User spends over $60k on storage security for HIPAA

Kevin Komiega

The idea of someone getting his hands on your personal medical history is nerve-racking. So how would you sleep at night if your job was to keep thousands of medical records safe?

This monumental task falls to Vincent J. Fusca III, operations director for the Center for the Evaluative Clinical Sciences (CECS) at Dartmouth, Hanover, N.H. Fusca manages more than 7 TB of sensitive Medicare records for the Center's team of doctors and researchers. The ultimate goal of the CECS is to analyze and dissect the way health care works and make recommendations on how to improve the nation's health care system.

To that end, CECS researchers pore over years of Medicare data from various insurance companies and government organizations and, until the advent of the Health Insurance Portability and Accountability Act (HIPAA), they believed their storage and network security were satisfactory.

Fusca had many security protocols in place, including a standard virtual private network and firewalls, but in the age of regulatory compliance -- particularly HIPAA -- it wasn't enough. "We felt good about our network and perimeter security, but HIPAA added an extra measure of concern over security. We knew what we had was not an end-state solution," Fusca said.

The only part of the CECS' infrastructure that wasn't airtight was its FAS storage systems from Sunnyvale, Calif.-based Network Appliance Inc. (NetApp) and its ever-growing collection of AIT backup tapes.

Fusca and his team were brainstorming on how to secure all their data all of the time and, as a retired Marine familiar with handling classified materials, he decided that hardware-based data encryption was the best option. "We really didn't want to get into software-based [storage security] because then you're always worrying about version changes," he said. So Fusca brought in Decru Inc., Redwood City, Calif., to shore up his storage security.

The cost

Decru had already done integration work with NetApp and the subsequent product coupling has earned 5015.2-STD certification from the Department of Defense. The combined solution, however, starts at about $60,000. With less than a $10,000 million overall budget dependent on federal grant money, Fusca had to convince his bosses that opening up the IT wallet was a necessity.

As the Center plotted its course to HIPAA compliance, management quickly realized the implications of storage security. "We felt we should err on the side of overkill rather than trust that the status quo could be maintained and we'd be OK," said Fusca.

Fusca had to deplete his reserve technology spending account, but he felt that the peace of mind he and his colleagues now have was well worth the added expense. "I've had experience handling confidential materials. You never sleep well when that's your responsibility," Fusca said.

How it works

The CECS storage network contains clients based on Linux, Dell file servers and networked storage from NetApp. Each Linux desktop communicates with the servers using an encrypted VPN link, securing data in flight. Access to the data is controlled via firewalls and Linux iptables, so connections to the NFS servers are only allowed from a select group of clients.

The Decru DataFort E-series appliance sits between Fusca's Linux desktop systems and the NetApp filers, and uses strong AES-256 encryption to scramble data as they are being written to disk. The appliance decrypts the data when they are requested by authorized users. Because data are encrypted in primary storage, they are also secure when backed up to the CECS AIT tape library.
