Our December 2010 HIPAA-HITECH eNewsletter has been published.

We continue to feature HIPAA Security Rule and HITECH Act data security updates, including the link to the US Department of Health and Human Services’ “Wall of Shame” – its Data Breach Notification web page.

Attend our Upcoming Complimentary Live Webinar on:

• How to Revitalize Your HIPAA-HITECH Compliance Program

Please enjoy our analysis and links to industry articles and white papers that we’ve researched and assembled for you. I’m confident you’ll find a nugget or two among them!

We would love to hear your thoughts. Please comment below!

IT professionals are increasingly looking to online backup and recovery (or “cloud storage”) services when it comes to server data protection. These solutions are especially relevant for small to medium-sized businesses and for the remote offices of larger enterprises. But with all the choices today, how do you decide what is right for your company?

The factors driving interest in online backup and recovery solutions include: workforce dependency on 24×7 access to business data; price and consistency of a Software-as-a-Service (SaaS) subscription model over costlier onsite options; and easier compliance with burgeoning requirements to protect distributed information (in all formats) and ensure business continuity.

The scope, strengths, and weaknesses of the various categories of online backup and recovery service provider should be evaluated in the context of the current and forward-looking requirements of corporate customers. Requirements range from full system (versus data only) backup and restore to comprehensive business continuity best practices and support. Understanding these strengths and weaknesses can help businesses clarify their server protection requirements and better align their selection criteria and focus with their business goals.

Unlike workstations and laptops, servers:

• Are usually left running, rather than frequently powered on and off, and are not mobile
• Require broader bandwidth requirements due to the volume of the data to be protected
• Store a wide variety of data types of varying importance and recovery or retention requirements

Category 1: Service Providers Leveraging Investments In Core Business Resources These service providers includes companies whose entry into online backup and recovery is driven by a desire to leverage pre-existing investments in core business resources. These include 1) business continuity and disaster recovery and 2) telecommunications vendors.

Category 2: Niche Developers and Service Providers Service providers in this category concentrate on niche solutions and market opportunities. These include:
1) “Point solution” backup and recovery services using their own software exclusively for backup and recovery and
2) Providers who use other vendors’ specialized solutions to address niche markets in specific verticals, company size, or geographic regions.

Category 3: Broader Spectrum Service Providers Like the point solution and licensed software developers, these service providers own and maintain their own software. Most obtained their backup and recovery technology through the acquisition of the original software developer, but the important point is they continue to invest in its maintenance and extension. These service providers typically offer most of the essential features for server backup and recovery.  Backup and recovery is offered as part of a broader spectrum of information management and data protection services

It is important to recognize the different categories of online backup and recovery service providers. Recognizing the basic differences in their business drivers and focus, potential resources, and core competencies is key when it comes to assessing their capabilities.  By understanding these larger business criteria, businesses can better focus and align their business goals with the right partner when it comes to online backup and recovery.

You should be able to compare the various providers against their ability to address your requirements for server backup and recovery functionality, administration and support.

We believe that that choosing a cloud storage vendor is an important decision.  Contact us to learn how we may be able to help you.

We would love to hear your thoughts. Please comment below!

Today most companies are facing challenges when it comes to protecting their data.  There’s more of it.  And protecting the data properly is more important than ever.  But there are also more choices.  How do you decide what is right for you? Start by understanding what your data protection strategy should be.

Your business relies on its data. There’s more of it than ever, but more important, its value keeps multiplying. Companies are putting their information to work in new ways as they connect systems, transform business processes, and extend their relationships over the Internet with customers, partners and suppliers. Unfortunately, the risks from data loss or exposure have grown, too. The always-on world of e-commerce and companies’ increasingly distributed and mobile workforces have made data more vulnerable. Moreover, senior executives have to worry about maintaining regulatory compliance while mitigating the risk of litigation.

Do You Have A Data Protection Strategy? How can you ensure that your company is embracing the right combination of technologies and processes for a complete data protection strategy? Unfortunately, it’s easy to make the wrong choices.  Some companies assume a do-it-yourself approach, which can leave them open to unidentified risks.

An outsourcing partner who provides online disk-based backup can solve a number of the issues that organizations confront when supporting their business continuity, data retention and security requirements. The key advantage is that the data, stored off-site, is protected from unauthorized access and will survive a disaster.

Online backup combines better cost characteristics with superior reliability and world-class security. The great news for smaller businesses and remote offices of larger businesses
is that online disk-based backup services have matured in technology reliability and decreased in cost.  Today, online backup is often less expensive than tape backup alternatives.

Get Ready For Your Annual Data Protection Physical! Companies have different requirements when it comes to their recovery needs, data sensitivity, retention requirements and cost.  And these can evolve and change. Deciding which backup solution, or solutions, to use is just the start of what should be an annual process of testing data protection and recovery strategies to ensure they remain in line with business requirements. A great plan, a great vendor and getting data off-site are a good start, but you need to test the whole process, not only to ensure everyone knows what they are doing but to identify potential gaps in the process that need attention. And as the business changes, your plan needs to change with it to meet any new requirements.  

We would love to hear your thoughts. Please comment below!

Chief Financial Officers typically care about three things when it comes to assessing new investments in IT.  They are:  1) Speed, 2) Focus and 3) Affordability.   I know this first hand! The key is to understand how replacing your current server and/or PC data protection processes with a cloud storage solution would address these three areas of concern.

In today’s economic environment, every spending proposal needs to have solid justification.  Often just speaking about a shift to a “pay-as-you-go” model is enough to get the CFO’s attention.  But the appeal of cloud storage extends beyond its financial benefits.  Here are three key benefits companies are realizing today when adopting cloud storage:

Focus: Companies want to focus on their core competencies, and outsource the rest to experts.  Are you still doing your own payroll?  Using a cloud storage provider allows your IT department to focus on projects that drive the business, such as customer service or e-commerce applications.  And cloud storage providers have the expertise to optimize their operations for better efficiencies.

Speed: How often have you been involved in IT projects that took longer than expected?  Chances are your CFO has felt the same pain.  Quick ROI is everything, and when it comes to competing for funding, decisions are being made about when companies can expect to see valuable returns for their investments.  This theme is a key one driving the adoption of cloud computing today.

Affordability: In addition to the “pay-as-you-go” model, cloud storage is appealing because it offers flexibility.  As a company you aren’t paying up front, predicting your storage requirements and investing in the hardware and software to support those requirements.  Instead you pay for what you use.  As you scale or reduce your demand.

With capital at a premium, and companies looking for faster returns from their investments, another appeal of cloud storage services is that they typically can be funded from the Operating Expense (OpEx) budget, without sunken Capital Expenditures (“CAPEX”).  This approach allows you to match the cost of the service to the period in which it is consumed.

If you aren’t already outsourcing your data backup and recovery, then its time you took a look at the cloud storage model.  Today’s solutions can provide you and your company with the technical functionality to protect your data better than you can probably do it in-house, with none of the headaches.  The 1-2-3 message of “Focus + Speed + Affordability” is often enough to cause any company to evaluate cloud storage. 

Data Mountain has been providing world-class cloud storage solutions since 2003, through our service partner, Iron Mountain Digital, and we truly understand what it takes to securely protect corporate information in the cloud.  Contact us to learn more if you think we may be able to help you.

We would love to hear your thoughts. Please comment below!

Our November  2010 HIPAA-HITECH eNewsletter has been published.

We continue to feature HIPAA Security Rule and HITECH Act data security updates, including the link to the US Department of Health and Human Services’ “Wall of Shame” – its Data Breach Notification web page.

Attend our Upcoming Complimentary Live Webinars on:

• Are Your Business Associate Agreements HITECH Ready?
• How To Conduct a HIPAA Security Risk Analysis
• How to Revitalize Your HIPAA-HITECH Compliance Program 

Please enjoy our analysis and links to industry articles and white papers that we’ve researched and assembled for you. I’m confident you’ll find a nugget or two among them!

We would love to hear your thoughts. Please comment below!

For some companies, including Marriott, abandoned mines and military bunkers offer a subterranean safe haven from hurricanes and other threats. But there are additional advantages to be realized when it comes to protecting your data underground.

Our service partner, Iron Mountain, is among the oldest and best known providers of underground storage and data center space. Known for storing everything from backup tapes to old movie reels in its repurposed limestone mine in rural Pennsylvania, Iron Mountain has seen its electronic storage and leased data center space business increase significantly.  With 60,000 square feet of available data center space and another 145 acres undeveloped in the facility, Iron Mountain has plenty of room for more.

What is driving an interest in Iron Mountain’s underground and other specialized hardened data centers? Some companies have found that there is a general lack of high-end infrastructure – enterprise-class data center space. Others have very specific requirements to protect them from natural disasters.

Not all hardened data centers are created equal.  While computer systems may be protected in a bunker, critical infrastructure needed during a disaster, such as generators, fuel tanks and air conditioning cooling towers, may be above ground. That could be a problem if the catastrophe you need to worry about is a tornado.

Are you going to pay a premium if you locate your computing resources in such a hardened environment?   IT executives say they’ve driven deals where the total cost of ownership is competitive with above-ground facilities. Because they’re repurposing existing space that the government or a mine operator paid to build, providers say they don’t have to pass on the original construction costs for the structures and can afford to be cost competitive.

Another consideration is that these underground facilities tend to be in rural, out-of-the-way locations. The facilities may be too far away from a company’s primary data center, and finding local lodging for staff in a disaster situation may be difficult. Marriott International wanted a hardened, secure facility in a location that was within a day’s drive from Marriott’s Bethesda, Md., headquarters.  That led them to Iron Mountain’s underground facility in Pennsylvania.

Underground facilities do have a few other advantages. The limestone floors at Iron Mountain’s facility have a virtually unlimited load rating, while the walls maintain a constant temperature of about 55 degrees and act like a heat sink for some of the waste heat that comes off data center equipment. The limestone walls absorb 1.5 BTUs per hour per sq. foot of wall space.

Cool stuff
The green aspect of going underground is what attracted Marriott International. It wanted to move from an outsourced “cold site” disaster recovery service to managing its own hot site backup data center. And it wanted to make sure the facility followed the company’s focus on environmentally friendly best practices.

Last year, the hospitality business completed the build-out of a 9,000 sq. foot remote backup data center at Iron Mountain’s Underground. Although the extreme level of security, including armed guards, exceeded their requirements, the idea of reusing an old mine rather than breaking new ground appealed to Marriott.

Energy efficiency also factored into Marriott’s decision. While Marriott’s data center uses a traditional chiller as its primary cooling system, the backup is a prototype free cooling system. That prototype, designed by Iron Mountain, uses an air-to-air heat exchanger, drawing 55-degree air from the unused space within the mine. Iron Mountain also is experimenting with a system that would pull cool water from an underground lake within the mine.

We would love to hear your thoughts. Please comment below!

Establishing a policy on how long data must be retained sounds easy enough. It isn’t. For starters, not all data is the same.  If you are protecting everything, or are uncertain if data is being protected properly, then it is time to build and implement a data retention policy.

Some companies realize they need a proper data retention policy when they examine their storage costs.  Others realize gaps when they go through a litigation hold.

What happens if your company requires you to retain certain data forever? One company’s IT director related how for several years they had been forbidden to overwrite any data related to e-mail, home directories, financial systems and several other document repositories and systems. Being barred from overwriting backup tapes comes at a cost – they were spending about US$40,000 a month just for new tapes. More costs arose because they were prohibited from overwriting the hard drives of departed employees. At least that cost was alleviated recently with a new initiative to capture images of those hard drives before reassigning them to other employees.  It wasn’t until the IT director spoke to the company’s inside counsel that they created an appropriate retention policy that allowed them to move away from their “protect everything” policy.

Data retention policies are fairly straightforward documents that establish how long information must be kept on hand, unaltered. The problem is that different types of data must be retained for different lengths of time. Most data-retention policies open with a policy statement, followed by a retention schedule that lists every possible type of information that the company could have in its stores and the required retention period. There are also special instructions for archiving and for the ultimate destruction of the data, once the time limit has been exceeded. The policy is also likely to include procedures for retaining information when litigation is under way.

A comprehensive data-retention schedule requires a considerable amount of data-gathering. For example, you need to know the general nature of all data held in servers, in storage, on backup tapes and on individual PCs. That includes both active data — e-mail, chat logs, UNIX system logs, and firewall and VPN logs, for example — and inactive data such as documentation related to sales, service, legal and finance.

Another complication arises from being a global organization.  You need to look across the various markets that you serve and understand relevant data retention and privacy requirements. Some regulations extend to e-mail messages containing price negotiations. The key is to develop a policy to keep employees from deleting data that they think would hurt the company if discovered.

Creating a data retention policy is not easy.  Just identifying the various data custodians can be a challenge. But this shouldn’t be a task that you ignore.  Just like having a good disaster recovery plan, having a data retention policy will pay dividends, both when it comes to finding and presenting the data that you need in a hurry, and through storage cost reductions.    Here is link to a good article that can help you get started.

We would love to hear your thoughts. Please comment below!

Huh?

Lots of confusion continues to swirl around the difference between a HIPAA Security Evaluation versus HIPAA Security Risk Analysis.  No wonder, the terms are often used interchangeably.

Let’s end the confusion…

Technically, one might argue when it comes to regulatory compliance of any type, three types of assessments can be completed:

1.      Compliance Assessments (Evaluation, in HIPAA Security Final Rule parlance) answer questions like: “Where do we stand with respect to the regulations?” and “How well are we achieving ongoing compliance?”

2.      Risk Assessments (Analysis, in HIPAA Security Final Rule parlance) answer questions like: “What is our risk exposure to information assets (e.g., PHI)?” and “What do we need to do to mitigate risks?”

3.      Readiness Assessments answer questions like “Have we implemented adequate privacy safeguards?”, “Have we implemented adequate security safeguards?” and are we ready for audit.

We focus on the first two in this post becuase these are the ones you must complete.  Both are Required by the HIPAA Security Final Rule.

A thorough HIPAA Security Compliance Evaluation broadly covers all aspects of the law including all 18 Standards and 42 Implementation specifications that comprise the Administrative, Physical and Technical Safeguards (CFR 164.308, 310, 312) in the HIPAA Security Final Rule.  Additionally, this evaluation must cover CFR 164.314 and 316 related to Organizational Requirements, Policies and Procedures and Documentation. 

As indicated above, completing this HIPAA Security Compliance Evaluation is required by every Covered Entity and Business Associate.  The language of the law is in 45 C.F.R. § 164.308(a)(8):

Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

This type of assessment is a critical step and should be completed whether one is just starting a HIPAA Security Compliance program, rejuvenating an existing program and maintaining an existing program.  The output of the evaluation establishes a baseline against which overall progress can be measured by the executive team, compliance or risk officer, audit committee or board.  Think FOREST view. At the end of such an evaluation, one would have a Summary Compliance Indicator such as the one shown in the following Security Evaluation Compliance Summary:

A HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A))  is also required by law to be performed by every Covered Entity and Business Associate.  Additionally, completion of the Risk Analysis is a core requirement to meet Meaningful Use objectives.  Section 164.308(a)(1)(ii)(A) of the HIPAA Security Final Rule states:

RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

As required by The HITECH Act, the Office of Civil Rights, within the Department of Health and Human Services (HHS), has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.  This guidance was published on July 8, 2010.  No specific methodology was indicated.  However, the guidance describes nine (9) essential elements a Risk Analysis must incorporate, regardless of the risk analysis methodology employed.  We have designed a Risk Analysis methodology and ToolKit around these elements while using industry best practices.

As an example, upon evaluation of each information asset that creates, receives, maintains or transmits electronic Protected Health Information (ePHI), one would have an asset-by-asset evaluation of risk, along with mitigation actions involving new safeguards or controls:

Upon completion of the Risk Analysis for all information assets, an overall Risk Analysis Project Tracking tool would be used to ensure ongoing project management of the implementation of safeguards:

So, when it comes to HIPAA Security Compliance Evaluation, think:

·         Forest-level view

·         Overall compliance with the HIPAA Security Final Rule

·         Establishing baseline evaluation score for measuring progress

·         Asking: Have we documented appropriate policies and procedures, etc?

·         Asking: Are we performing against our policies and procedures?

When it comes to HIPAA Security Risk Analysis, think:

·         Trees/Weeds-level view of each information asset with PHI

·         Meeting a specific step in the overall compliance process

·         Understanding current safeguards and controls in place

·         Asking: What are our specific risks and exposures to information assets?

·         Asking: What do we need to do to mitigate these risks?

Both the HIPAA Security Compliance Evaluation and the HIPAA Security Risk Analysis are, required by law and important and necessary steps on your HIPAA HITECH Security compliance journey.

Please feel free to contact us to benefit from our expertise and help you jump-start your program. 

bob.chaput@H3CA.com or call 615-496-4891

Like moths to a porch light, many lawyers are finding the uncertain legal and regulatory terrain of cloud computing to be fertile ground for new legal analysis–and new legal business.  They may have a point.  What should you do to reduce the risks when implementing cloud computing?

Cloud computing, which can be a truly dynamic, multi-party compute environment, challenges laws that assume that electronic assets behave the same as their paper or celluloid brethren—being static, not easily duplicated and stored on the owner’s premises.

The gap between the cloud and the current state of legislation is considerable. Legal experts who have looked at cloud computing from the user’s perspective have identified several issues, including:

1.    The ability of cloud computing service providers to change terms of service with little or no notice to users of the service

2.    The attraction to hackers to “high value” targets.  The breach of Twitter data on the Google infrastructure was a wake-up call.

3.    The possible centralization of user data with a few cloud computing firms

4.    Exposure of data to seizure by foreign government and data subpoenas

5.    The ability to put a litigation hold on your data if data is carried in the “cloud.”

Until these issues are addressed, corporations will hesitate before jumping into cloud computing and cloud storage.  The legal debates that are happening now will hopefully lead to legislation that will make external clouds as safe a choice as leasing office space.  But until then, buyer beware.  

You should evaluate any cloud computing outsourcing relationship based upon the vendor’s track record and its ability to document service levels very specific contracts.  

Our advice is to work with a cloud storage vendor who truly understands your enterprise storage requirements. 

We would love to hear your thoughts. Please comment below!