HIPAA
Protecting Sensitive Data
HIPAA has enacted several mandates to improve the access and portability of patient health records while maintaining strict privacy and security. A critical aspect of the HIPAA privacy ruling is Data Protection, requiring compliant backup methodologies to ensure the security and confidentiality of patient records. Health care providers who engage in electronic transactions must observe privacy safeguards to restrict the use and disclosure of individually identifiable health information.
Requirements
Restrict Unauthorized Access: patient record confidentiality is critical. Any electronic data transfer and storage must be adequately protected and secure from all unauthorized access.
Contingency Plan: Organizations are required to have a written contingency plan to continue operations in the event of data loss. This contingency plan MUST include details concerning the data backup and recovery process, who handles the backup media, the media rotation process, where the media is stored off-site, how quickly it can be retrieved in the event of a disaster, and all other aspects associated with data backups, protection, security, storage, and recovery.
Data loss can result in further losses of productivity, patients/customers, and revenue. In many cases significant data loss will result in lost business. Fortunately, the damaging impact of data loss can be negated with a qualified data protection solution as part of your contingency plan.
Data Protection Options
Tape Drives: A tape drive is a data storage device that reads and writes data stored on a magnetic tape. It is typically used for archival storage of data stored on hard drives. Tape media generally has a favorable unit cost and long archival stability.
Instead of allowing random-access to data as hard disk drives do, tape drives only allow for sequential access of data. A hard disk drive can move its read/write heads to any random part of the disk platters in a very short amount of time, but a tape drive must spend a considerable amount of time winding tape between reels to read any one particular piece of data. As a result, tape drives have very slow average seek times. Despite the slow seek time, tape drives can stream data to tape very quickly. For example, modern LTO drives can reach continuous data transfer rates of up to 80 MB/s, which is as fast as most 10,000 rpm hard drives.
- A rotating backup methodology uses a minimum of 19 tapes per year.
- Tapes have a limited shelf life.
- Due to tape costs and media rotation hassles, it is common to resort to taping over and over on the same tape, only to discover that the tape has worn out, rendering the backups unusable.
External Disc Media (CD/DVD)
Due to their low price point and readily available drives, rewritable CDs (CD-RW) and DVDs have become a popular backup media. However, you should note:
- CDs have less storage capacity than tapes, making automated and unattended backups impractical.
- DVDs have a larger storage capacity than CDs, but are still limited.
- Off-site storage required. Convenient storage and expedited retrieval are necessary for emergency situations.
- Limited shelf life is a definite concern.
Since external backup storage media (Zip drives, CDs, DVDs, tapes, flash drives, external hard drives, etc.) can be easily stolen, support limited data sizes, often use little or no encryption, and must be transported to and from off-site storage facilities, they seldom represent adequate data protection solutions for HIPAA compliance.
Online Backup Services: a remote, online, or managed backup service is a service that provides users with an online system for backing up and storing files. Online backup systems are typically built around a client software program that runs on a schedule, typically once a day. This program collects, compresses, encrypts, and transfers the data to the remote backup service provider's servers. Other types of products are also available on the market, such as remote continuous data protection (CDP).
Online backup services are usually priced as a function of the following:
- The total amount of data being backed up.
- The number of machines covered in the backup service.
- The maximum number of versions of each file that are kept.
Network Attached Storage (NAS)
NAS hardware is similar to the traditional file server equipped with direct attached storage. However, it differs considerably on the software side. The operating system and other software on the NAS unit provide only the functionality of data storage, data access and the management of these functionalities. Use of NAS devices for other purposes (like running a database) is strongly discouraged. Many vendors also purposely make it hard to develop or install any third-party software on their NAS device by using closed source operating systems and protocol implementations.
- NAS units also usually have a web interface as opposed to monitor/keyboard/mouse.
- Often minimal-functionality or stripped-down operating systems are used on NAS devices.
- NAS systems usually contain one or more hard disks, often arranged into logical, redundant storage containers or RAIDs (redundant arrays of independent disks), as do traditional file servers.
- NAS removes the responsibility of file serving from other servers on the network.

