
Thread: HIPPA Compliance Storage solutions ??

  1. #1
    Xtreme Mentor
    Join Date
    Mar 2007
    Posts
    2,589

    HIPPA Compliance Storage solutions ??

    Hi

    If anyone is working in this industry, please explain to me what a basic HIPPA compliant storage setup would be like. Is it just an office PC in a medical practitioner's office that has an encrypted and secured internal hard drive, or is there something more than that? Is it an external solution? What kind of encryption?

    I'm so confused, and we have until the end of the month to get something up and running storing over 20,000 patient records lol.

    thanks a lot!!

  2. #2
    Xtreme Mentor
    Join Date
    Mar 2007
    Posts
    2,589
    We decided to go with a NAS solution server. The estimated total size of the data is between 1.5 TB and 3.0 TB, and backup copies of that should mean at least 3.0 to 6.0 TB of total space.

    I did some really brief research and stumbled upon many kinds of stand-alone desktop NAS server solutions, ranging from 3.0 to 32.0 TB, with processors from ARM, Atom, Xeon and a few others, and memory from 512 MB to 16 GB ECC.

    All are hot-swappable drive configurations of between 2 and 8 physical drives with RAID and iSCSI options. Some even had other more advanced options like virtualization and private cloud, and even Windows Storage Server 2012.

    I think the best companies are ioSAFE or Synology Inc, but really I have no idea... There are also Seagate and Western Digital, and other brands like Buffalo, which had a 32 TB NAS hahaha... that's probably overkill.

    But I need some help from some storage and data experts please.

    I also have not considered how long the data will be stored for until it's purged.

    I'm told that since it's sensitive data it must be completely secured on both a physical level and an electronic level. So I noticed ioSAFE has fireproof and waterproof solutions. And then it seems every brand offers some sort of automated proprietary backup software solution, plus included government- and even military-grade encryption which meets or exceeds what we require for HIPPA compliance. I'm in the state of California also, so I'm not sure if that makes a difference.

    Budget is between $1k and $4k, but I'd prefer the maximum cost savings. And that may or may not include a data recovery service; it really depends on the quality of the hard drives and their individual warranties. If the hard drive quality sucks then maybe we might need to have a data recovery service. But if the hard drives are enterprise / data center grade then maybe we can get by without a data recovery service and just make use of the RAID functions on the NAS itself.

    Here is synology - http://www.newegg.com/Synology-Inc-D...t/ID-11245-124
    Here is ioSAFE - http://www.newegg.com/Product/Produc...=-1&isNodeId=1

    http://www.newegg.com/Product/Produc...9SIA2E11427335 (and notice they include Data recovery service for 1 year)
    http://www.newegg.com/Product/Produc...82E16822501063 (and notice they include a Data Recovery service for 5 years!)

    So anyone familiar with NAS, backup solutions, cloud, or even data recovery services, please do drop a comment here, as all help is appreciated. I hope to get something ordered by the end of the year please.
    Last edited by hecktic; 12-16-2013 at 12:16 AM.

  3. #3
    Xtreme Mentor
    Join Date
    Mar 2007
    Posts
    2,589
    I checked on how long the data needs to be stored and I am getting back that it can range between 3 and 10 years lol, but it's preferred to be at least 10 to 15 years, and for legal reasons and so on outside of compliance requirements it's best to keep it as long as possible. But it also depends on whether or not the patient record data is active and whether the patient is alive or dead, as a good chunk of those 20,000 records belong to deceased patients.

    So this means the hard drives and the backup functions must be spot on, with high reliability and redundancy. Nothing cheap or known to be faulty. Although keeping multiple backups will help, which is why I think RAID is definitely needed, I still think it's a good idea to have as many physical drives as possible, because in case 1 or more were to fail I can just swap out the faulty one, purge the data quickly and replace the drive. So again drive quality itself must be rock solid.

    And what exactly is iSCSI? I thought basic HTTP or FTP would be fine, but what's all this about iSCSI, or what's the difference between conventional access and transfer tools over an online IP address/site and this iSCSI thing lol. Sorry if this is a silly question.

    And here is the insane Buffalo 32 TB NAS:

    http://www.newegg.com/Product/Produc...82E16822165501
    Last edited by hecktic; 12-15-2013 at 11:48 PM.

  4. #4
    Xtreme Mentor
    Join Date
    Mar 2007
    Posts
    2,589
    Synology Inc - http://www.synology.com/en-us

    For you data experts to read - http://www.synology.com/en-us/dsm/bu...zation_support

    It seems of all the brands Synology offers the best in class for speed, but what about the reliability of the drives themselves? Some users on Newegg complained of drives failing lol.

    But Synology is good also because they have scalability and integration with camera video surveillance.

  5. #5
    Xtreme Mentor
    Join Date
    Mar 2007
    Posts
    2,589
    ioSAFE website
    http://iosafe.com/products-2baynas-overview

    It's a high quality product I must admit, but I'm not sure if it's the best in price and value or if it's complete for what we need. It seems like they just wrapped up the drives themselves with waterproof and fireproof material and attached NAS hardware lol....

  6. #6
    Uber Raid King
    Join Date
    Aug 2009
    Location
    Wichita, Ks
    Posts
    3,888
    I am surely not a NAS expert, but I am sure that to reach compliance with the strenuous requirements you will need to consider an off-site data backup program.
    Even the best fireproof safes can be stolen. They also can fail, etc. If the PSU on that NAS goes out and fries your drives, you're screwed, to put it bluntly. Also, viruses, etc., can do serious damage.
    Many companies will keep a safe deposit box with an HDD in there with all of their data for offsite data storage.
    iSCSI allows the user to configure the drive as a local storage volume. You would handle it much like a normal HDD, even with queuing that some solutions don't offer, once the connection is established with the host computer.

  7. #7
    Xtreme Mentor
    Join Date
    Mar 2007
    Posts
    2,589
    Western Digital
    http://www.wdc.com/en/products/business/networkstorage/
    http://www.wdc.com/en/products/products.aspx?id=1160
    http://www.amazon.com/Sentinel-DS610.../dp/B00F42GXAU

    Very high quality specs if you notice, and a reasonable price. I can find it for $3200 for the 12 TB model, $3700 for the 16 TB model, or $2700 for the 8 TB model.

    And it's a quad core Xeon with 16 GB ECC, and it's expandable and includes Windows Storage Server 2012.

    Or if we go one series down we can get the dual core Xeon:
    http://www.wdc.com/en/products/products.aspx?id=1150

    And it's basically half the specs of the other one, at 8 GB ECC RAM and a dual core Xeon.

    But I can't seem to find any information on the drives themselves, whether they are SATA 300 or 600, on any of the Western Digital NAS options?

  8. #8
    Xtreme Mentor
    Join Date
    Mar 2007
    Posts
    2,589
    Quote Originally Posted by Computurd:
    I am surely not a NAS expert, but I am sure that to reach compliance with the strenuous requirements you will need to consider an off-site data backup program.
    Even the best fireproof safes can be stolen. They also can fail, etc. If the PSU on that NAS goes out and fries your drives, you're screwed, to put it bluntly. Also, viruses, etc., can do serious damage.
    Many companies will keep a safe deposit box with an HDD in there with all of their data for offsite data storage.
    iSCSI allows the user to configure the drive as a local storage volume. You would handle it much like a normal HDD, even with queuing that some solutions don't offer, once the connection is established with the host computer.
    Good point. Yes, I thought about enabling online access so I can begin a remote offsite backup copy of the original data from the NAS once the NAS is up and running.

    But it won't be managed, nor does it seem any companies out there offer much in terms of management services unless you configure your own customized plan, and that can run up to thousands and thousands of dollars.... It really just comes down to protecting the data from loss or failure and theft by means of backup and security measures. So a NAS + a basic offsite backup (secured physically of course) I think is enough, and I think most NAS all-in-one storage solutions have included security and backup features. But to go the extra mile I am planning to duplicate the contents from the NAS and then store that duplicate copy in a safe. I think that should be sufficient... at least for the next 10 to 15 years, assuming proper backups are maintained and checked periodically.
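One concrete way to do the periodic backup check the post above relies on is to keep a SHA-256 manifest of the NAS data set and verify each copy (the offsite copy, the drive kept in the safe) against it, so that silent corruption or a file that never made it into the backup is caught before the original is lost. The script below is an added example written for this thread, not code from any poster or vendor; the directory names, the sample files and the helper names build_manifest and verify_backup are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256 hex} for every regular file under root.

    Hypothetical helper (added example): files are streamed in 1 MiB chunks so
    multi-gigabyte record exports do not have to fit in memory.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_backup(source_manifest, backup_root):
    """Compare a backup copy against a manifest taken from the source.

    Returns a report with three lists: files missing from the backup, files
    whose content differs (bit rot, truncated copy), and files present only in
    the backup. 'ok' is True only when nothing is missing or modified.
    """
    backup_manifest = build_manifest(backup_root)
    missing = sorted(p for p in source_manifest if p not in backup_manifest)
    modified = sorted(
        p for p in source_manifest
        if p in backup_manifest and backup_manifest[p] != source_manifest[p]
    )
    extra = sorted(p for p in backup_manifest if p not in source_manifest)
    return {
        "missing": missing,
        "modified": modified,
        "extra": extra,
        "ok": not (missing or modified),
    }


def demo():
    """Constructed scenario: a source tree and a backup copy in which one file
    was silently corrupted and another never got copied."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "nas")       # stands in for the NAS share
        backup = Path(tmp, "offsite")   # stands in for the offsite/safe copy
        for base in (source, backup):
            (base / "records").mkdir(parents=True)
        # constructed sample content; no real patient data
        sample = {
            "records/patient_0001.pdf": b"constructed sample record 1",
            "records/patient_0002.pdf": b"constructed sample record 2",
            "records/index.csv": b"id,name\n1,x\n2,y\n",
        }
        for rel, data in sample.items():
            (source / rel).write_bytes(data)
            (backup / rel).write_bytes(data)
        # simulate bit rot in one backup file and loss of another
        (backup / "records/patient_0002.pdf").write_bytes(b"constructed sample record 2 CORRUPT")
        (backup / "records/index.csv").unlink()
        manifest = build_manifest(source)
        return verify_backup(manifest, backup)


if __name__ == "__main__":
    report = demo()
    for key in ("missing", "modified", "extra"):
        for rel in report[key]:
            print(f"{key}: {rel}")
    print("backup OK" if report["ok"] else "backup FAILED verification")
```

In practice the manifest would be written when the backup is taken and stored with the copy (and ideally a second time somewhere the backup cannot overwrite it), then re-run against each copy on a schedule; a non-empty missing or modified list is the signal to restore that copy from another good one before the original is needed.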

  9. #9
    Xtreme Mentor
    Join Date
    Mar 2007
    Posts
    2,589
    Also I don't feel like building my own NAS, although if someone wants to guide me step by step into doing that then I may consider it, but it seems like all these all-in-one ready-to-go NAS solutions from these companies offer much better performance and support. And I think they are cheaper than building a custom NAS server, but I could be wrong in saying that. I am not a NAS expert.

  10. #10
    Xtreme Mentor
    Join Date
    Mar 2007
    Posts
    2,589
    Okay, for offsite we will go with CrashPlan Pro I think
    http://www.crashplan.com/enterprise/private-cloud.html
    https://www.crashplan.com/enterprise/compliance.html

    Mayo Clinic uses them and they are in fact HIPPA compliant

    but this does not eliminate the need for a physical copy of our own on hand whenever we need it

    So that means we still will need to go with a NAS solution, and yes it should include the security and reliability as mentioned above, but all in all, in the end the CrashPlan setup will cover all the compliance requirements and long term needs for backup... ha, I just read they don't ever delete anything lol


    The only question I have about CrashPlan is what's the difference between private and public cloud. If I understand correctly, the private cloud is almost "invisible" online, so only a person who knows the address location and login credentials could see it? And if that's true, then do the individual plans include private cloud lol.... I mean the 1 system we can back up on the individual plan can be the NAS itself lol, so it would be very very inexpensive this way, and it seems we get all the same features otherwise as the business plan side of CrashPlan's offerings.... We don't have more than 1 system / user, so why would we need to go with the multi-user setup on the business plan?
    Last edited by hecktic; 12-16-2013 at 01:00 AM.

  11. #11
    Xtreme Mentor
    Join Date
    Mar 2007
    Posts
    2,589
    And what exactly is geographic redundancy or geo-redundant storage?

    Every company seems to have their own cherry-picked definition and it's annoying lol

    If I understand correctly, basically it just means my data has multiple backup copies in other data centers around the world, depending on which data centers the company has access to?

  12. #12
    Xtreme Addict
    Join Date
    Nov 2003
    Location
    NYC
    Posts
    1,650
    I think you need to speak with consultants that are specialized in HIPAA (not HIPPA, right?) compliance, as there are many levels / layers to their requirements and some are just guidelines rather than requirements.

    NASes are not all the same; you may not even need a NAS. I read through some of the guidelines, but I would not consider myself to be a good source of information.

    Something to bear in mind: you may be fine with direct attached storage (external) if you aren't sharing the disk space out and are using a compliant encryption application.

  13. #13
    Registered User
    Join Date
    Oct 2006
    Posts
    4
    hecktic

    There are quite a few IT providers for the medical industry. VCPI, Airimed (sp?), OID just to name a few.

    HIPPA doesn't actually have any data reliability factors. Just data security. For example, TrueCrypt full volume encryption on a laptop would be HIPPA compliant, as long as you do not make the optional recovery media.

    If you're part of a provider network, usually they can lead you to a consulting firm or offer in-house assistance. Please remember most provider networks have requirements more advanced than required by statute. Also the backups need to provide the same level of security.

    Please remember sites like CrashPlan usually oversell. As for Mayo Clinic (at least if you're referring to the one here in Chicago), it uses an in-house solution built around . Now that I think about it I'm not sure if I'm allowed to discuss it.
    Last edited by arddrea; 01-29-2014 at 09:09 PM.
