore, September 13, 2010.
4. Comments received will be considered and possibly incorporated into the Final Rule over a time period that could extend through the end of the year, December 2010.
5. While it’s important to get started (I’m a strong advocate), as stated in the NPRM, there is some time: “In addition, we recognize that covered entities and business associates will need some time beyond the effective date of the final rule to come into compliance with the final rule’s provisions. In light of these considerations, we intend to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s provisions.”
6. Fundamentally, the standards and the specifications in the HIPAA Security Final Rule stand as written – there are no sweeping, dramatic changes that make compliance any more or less difficult. Compliance is still a (large, non-trivial) business risk management project (not an IT project) and is still a journey, not a destination.
7. As it relates to the Security Rule and as we knew from the HITECH Act statutes, the single biggest changes for Security Rule compliance come in the form of a much, much larger net that is cast to now include not only Business Associates but also Business Associates Subcontractors. “Therefore, consistent with Congress’ intent in sections 13401 and 13404 of the Act, as well as its overall concern that the HIPAA Rules extent beyond covered entities to those entities that create or receive protected health information, we propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance.”

What Actions You Should Take Now:

1. Familiarize yourself with the proposed changes; discuss with your attorney and/or HIPAA Consultant
2. Don’t set your hair on fire yet!
3. If you’ve not already done so, start your HIPAA Security Compliance work by completing an honest self-assessment of where you stand (we may be able to assist you).
4. Sink your teeth into this Business Associate and subcontractor matter, whether you are a Covered Entity, Business Associate or Business Associate subcontractor. I predict that all parties in the “chain of trust” or “chain of custody” will be statutorily obligated to comply with the law AND be subject to the new Civil Monetary Penalty system:
   1. Document your “ePHI data life cycle” for all ePHI that you create, receive, maintain or transmit to understand your “chain of custody”
   2. Complete an exhaustive inventory of your upstream and downstream “chain of custody” relationships
   3. Hold a Business Associate conference or webinar or workshop to take a more active role to ensure your Business Associates become compliant with the Privacy and Security requirements
   4. Update your standard Business Associate Agreement to reflect the requirements of the HITECH Act
   5. Start re-executing or executing Business Associate Agreements to get this critical area under control

If we may be of any assistance, please do not hesitate to call or write.

Cloud storage is gaining popularity as an easy to implement and scalable way to solve your storage requirements.  Before signing up with any third party to store your data in the cloud, make sure you are comfortable with the answers to these key questions.

If you are considering storing your important data in the cloud, then make sure that any cloud storage vendor you are considering can satisfactorily answer these questions:

1.   “Who has access to our data?” Ask for specific information on the hiring and oversight of privileged administrators who might have access to your data.

2.   “Where would my data be stored?” Ask for details about the data center and its location.  And ask if they can store your data in a specific location (in-state, out-of-state, out-of-country, etc.).  Ask for verification that they comply with the data privacy requirements of their chosen jurisdiction.

3.    “How will my data be stored?” Ask for details on how they intend to segregate your data and for details about their encryption schemes.

4.    “Do you have a disaster recovery plan?” Ask if they can completely restore your data and service, and how long that will take.

5.    “Will you comply with external audits?” Ask if you or your auditors can audit their processes and security certifications.

6.    “Can you help us if we are in an eDiscovery investigation?” Ask your provider what role they would play if you are involved in the discovery phase of a lawsuit.  Get contractual commitments, and understand how they have supported other customers in similar situations in the past.

7.    “Will you be in business in five years?” Ask them how you will get your data back if they were to fail or be acquired.  And find out if the data would be in a format that you can easily import into a replacement application.

The key is to appreciate that the decision to store your data off-site using a cloud storage vendor is not one driven by cost.  You need to be comfortable with how and where your data is stored, and how reliable the service provider is.

Iron Mountain Digital thinks that businesses today have unique and complex requirements, beyond simple storage, when it comes to protecting data off-site leveraging the Internet.  Their Storage-as-a-Service (STaaS) framework allows customers to capture and protect data from a variety of sources, including PCs, servers and email, and protect that data at their secure data centers, while making the protected information available immediately for use, whether it is for recovery or eDiscovery.

Their Connected® Backup solution is today used to protect over 3 million PCs and Macintoshes while their LiveVault® server backup solution is used to protect the data on over 20,000 distributed corporate servers.  Contact us to learn how you can take advantage of these STaaS solutions to meet your data protection requirements today.

We would love to hear your thoughts. Please comment below!

When it came to data protection, the Gas Operations Division of Airgas found that they had three critical issues:  1) ensuring that data on lost or stolen laptops isn’t compromised; 2) ensuring that their data, if lost, can be replicated to replacement PCs, and 3) protecting data on servers in hundreds of remote locations.  What they also found was that one vendor could solve all these problems.

When it came to data protection, the Gas Operations Division of Airgas found that they had three critical issues:  1) ensuring that data on lost or stolen laptops isn’t compromised; 2) ensuring that their data, if lost, can be replicated to replacement PCs, and 3) protecting data on servers in hundreds of remote locations.  What they also found was that one vendor could solve all these problems.  The combination of Iron Mountain’s DataDefense™, Connected® Backup for PC, and LiveVault® gave Airgas the comprehensive data protection solution they need.

Fresh Air Airgas is the largest US distributor of industrial, medical, and specialty gases to industrial and commercial markets, servicing over 700 locations nationwide. Their Gas Operations Division of Airgas has extensive staff of mobile sales representatives and field technicians throughout the United States.

Problems in the Air IT face several major challenges in supporting more than 600 employees nationwide with a staff of only four. Many of the mobile sales representatives and field technicians use laptops and work away from office locations. These employees sometimes lose track of their laptops, either through misplacing them or through theft. One of the main concerns of IT was to protect vital business data on laptops, to prevent that data from falling into the wrong hands. Plus IT wanted to be able to rapidly replicate lost data onto a new laptop so that an employee could quickly continue working after a loss.

The IT staff faced a number of difficulties in solving their laptop problems. They had implemented full-disk encryption before and had encountered problems with running their applications, as well as with corrupted data. They found that Iron Mountain’s DataDefense had the features they needed to protect employee laptops properly. DataDefense protects sensitive and confidential data on all computers, including laptops, whether in or out of the office.  If a computer is lost or stolen, DataDefense can destroy sensitive data automatically to prevent it from falling into the wrong hands. Should a user fail to logon correctly, it is a simple matter for IT to use their encryption key to decrypt files.

Encrypting the data was only part of the solution.  To ensure that all laptop data was always backed up and available for restoration, they also implemented the Connected Backup for PC solution. Connected operates automatically in the background, whenever their remote users connect to the Internet. No user interaction is necessary.

Clearing the Air In addition to their laptop issues, IT also wanted to provide a workable backup and restore solution for all servers at their facilities. However, like many companies, Air Gas includes many small, remote sites far away from corporate servers. Moreover, many of these sites do not have access to high-speed data connections, but must rely on low-bandwidth 56 kbps connections. Many backup products could not work efficiently enough over the low-bandwidth connections available.

Air Gas implemented Iron Mountain’s LiveVault online backup and restore solution for servers.
LiveVault’s superior data reduction technologies compress data, to reduce and optimize transmission time, especially over low-bandwidth connections, providing fully automated, “hands-free” offsite storage and guaranteed recovery. Gas Operation’s IT found that LiveVault was quick to roll out to their sites, and easy to administer.

Does this scenario sound familiar to you – trying to both protect your PC and server data, with limited IT staff and budget?  If so, contact us to learn how Iron Mountain’s Storage-as-a-Service solutions might be a fit for your organization.

We would love to hear your thoughts. Please comment below!

In a recent survey commissioned by HP, less than half of the business decision-makers responding had a high degree of confidence in the quality and accessibility of information within their organizations. Can’t find something? Why worry? Because today the “average” U.S. based company faces up to 305 lawsuits at any one time. Not finding that critical information can result in expensive legal fees and potential fines.

In the HP survey more than half of the respondents from small and medium-sized businesses cited a lack of understanding of eDiscovery requirements as the reason why they don’t have an effective eDiscovery strategy (eDiscovery is discovery in civil litigation situations of information in electronic formats). Companies struggle when trying to associate a strong business case for investing in eDiscovery solutions.

Getting Started: If you fall into the category of companies that don’t have an effective eDiscovery strategy, then you should start with the fundamentals, including a defined records management process, an established information retention system and the support of appropriate experts.

And knowing the stages of the Electronic Discovery Reference Model (EDRM) helps. These include information management; identification; preservation and collection; processing; review and analysis. Most companies are looking to apply technology to solve their information management issues.

As much as 80% of the information within an organization is “unstructured” (and is therefore harder to search).

Getting Help: A good place to start when it comes to managing your information better and applying retention policies is Iron Mountain Digital’s Storage-as-a-Service offerings, which include Connected Backup for PC and Mac, and LiveVault server backup. Instead of backing up your information to tape, with these solutions your end-user and server data is automatically and securely backed up to remote data centers. If and when you face an eDiscovery request, your information is conveniently consolidated, saving you time and money.

We would love to hear your thoughts. Please comment below!

Over the past few years, the focus of IT risk management has shifted from the physical assets to information assets.  With new computing technologies and a shift from centralized data (think “easy to protect”) to decentralized computing power and data (think “vulnerable”), the IT mandate has changed.  Is your company ready for the challenge?

Today it is not enough for IT to ensure that networks are running and that the devices are “working”. These “dial tone” type services are expected. The risk – and value – to any organization is in the information, not the devices. The value model has completely changed. There are numerous recent examples of lost laptops, and one thing is universally true: The risk of lost information far exceeds the cost of the lost device.  Today’s users demand Resiliency and Protection for their company’s data.

Resiliency – making sure that information is recoverable if a device fails
Protection – making sure that information can’t be “taken” for unauthorized use

Solving for Resiliency
Resiliency is the most mature when it comes to available solutions. Simply put, backup and recovery is an important capability for devices at the edge of the network. Today, it is a simple fact that:
•    Compute and storage capacity makes it possible to create tremendous amounts of information on remote systems
•    Technology is readily available to ensure that this information can be recovered in the event that the device fails / is unavailable.

To satisfy this requirement, a copy of the information must be made that is physically and logically separate from the source system.  However, having a removable copy only helps if you can find the removable copy when you need it, and know what the procedure is to restore the information.

Online backup and recovery solutions are a potential solution for information Resiliency needs.  Technology has now advanced to allow for online/network based models for backup and recovery. In this model, information is analyzed at the edge of the network and then:
•    Reduced in size
•    Encrypted
•    Sent over a network to a data center

Providing Protection
Protection of information is a must have in today’s world. It is not enough to ensure that information can be restored in the event of loss. Certainty that the information cannot be used by unauthorized parties is equally, if not more, important.

The problems in this space are obvious:
•    If a laptop is lost, how do you ensure that the information on the machine cannot be read?
•    If you copy information to a DVD or USB drive, how do you track it and protect it?
•    If you upgrade to a new machine, what happens to the information on the old machine?

The most common response to the question of protection is to use encryption. Encryption is a process where information is “scrambled” so that it cannot be read. This information is then unencrypted only when an authorized user or system proves that they are allowed to see the information.

Encryption alone is not enough to ensure that your information is protected. A framework is needed around encryption so that things are not left to chance. This includes:

•    A policy framework to ensure that locale information is being encrypted
•    An enforcement capability to make sure that if control over information is lost, that the information will be destroyed before it is compromised

In addition to protecting data from loss, it is equally important to ensure that old storage devices are purged of information before they are “set loose”. When most computer programs issue a “delete command”, the information that is on the storage will still exist. Truly deleting the information requires the use of an “electronic shredding” capability. Simply deleting a file does not ensure that it cannot be retrieved later.

Solutions exist today that allow for not just encryption and secure deletion of information, but also for policy management and enforcement of information protection in the event that a device is lost or compromised.

Has your organization changed in how it thinks about the IT department’s mandate?  Is IT focused on the right tasks when it comes to data resiliency and protection? Are you confident that information is recoverable if a device fails?  And that valuable information can’t be accessed in an unauthorized manner?

We would love to hear your thoughts. Please comment below!

Our July 2010 Data Protection eNewsletter has been published.

We continue to feature HIPAA Security Rule and HITECH Act data security updates, including the link to the US Department of Health and Human Services’ “Wall of Shame” — its Data Breach Notification web page.

Please enjoy these links to industry articles and white papers that we’ve researched and assembled for you. I’m confident you’ll find a nugget or two among them!

We would love to hear your thoughts. Please comment below!

Chances are that up until recently if you or your company had Macintosh computers they were primarily used only in the creative departments by users who claimed that the Mac was the only machine that met their computing requirements.  In some cases IT would label the Mac as a “non-supported” platform. Now with the ability to run standard Windows® applications and concerns about PC security/robustness, the Macintosh has been making inroads into mainstream business computing environments.  Up until now IT has been challenged to offer Mac users the same level of backup and recovery that existing PC users have enjoyed.

Recently, Iron Mountain Digital our “parent” released its Connected® Backup solution to support Mac users, with benefits including:

• Fast, automatic backups without user interruption or IT intervention
• An end to data loss from viruses, misplaced or stolen laptops, data corruption and user error
• Unparalleled security with data being encrypted at the desktop and kept encrypted both during transmission and in storage
• IT control of secure backup and restoration both inside and beyond company firewalls, across the Mac and PC platforms.

Connected Backup was the only storage service to be listed on CRN’s (Computer Reseller New’) “Hot Storage Products” list at MacWorld 2009.  If you or your users have been challenged when it comes to protecting the data on Macintoshes, then contact us to learn how we can protect their data with Connected.

• View a brief 8-minute video/demo of Connected®
• Review our Connected® DataSheet
• Subscribe to our Connected® service now!

We would love to hear your thoughts.  Please comment below!

But it doesn’t have to be an either-or-situation.  Innovative strategies can lead directly to cost savings and efficiencies now.  Storage-as-a-Service (or STaaS) is an example of a cost-saving and process-improving strategy that can be implemented today.

While sales and spending may have slowed, the trend for data creation grows exponentially, clogging servers, networks, and the to-do lists of the IT staff.  And government regulations around issues of privacy are causing companies to rethink how they protect their data. Yet no-one has the appetite or budget for larger capital expenditures when it comes to new solutions. If you are evaluating how to update your data protection processes, then Storage-as-a-Service’s “pay-as-you-go” model is appealing.

Whatever the near term brings for you and your company, we can be certain that the downturn will eventually end.  Those organizations left standing are the ones that took honest stock of their priorities, cut costs wisely and leveraged innovative strategies for short-term efficiency and long-term competitive advantage.  And when it comes to your business, nothing is more critical than your data.  Partnering with a trusted advisor to help you navigate the data protection choices only makes sense.

We would love to hear your thoughts.  Please comment below!

Online storage has been available for several years. So what makes Storage-as-a-Service different? Think about how it makes your protected data useful.

True storage-as-a-service (STaaS) goes beyond simply filing away data for a rainy day. Rather, an effective STaaS solution reduces the risks, cost and complexity of managing information, providing secure and efficient data capture, protection and storage, as well as services designed to help organizations better utilize their stored data.

These value-added services might include e-discovery, recovery, the classification of the protected data, retention and destruction policies and procedures.

When considering a move to outsourced storage you need to ask yourself “What matters most to my business when it comes to data protection?” Understanding your unique requirements (in terms of the type of data to be protected, any regulatory or compliance requirements, or cost considerations) will help you focus on the right fit.

You need to evaluate if the STaaS vendor you are considering has worked with companies like yours. Do they have practices in place for managing 7-year-old data versus data created today? Does the vendor have e-discovery and archiving services that you can take advantage of?

While trust and security are the most important factors when considering a STaaS vendor, leadership and experience are also critical. Your goal is to choose a STaaS partner who will be with you for the long haul.

We would love to hear your thoughts.  Please comment below!