In this article, we are going to discuss HIPAA principles — the basic law that regulates operation with personal medical data. We will also create a HIPAA compliant backup using CloudBerry Backup.
HIPAA Basic Principles
The United States HIPAA (Health Insurance Portability and Accountability Act) is legislation that mandates data privacy and security provisions for the safeguarding of patient data by health organizations, including drugstores, hospitals and specialized insurance companies. This law was further amended to include the HITECH Act (The Health Information Technology for Economic and Clinical Health). It is a requirement to apply necessary protection for this data for backup storage and data transfer to comply with these laws.
There are two major HIPAA sections:
- HIPAA Privacy Rules ensure the protection of confidentiality of patient medical data.
- HIPAA Security Rules ensure security, confidentiality, and availability of medical data.
HIPAA Privacy Rules protect “personal or protected health information” or PHI. Special attention is paid to data that is managed or sent from organizations through email. The objective of HIPAA Privacy Rules is to detect and terminate any circumstances in which PHI can be used or disclosed without the knowledge of patients. Organizations should also be able to provide access to PHI, as well as data relating to personal data disclosure, upon the request of third parties, or organizations to the patient, or his/her representative.
HIPAA Security Rules also establish a number of basic principles for organizations. In particular, it is imperative to guarantee the confidentiality, integrity, and availability of all PHI that is created, received, managed or transferred by the organization. In addition, this information shall be protected from security and integrity threats, inadmissible use, or disclosure. Backup is a means of protection from such risks.
Both, organizations that maintain user data and business partners, shall observe the legislative regulations. When using cloud storage, said partners are cloud service providers.
PHI Backup to the Cloud
Backup of confidential health information to a HIPAA compliant cloud avoids significant penalties if such information is ever lost.
To be HIPAA compliant, a cloud provider should sign a special business partnership contract. The contract includes the need to notify of data leaks and additional protection of information. Not all cloud providers support HIPAA regulations.
Here, is a list of the most popular cloud storage providers and their services compliant with the requirements of law:
- Amazon Web Services. HIPAA support in S3, S3-IA and Glacier. You can find a full list of compatible services here
- Microsoft Azure. HIPAA support in Microsoft OneDrive for Business or Microsoft Azure Storage
- Google Cloud Storage. HIPAA support in Google Nearline and Google Coldline
But is it enough to simply backup files to the compliant cloud storage providers?
Ensure your Backup is Compliant
Compliant backup is not simply about transferring files to local or cloud storage. It means implementing several necessary procedures.
- Backup to multiple locations
The best way to ensure your local data is safe and protected against unexpected issues (floods, fires, ransomware) is to backup files to multiple locations. One of the most effective ways is to follow 3-2-1 backup strategy.
- Encrypt your data
PHI data needs to be encrypted and, if possible, re-encrypted. All HIPAA compliant storage providers support server-side encryption. However, server-side encryption is not enough. Refer to this article about how server side encryption can fail even with the best companies.
Let’s set up a CloudBerry Backup encrypted backup plan to AWS S3 cloud for HIPAA compliant backups.
How to Perform a Backup using CloudBerry Backup
Let’s suppose that patient medical records are on-site, in folder D:\data.
We will now set up regular data backup to AWS S3 in CloudBerry Backup:
1. Select Local to Cloud in the main window. You can select either Local or Cloud Backup or Hybrid backup. Hybrid backup is a feature that allows you to perform local and cloud backup in one take. Check out more details about this feature here.
2. Select the required cloud storage account (you can add a new provider in Add New Account on the same tab):
3. Enter the name of the backup plan and select Advanced Mode – this will allow you to choose encryption settings, both for Amazon and CloudBerry Backup.
4. To prevent backup issues related to opened files and / or permissions, you should use VSS and copy NTFS permissions.
5. Choose the data to back up. If necessary, set exception filters for any files or folders which is not required to be backed up.
6. Set the backup encryption. You can use CloudBerry Backup encryption instead of AWS encryption – backups, in this case, data will be encrypted before the transfer to the cloud. Since only your company knows the encryption password, data cannot be decrypted without this password. However, it’s acceptable to use CloudBerry encryption with AWS Server-Side Encryption to add a second layer of protection.
7. Set up the policy for archive deletion, archiving schedule(s), and the start of programs and scripts, pre- and post-backup.
8. Set up email notifications for successful or unsuccessful backups completion. WIndows Event Logging can also be used to generate notifications by your central monitoring system since these systems often monitor the WIndows System Logs.
9. Lastly, review the backup plan parameters to complete the setup process.
You can find the newly created HIPAA compliant backup plan on the Backup Plans tab:
Patient medical records are now protected from hardware failure and unauthorized access thanks to AWS and CloudBerry Backup. You can archive SQL Server and Exchange databases in a similar way.