The idea of someone getting his hands on your personal medical history is nerve-racking. So how would you sleep at night if your job was to keep thousands of medical records safe?
This monumental task falls to Vincent J. Fusca III, operations director for the Center for the Evaluative Clinical Sciences (CECS) at Dartmouth, Hanover, N.H. Fusca manages more than 7 TB of sensitive Medicare records for the Center's team of doctors and researchers. The ultimate goal of the CECS is to analyze and dissect the way health care works and make recommendations on how to improve the nation's health care system.
To that end, CECS researchers pore over years of Medicare data from various insurance companies and government organizations and, until the advent of the Health Insurance Portability and Accountability Act (HIPAA), they believed their storage and network security were satisfactory.
Fusca had many security protocols in place, including a standard virtual private network and firewalls, but in the age of regulatory compliance -- particularly HIPAA -- it wasn't enough. "We felt good about our network and perimeter security, but HIPAA added an extra measure of concern over security. We knew what we had was not an end-state solution," Fusca said.
The only part of the CECS' infrastructure that wasn't airtight was its FAS storage systems from Sunnyvale, Calif.-based Network Appliance Inc. (NetApp) and its ever-growing collection of AIT backup tapes.
Fusca and his team were brainstorming on how to secure all their data all of the time and, as a retired Marine familiar with handling classified materials, he decided that hardware-based data encryption was the best option. "We really didn't want to get into software-based [storage security] because then you're always worrying about version changes," he said. So Fusca brought in Decru Inc., Redwood City, Calif., to shore up his storage security.
Decru had already done integration work with NetApp and the subsequent product coupling has earned 5015.2-STD certification from the Department of Defense. The combined solution, however, starts at about $60,000. With less than a $10,000 million overall budget dependent on federal grant money, Fusca had to convince his bosses that opening up the IT wallet was a necessity.
As the Center plotted its course to HIPAA compliance, management quickly realized the implications of storage security. "We felt we should err on the side of overkill rather than trust that the status quo could be maintained and we'd be OK," said Fusca.
Fusca had to deplete his reserve technology spending account, but he felt that the peace of mind he and his colleagues now have was well worth the added expense. "I've had experience handling confidential materials. You never sleep well when that's your responsibility," Fusca said.
How it works
The CECS storage network contains clients based on Linux, Dell file servers and networked storage from NetApp. Each Linux desktop communicates with the servers using an encrypted VPN link, securing data in flight. Access to the data is controlled via firewalls and Linux iptables, so connections to the NFS servers are only allowed from a select group of clients.
The Decru DataFort E-series appliance sits between Fusca's Linux desktop systems and the NetApp filers, and uses strong AES-256 encryption to scramble data as it's being written to disk. The appliance decrypts the data when they are requested by authorized users. Because data are encrypted in primary storage, they are also secure when backed up to the CECS AIT tape library.
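The firewall control described above (NFS reachable only from a select group of clients) can be checked mechanically. This is an added example, not CECS's own configuration or tooling: a small audit over iptables-save output that reports any INPUT rule admitting a non-listed source to the NFS port. Assumptions: IPv4, NFS over TCP port 2049, plain -s/--dport rules, no modelling of rule order; the addresses, allow-list and sample ruleset are constructed.

```python
import ipaddress
import shlex

NFS_PORT = 2049  # assumes NFS over TCP on its standard port
ALLOWED_CLIENTS = ["192.0.2.10/32", "192.0.2.11/32"]  # hypothetical allow-list

# Constructed iptables-save sample (documentation address ranges).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.0.2.11/32 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
COMMIT
"""


def covers_port(spec, port):
    """True if an iptables --dport value (N or LO:HI) includes port."""
    lo, sep, hi = spec.partition(":")
    if not sep:
        hi = lo
    return int(lo or 0) <= port <= int(hi or 65535)


def audit_nfs_rules(rules_text, allowed, port=NFS_PORT):
    """Return findings; an empty list means only allowed clients reach NFS."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if line.startswith(":INPUT ") and tok[1] != "DROP":
            findings.append("INPUT default policy is " + tok[1])
        if not line.startswith("-A INPUT ") or "ACCEPT" not in tok:
            continue
        if "!" in tok or "--dports" in tok:
            findings.append("review by hand: " + line)
            continue
        opts = dict(zip(tok[2:], tok[3:]))  # each token mapped to its successor
        if "--dport" in opts:
            if not covers_port(opts["--dport"], port):
                continue
        elif "-m" in opts or "-i" in opts:
            continue  # state- or interface-scoped rule, not judged here
        src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        if not any(src.subnet_of(n) for n in nets):
            findings.append(f"{src} may reach port {port}")
    return findings
```

On the constructed sample, audit_nfs_rules(SAMPLE_RULES, ALLOWED_CLIENTS) flags the 198.51.100.0/24 rule, the kind of overly broad entry that creeps into an allow-list over time.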