Over the last decade-or-so, regulatory standards have become an increasingly important part of doing business across the planet. Whether it’s a small eCommerce site out of Norway or a mega health insurance company in New York City, nearly every modern business has some industry standard that it needs to comply with. And whether it’s a federal law, like the Sarbanes-Oxley Act, or an international industry specification, like ISO 27001, hosting providers (especially those offering backup and disaster recovery) are often responsible for helping their clients achieve and maintain their compliance with these standards.
Let me just get this out of the way now: This article is not meant to provide legal advice for organizations who need to comply with these standards. If that's what you're looking for, then, my apologies, this isn't the article you're looking for.
What this article does aim to do is help service providers understand what they can do on their end to make themselves more favorable to potential customers who are aiming to comply with any of the following standards. From backup frequency and encryption to thorough planning and documentation, there is a lot you can do to earn the trust – and as a result, the business – of SMBs who are looking for a web hosting or data storage provider. Here are suggestions and resources to help you do that.
HIPAA, HITECH, and the Health Care Industry
The Health Insurance Portability and Accountability Act (HIPAA) regulations were first introduced in 1996, with the HIPAA Security Final Rule going into effect in April 2003. While much of the regulation tied to HIPAA was meant to establish a standard for access to and renewability of health insurance for U.S. citizens, Title II specifically aims at preventing health care fraud and keeping patient information secure.
Following the passing and implementation of these rules, all covered entities (CEs) were legally obliged to securely back up "retrievable exact copies of electronic protected health information" (ePHI). The HITECH Act, enacted in 2009, pushed the health care regulatory standards a step further by strengthening the civil and criminal enforcement of HIPAA rules, particularly around patient privacy and security.
Okay, but what does all of that really mean to web hosts and their clients who are responsible for that electronic health information?
In short, it means that CEs (and through them, web hosting providers) must ensure that all patient data is recoverable and that they have the means to fully "restore any loss of data." As technology has become more and more prevalent in this industry the meaning of this has evolved, but in today's real-time transactional world it essentially means that web hosts should be able to back up their clients' data multiple times an hour to safeguard against a server crash, database corruption, or even human error. Without the ability to back up at least every half hour, web hosts are potentially putting their customers at risk of losing a significant amount of data if an emergency situation were to occur.
Taking a quick look at HIPAA’s standard contingency plan specifications, it becomes clear that it’s about more than the frequency with which ePHI is backed up. Rather than jump into all the intricacies and legal jargon of the regulations, here are a few basic tips that you and your customers in the health care industry can start with:
- Replicate Data Offsite: It’s very difficult to defend any backup and disaster recovery plan that stores the backup copy of ePHI data in the same location as the original data store.
- Encrypt: As a hosting provider, it’s important that you do your best to maintain the security of any data in your possession. Whether it’s original data or a backup, in transit or at rest, encrypting ePHI is a great way to safeguard against the data breaches that are mentioned in the HITECH Act.
- Recovery Mode: Make sure that you talk to your clients and help them understand your processes for restoring any original data that they may lose. Work with them to establish and implement a plan that they’re comfortable with and that you can live up to.
- Test, Test, Test: Covered entities are required to implement periodic testing and revision of their BDR plan. While this can seem tedious and time-consuming, failing to confirm that backups are running successfully is nearly as bad as not backing up at all.
- Document the Procedures: It's not good enough for you or your customers to talk about a BDR plan. Documentation of policies and procedures is a huge part of this. If it's not thoroughly documented, it's hard to prove it even exists.
SOX and Financial Records
The Sarbanes-Oxley Act of 2002, better known as SOX, is a U.S. federal law set to regulate the retention, management and control of electronic records and financial transactions – primarily for public companies. Essentially, SOX established that public companies needed to retain financial records and data without alterations for a minimum of five years.
Along with settling on 256-bit AES encryption as the government standard, SOX further emphasized the need for these organizations to utilize backup within the wide spectrum of data protection. It means that stored financial data must not only be accessible 24x7, it must also be kept in an organized, discernible sequence. As was the case with HIPAA, SOX compliance includes the documentation of retention policies and testing of backup systems on a quarterly basis.
All of this means that, for customers who fall under the SOX umbrella, you need to be able to provide a backup solution that includes:
- 256-bit AES encryption, both with data in transit and at rest
- Frequent, light-weight retention points built on top of an original full snapshot of the data
- Continuous Data Protection technology that constantly monitors and backs up the sequential changes to client data
PCI Security Standards
Unlike SOX and HIPAA, the Payment Card Industry Data Security Standard (PCI DSS) was not created by federal law in the United States. The PCI Security Standards Council, the governing board for PCI standards, was born in 2004 out of a need to standardize the security programs of five major credit card companies (Visa, MasterCard, American Express, Discover, and JCB). In June 2005, the industry standards decided upon by this private regulatory board took effect internationally in an effort to protect payment card user data.
The fact that these standards were created by a private, international regulatory board adds a bit of complexity. For service providers, who are specifically called out in the standards, it means that regardless of where you or your customers are geographically located, if you are storing, processing, or transmitting any information from any of the major credit or debit card companies, you must comply with their standards. And according to FocusonPCI.com, PCI standards are the most "comprehensive and specific set of security controls ever compiled into a major industry standard or law."
And in the eyes of the PCI SSC, it is the merchant that is "ultimately responsible for ensuring that each service provider protects the integrity and confidentiality of the payment card data." While that may sound like it takes some pressure off service providers, the wide usage of those payment cards makes it all but certain that no eCommerce merchant will do business with you unless you can prove that your data management, security, and retention practices fall in line with these standards, which includes going through an annual on-site assessment.
Luckily, there are a lot of great questionnaires and assessment resources available for service providers. Here are just a few that you can choose from:
- PCI DSS Self-Assessment Questionnaire (Why not go directly to the source, right?)
- PCI Compliance Guide (Focus On PCI)
- PCI Assessment Services (RapidFire Tools)