HIPAA and SOX: What You Need To Know
With all of the hype surrounding new laws and regulations such as HIPAA and Sarbanes-Oxley that dictate short-term and long-term data storage and privacy, I thought I should spend some time discussing some of the issues facing storage professionals.
HIPAA Changes Healthcare Practices
The new Health Insurance Portability and Accountability Act regulations have changed healthcare documentation and storage requirements, and more importantly, requirements for data security. In my discussions with medical professionals, I understand that health care practices must deal with the following issues:
- Password protection and automatic lock outs.
- Hierarchies of security based on need to know. A doctor might have different access to information than the nurse or the pharmacist.
- Backup of data and ensuring 100 percent data reliability.
- Forms and releases must be scanned, saved and available.
- Strict authorization controls.
A good place to start is to review the guidelines provided by the National Institute of Standards and Technology (NIST) in its HIPAA Resource Guide. These standards are very high-level and do not deal with specific security issues for specific systems, but they do provide a general framework for some of the requirements.
One important area to consider is that most UNIX and Linux operating systems do not provide a multi-level security frame, so if someone gets root access they can read the raw device, and on some systems, they can read any file system data, circumventing all other protections. Nowhere in the regulations did I find anything that addresses this persistent problem in UNIX and Linux operating systems, but it's an important vulnerability to address.
For more on HIPAA, see HIPAA Deadline Boosts Healthcare Data Practices.
Thanks to accounting fraud at the likes of Enron and Worldcom, Congress decided that additional protections were needed to safeguard sensitive corporate data. Sarbanes-Oxley deals with much more than just storage, but documents and e-mail provide an important record or trail for regulators (and lawyers).
For more details on Sarbanes-Oxley requirements, see Sarbanes-Oxley: Driving the Storage Compliance Boom.
Developing a Compliance Policy
As a storage professional, how do you develop a compliance policy for these types of regulations, and how can you ensure that it is followed?
Sarbanes-Oxley and HIPAA share a common theme for storage administrators: that data must be controlled and protected. There are three areas that must be examined in order to secure storage:
- Access to local data;
- Access to backup data, and
- Ensuring that backups of critical data are maintained.
Access to file systems data can only be protected on most operating systems (this includes UNIX, mainframe, Windows and Linux) if the operating system supports multi-level security. NIST provides ratings of a variety of different products including operating systems. These ratings go from Evaluation Assurance Level 1 to 7, or EAL1 to EAL7. The definitions and meanings of these levels can be found here.
International readers should note that much of the world is following these standards for operating systems security functionality. You can see the latest information on operating systems ratings at this link.
Understanding what an operating system can provide in the way of security and implementing operating systems that meet the security requirement for the data in question is a critical part of making sure you don't wind up in front of a grand jury.
Some operating systems are very secure, not allowing access to any data by anyone, including root, unless specifically authorized. For these types of operating systems, there is a great deal of communication between the file system and operating systems.
One thing I did not see listed in the regulations is the firmware for RAID controllers and Fibre Channel switches. Many Fibre Channel switches have authentication between the HBA, switch and RAID built in, which is part of the current standard, but as of this writing, neither Fibre Channel switches nor RAID controllers and their maintenance interfaces have been certified. This is likely a low vulnerability area, but it should be pointed out.
Of course, if machines are on the Internet, the vulnerability increases greatly, and operating systems that support multi-level security and are certified are a critical component for data security.
Backup tapes are an important way of ensuring that critical data is always available, but as recent tape losses at Bank of America and other have shown, shipping tapes without having the data encrypted can get you into serious trouble.
Backing up data is a double-edged sword. On one hand, you want to make sure that if the system fails, you can reliably and quickly get all of you data back. On the other hand, once the data leaves your environment, the possibility grows that someone will access the data who should not. So what is an administrator to do?
Even if the data is within your organization, someone could still access data that was not authorized if you don't encrypt or have proper handling policies. Also, remember that writing tapes over a network can be problematic (see Tale of the Tape: Beware of Wind Quality), but a number of new virtual tape products are now available that will allow you to cache before it is written to tape.
Keeping tape backups out of the hands of someone who shouldn't have access to the data takes time and careful planning, as does ensuring that the data is accessible by those who need it.
Remember that rolling backups using the same tapes over and over again plays into the hands of someone wanting to delete potentially damaging information. Keeping your backups can be expensive, since enterprise tape costs on average about $100 per cartridge. Most sites keep backup tapes, but it is always important to maintain a great deal of security so that the data cannot be erased either inadvertently or on purpose.
With new technologies such as MAID (massive array of idle disks), deleting or changing data backups could theoretically be done much faster than ever before. This means that hackers and white-collar criminals can cover their tracks quickly, and even with some very expensive computer forensics, getting the original data back might not be possible. Gone are the days in the 1980s where people who used e-mail did not realize that backup copies were kept of everything.
Keeping yourself out of trouble is not that hard, but it seems that far too many companies do not get that it is the simple things that can easily maintain data security; take Bank of America, for example. Data security does not come free, whether it is patient records, credit card numbers or other personal data, but the cost of one mistake, one hacker, or one stolen Federal Express box can be more than you think. The cost of an MLS operating system, encrypted tapes and other security measures are all cheap compared to one loss or fraudulent activity. The negative publicity alone from such an event can cost more than doing it right in the first place. I never plan to sit in front of a federal grand jury, and I keep that in the back of my mind every time I make a decision on data security. You should too.
Henry Newman, a regular Enterprise Storage Forum contributor, is an industry consultant with 24 years experience in high-performance computing and storage.
For more storage features, visit Enterprise Storage Forum Special Reports