Backups and HIPAA

  • What are the SQL backup requirements under HIPAA? Do backups need to be password protected? Any info would be helpful.

  • I have no idea what HIPAA is; however, the native SQL backup isn't that secure. Even with password protection it's fairly easy to get into.

    Depending on how you want to do your backup (disk or tape) you might be better off looking at a 3rd party utility that allows you to put decent password protection on the backup.

  • If going the third party route is not an option you could create backup files from SQL Server then zip them and password protect the zip file. A poor man's substitute but better than none!

    Don

  • Don,

    Do you know if password protection is required under HIPAA?

  • To my knowledge, HIPAA (Health Information Portability and Accountability Act) doesn't require passwords per se, but rather requires you to keep PHI (Private Health Information) secure from people who shouldn't have access. So, having good network security on the folder(s) that backups are stored in may be good enough.

    If you really want to be secure, I would use EFS (Encrypting File System), though in our shop, we just make sure that permissions on the folders where backups are stored are limited.

    I work in a medical claims processing company, so I have some idea what is required, but in the end, unfortunately, the courts will decide what should have been done, if a lawsuit is lost.

    So long, and thanks for all the fish,

    Russell Shilling, MCDBA, MCSA 2K3, MCSE 2K3

  • HIPAA is not that specific. You will need to do a risk analysis and if you believe your backups are insecure, then implement protection. If in your risk assessment you believe that your are storing the backups on a secured network, on a secured server ... then simply document it and move on. HIPAA does however require encryption over a public internet, so if you are moving your backups across a public network, then that needs to be encrypted or behind a firewall ...

  • I concur with the previous two posts.  Most vulnerability assessments that I've participated in concerning HIPAA were primarily concerned with the API, user security, password policies enforcement, and restricting PMI (Patients' Medical Information) data to those in a (usually clinical) position with a 'need to know' in order to perform their job functions.  Other questions were about having policies in place to remove access for terminated or transferring employees, how often audits were conducted, etc.  Finally we have signs up all over the floor wherever printers are installed reminding users not to leave PMI in public view.  In fact, I can't remember one instance where they even really asked much about the back end.

    Your responsibility as an administrator, however, is to make sure that all data is as secure as possible, and that's true with or without being held under the HIPAA rules. IMHO, password protecting the backup files is of limited value because it's not very robust and there are other ways for a determined individual to get at the data.

    My hovercraft is full of eels.

  • I just found this link http://www.imceda.com/files/HiPAA.pdf

  • Just remember that Imceda wants you to buy their encryption solution. I'd be concerned that the encryption key has to be accessible to those same people who would likely have server access. Thus, encryption is no better protection than server access controls.

    So long, and thanks for all the fish,

    Russell Shilling, MCDBA, MCSA 2K3, MCSE 2K3

  • HIPAA requirements do require that any personal identifying private health information be protected on a need-to-know basis. This would mean that even within your organization, there are colleagues that do not have a need to know, and if that information was "leaked" to those individuals, a violation has occurred. I work for a health insurance company, and we have been told to be very careful about discussing claims with other individuals within our departments, because of who might overhear what is being said. HIPAA is a serious situation in any organization dealing with health related data. I would say that you do need to be concerned with securing backups, and though encryption may not be required right now, it probably will be in the near future. Password protection in and of itself won't be sufficient. IMCEDA uses some of the strongest encryption routines available, and gives options for several different ones. Rijndael 128-bit encryption is available with LiteSpeed (IMCEDA), SQL Safe (IDERA), and SQL Backup (Red Gate).

    Steve

  • HIPAA doesn't require a password, but there are many business products which provide health care solutions. Edifecs HIPAA 5010 migration provides you with Edifecs health care business solutions.

  • I work in a medical insurance company (12 years now); from the IT end I am involved in most of the HIPAA related activities. As mentioned previously, the core of HIPAA is to keep PHI information out of the hands, sight, access, etc. of those who do not have a "need to know" situation.

    The specifics on how this is done are not set. What you need to be able to do at the end of the day with your backup is say that no one who does not have a business reason to have the backup can get to it.

    This could be encryption, it could be tapes stored in a safe, even a secured room can work, as long as, in this case, only those who need to use the backups can get to them.

    HIPAA does include a reasonability clause; that is, you are expected to do everything reasonable to protect the data. As is clearly known, nothing is perfectly secure.

    In general, most of what HIPAA requires would be generally good practice for any sensitive information.

    Myself, as I work on projects here I keep in mind: if this was my personal information, what would I want done to protect it? It seems to help a lot in figuring out what to do.

  • Hello

    I'd like to add that even though HIPAA may not require you to encrypt your database at rest, it does require you to notify EVERY person in that database, make a press release, and notify the FDA etc., if that data is misplaced or stolen and it is not encrypted.

    If it is encrypted at rest then you don't need to notify under some instances. These are things you need to consider.

    In terms of the data, PHI (primary health information) MUST not be identifiable to the patient. This goes for name, date of birth, city, serial numbers, so it's basically every bit of data you collect about them.

    It is a VERY VERY complex set of laws, and you need to consult a lawyer, as the potential liabilities are severe, not only monetary but financially.

    Also, at-rest encryption means that if someone copies the database, backups, rips out the drive, etc., the data is unusable. Disk-based encryption isn't enough.
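
    The at-rest backup encryption discussed in the thread can be done natively in SQL Server 2014 and later, as this added example shows (it is not code from any poster, and it replaces the weak backup password option mentioned in the early replies, which was removed in SQL Server 2012). The database name, file paths and passwords are constructed placeholders; the final query is a check an administrator can run to catch backups that were written unencrypted.

```sql
-- Added example (not from this thread): native backup encryption, SQL Server 2014+.
-- Database name, paths and passwords below are constructed placeholders.
USE master;
GO
-- 1. A database master key in master protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-placeholder-password-1>';
GO
-- 2. The certificate is the encryptor used for backups.
CREATE CERTIFICATE BackupEncryptCert
    WITH SUBJECT = 'Backup encryption certificate (example)';
GO
-- 3. Export the certificate and private key at once and store them apart from the
--    backup files: without them an encrypted backup cannot be restored anywhere.
BACKUP CERTIFICATE BackupEncryptCert
    TO FILE = 'D:\keys\BackupEncryptCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\keys\BackupEncryptCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-placeholder-password-2>');
GO
-- 4. Take the backup encrypted with AES-256; a copied .bak file is unusable
--    without the certificate, which is the property the posters above want.
BACKUP DATABASE ClaimsDB
    TO DISK = 'E:\backups\ClaimsDB_full.bak'
    WITH ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupEncryptCert),
         COMPRESSION, CHECKSUM;
GO
-- 5. Verification: list the last week's backups from backup history and flag any
--    written without encryption (key_algorithm is NULL for unencrypted backups).
SELECT bs.database_name,
       bs.backup_finish_date,
       bmf.physical_device_name,
       bs.key_algorithm,
       bs.encryptor_type,
       CASE WHEN bs.key_algorithm IS NULL THEN 'UNENCRYPTED' ELSE 'ok' END AS status
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf
    ON bmf.media_set_id = bs.media_set_id
WHERE bs.backup_finish_date > DATEADD(DAY, -7, GETDATE())
ORDER BY bs.backup_finish_date DESC;
```

    Note that, as a later poster points out, whoever can read the exported certificate and its password can restore the backup, so the folder permissions discussed earlier still apply to D:\keys as much as to the backup files themselves.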

  • Offsite backup is best for HIPAA compliance, and encryption is not necessary. The technical requirements for HIPAA are minimal, and more concerned with policies/procedures. If you're contracting with a third-party, I'd recommend checking to see if their company has been audited for best HIPAA-compliant hosting practices.
