Hi

if anyone is working in this industry please explain to me what a basic HIPPA compliant storage setup would be like. Is it just a office PC in a medical practitioner office that has a encrypted and secured internal hard drive or is there something more than that ? is it a external solution ? what kind of encryption ?

Im so confused and we have until the end of the month to get something up and running storing over 20,000 patient records lol.

thanks a lot!!

we decided to go with a NAS solution server. estimated total size of data is between 1.5 TB to 3.0TB and backup copies of that should mean at least a 3.0 to 6.0 TB of total space

I did some really brief research and stumbled upon many kinds of NAS stand alone desktop server solutions ranging from specs between 3.0 to 32.0 TB and processors from ARM, Atom, Xeon and a few others and memory from 512mb to 16 GB ECC.

All are hot swapable drive configurations between 2 to 8 physical drives with RAID and iSCSI options. Some even had other more advanced options like Virtualization and Private Cloud and even Windows Storage Server 2012.

I think the best company is ioSAFE or Synology Inc but really I have no idea... there is also Seagate and Western Digital and also other brands like Buffalo which had a 32 TB NAS hahaha... thats probably overkill

But I need some help from some storage and data experts please.

I also have not considered the factor of how much time the data will be stored for until its purged.

Im told that since its sensitive data it must be completely secured both on a physical level as well as a electronic level. So ioSAFE I noticed has fire and water proof solutions. And then it seems every brand offers some sort of automated proprietary backup software solution plus the included government and even military grade encryption which meets or exceeds what we require for HIPPA compliance. Im in the state of California also so Im not sure if that makes a difference.

Budget is between $1k to $4k but Id prefer the maximum cost savings. And that may or may not include Data recovery service - it really depends on the quality of the hard drives and their individual warranties. If the hard drive quality sucks then maybe we might need to have data recovery service. But if the hard drives are enterprise / data center grade then maybe we can go by without data recovery service and just make use of the RAID functions on the NAS itself.

Here is synology - http://www.newegg.com/Synology-Inc-Desktop-NAS/BrandSubCat/ID-11245-124
Here is ioSAFE - http://www.newegg.com/Product/ProductList.aspx?Submit=ENE&DEPA=0&Order=BESTMATCH&Description=ioSAFE&N=-1&isNodeId=1

http://www.newegg.com/Product/Product.aspx?Item=9SIA2E11427335 (and notice they include Data recovery service for 1 year)
http://www.newegg.com/Product/Product.aspx?Item=N82E16822501063 (and notice they include a Data Recovery service for 5 years!)

so anyone familiar with NAS, backup solutions, Cloud, or even data recovery services then please do drop a comment here as all help is appreciated. I hope to get something ordered by end of the year please.

I checked on how long the data needs to be stored and I am getting back it can range between 3 to 10 years lol but its preferred to be at least 10 to 15 years but for legal reasons and so on outside of compliance requirements its best to keep it as long as possible. But it also depends on weather or not the patient record data is active or not and if the patient is alive or dead as a good chunk of those 20,000 records belong to deceased patients.

So this means the hard drives and the backup functions must be spot on with high reliability and redundancy. Nothing cheap or known to be faulty. Although keeping multiple backups will help which is why I think RAID is defiantly needed, I still think its a good idea to have as many physical drives as possible because in case 1 or more were to fail I can just swap out the faulty one, purge the data quickly and replace the drive. So again drive quality itself must be rock solid.

And what exactly is iSCSI - I thought a basic http or FTP would be fine but whats all this about iSCSI or whats the difference between conventional access and transfer tools over online IP address site and then this iSCSI thing lol. sorry if this is a silly question.

And here is the insane Buffalo 32 TB NAS-

http://www.newegg.com/Product/Product.aspx?Item=N82E16822165501

Synology Inc - http://www.synology.com/en-us

for you data experts to read - http://www.synology.com/en-us/dsm/business_virtualization_iscsi_virtualization_suppo rt

It seems of all the brands Synology offers the best in class for speed but what about reliability of the drives themselves ? some users on newegg complained of drives failing lol

But synology is good also because they have scalability and integration with Camera Video Surveillance

ioSAFE website
http://iosafe.com/products-2baynas-overview

its a high quality product I must admit but Im not sure if its the best in price and value or if its complete for what we need. It seems like they just wrapped up the drives themselves with water and fire proof material and attached NAS hardware lol....

I am surely not a NAS expert, but i am sure that to reach compliance with the strenuous requirements you will need to consider an off-site data backup program.
Even the best fire-proof safes can be stolen. They also can fail, etc. if the PSU on that NAS goes out and fries your drives, your screwed to put it bluntly. Also, viruses, etc, can do serious damage.
Many companies will keep a safe deposit box with a HDD in there with all of their data for offsite data storage.
iSCSI allows the user to configure the drive as a local storage volume. You would handle it much like a normal HDD, even with queuing that some solutions dont offer, once the connection is established with the host computer.

Western Digital
http://www.wdc.com/en/products/business/networkstorage/
http://www.wdc.com/en/products/products.aspx?id=1160
http://www.amazon.com/Sentinel-DS6100-Ultra-Compact-Storage-WDBWVL0120KBK-NESN/dp/B00F42GXAU

Very high quality specs if you notice and reasonable price. I can find it for $3200 / 12 TB model or $3700 / 16 TB model or $2700 / 8 TB model

and its a quad core XEON with 16 GB ECC and its expandable and includes Windows Storage Server 2012

or if we took one series down we can get the dual core XEON
http://www.wdc.com/en/products/products.aspx?id=1150

and its basically half the specs of the other one at 8 GB ECC RAM and Dual Core XEON

but I cant seem to find any information on the drives themselves if they are SATA 300 or 600 on any of the western digital NAS options ?

I am surely not a NAS expert, but i am sure that to reach compliance with the strenuous requirements you will need to consider an off-site data backup program.
Even the best fire-proof safes can be stolen. They also can fail, etc. if the PSU on that NAS goes out and fries your drives, your screwed to put it bluntly. Also, viruses, etc, can do serious damage.
Many companies will keep a safe deposit box with a HDD in there with all of their data for offsite data storage.
iSCSI allows the user to configure the drive as a local storage volume. You would handle it much like a normal HDD, even with queuing that some solutions dont offer, once the connection is established with the host computer.

Good point. Yes I thought about enabling the access online so I can begin a remote offsite backup copy of the original data from the NAS once the NAS is up and running.

But it wont be managed nor does it seem any companies out there offer much in terms of management services unless you configure your own customized plan and that can run up to thousands and thousands of dollars.... It really just comes down to protecting the data from loss or failure and theft by means of backup and security measures. So a NAS + a basic offsite backup (secured physically of course) I think is enough and I think most NAS all-in-one storage solutions have included security and backup features. But to go the extra mile I am planning to duplicate the contents from the NAS and then store that duplicate copy in a safe. I think that should be sufficient.. at least for the next 10 to 15 years assuming proper backups are maintained and checked periodically.

also I dont feel like building my own NAS although if someone wants to guide me step by step into doing that then I may consider it but it seems like all these all-in-one ready to go NAS solutions from these companies offer much more better performance and support. And I think they are cheaper than building a custom NAS server but I can be wrong in saying that. I am not a NAS expert.

okay for offsite we will go with crashplan pro i think
http://www.crashplan.com/enterprise/private-cloud.html
https://www.crashplan.com/enterprise/compliance.html

mayo clinic uses them and they are in fact HIPPA compliant :D

but this does not eliminate the need for a physical copy of our own on hand whenever we need

So that means we still will need to go with a NAS solution and yes it should include the security and reliability as mentioned above but all in all in the end the crashplan setup will cover all the compliance requirements and long term needs for backup... ha i just read they dont ever delete anything lol


the only question i have about crashplan is whats the difference between private and public cloud - if I understand correctly, the private cloud is like its almost "invisible" online so only a person who knows the address location and login credentials could see it ? and if thats true then do the individual plans include private cloud lol.... i mean the 1 system we can backup on the individual plan can be the NAS itself lol so it would be very very inexpensive this way and it seems we get all the same features otherwise as the business plan side of crashplans offerings.... we dont have more than 1 system / user so why would we need to go with the multi-user setup on the business plan ?

and what exactly is geographic redundancy or Geo-redundant storage

Every company seems to have their own cherry-picked definition and its annoying lol

If I understand correctly, basically it just means my data has multiple backup copies outside in other data centers around the world depending on which data centers the company has access to ?

I think you need to speak with consultants that are specialized in HIPAA (not HIPPA right?) compliance as there are may levels / layers to their requirements and some are just guidelines rather than requirements.

NAS's are not all the same, you may not even need a NAS. I read through some of the guidelines but I would not consider myself to be a good source of information.

Something to bear in mind, you may be fine with direct attached storage (external) if you aren't sharing the disk space out and using a compliant encryption application.

hecktic

There are quite a few IT providers for medical industry. VCPI, Airimed(SP?), OID just to name a few.

HIPPA doesn't actually have any DATA reliability factors. Just Data security. For example TrueCrypt full volume encryption on a laptop would be HIPPA complaint, as long as you do not make the optional recovery media.

If your part a provider network, usually they can lead you to consulting firm or offer in house assistance. Please remember most provider networks have requirements more advanced then required by statute. Also the back-ups need to provide the same level of security.

Please remember site like crash-plan usually over sell. As for Mayo Clinic (at least if your referring to the one here in Chicago) uses a in house solution built around :censored:. Now that I think about it I'm not sure if I'm allowed to discuss it.