Highly Reliable Systems: Removable Disk Backup & Recovery

HIPAA Security Rule Compliance Statement

Highly Reliable Systems, Inc. provides this compliance statement as assurance that our High-Rely backup and disaster recovery solutions conform to Federal regulatory provisions within the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

The AES-256 encryption features on select High-Rely models were created specifically for HIPAA compliance. Use an encrypting NAS such as a High-Rely NetSwap or RAIDFrame to overcome software limitations (for example, if your backup software doesn’t do encryption). Encryption is a necessary part of your data protection strategy. Compliance laws like HIPAA dictate that you strongly consider using it to protect yourself and your clients.

We feel that the key to this is using either backup software (such as Intelliback or ShadowProtect) or hardware (such as the NetSwap and RAIDFrames) that encrypts all data on removable drives. While we can’t control the final configuration or what data is stored on our devices, we can provide assurances that when data is encrypted, it provides a “safe harbor” level of protection for HIPAA and other sensitive data.

Encryption is becoming a more important topic as more companies struggle to meet compliance requirements and keep their data secure. Encryption is used more than you might expect, including for various website security functions. Backups are another important area in which to consider using encryption. To completely protect your data and your backup, you should consider encrypting the data both in motion and at rest. Here are 4 things you have to know about encryption for backup that will help you understand the landscape.

There are 2 types of encryption: symmetric and asymmetric. Our High-Rely uses symmetric encryption. Symmetric encryption means the same mathematical “key” is used for both encrypting and decrypting. A common example of symmetric encryption is AES (Advanced Encryption Standard), which is used for data at rest such as on hard drives or to encrypt private networks. By contrast, in asymmetric encryption 2 different keys are used – a “public key” for encrypting and a “private key” for decrypting. This type of encryption is referred to as public key infrastructure (PKI) or public-key cryptography and is often used for encryption of data in motion over the Internet. Asymmetric encryption key lengths must be longer than symmetric key lengths to provide similar protection. A key length of 2048 bits is considered a very secure standard when using asymmetric encryption. However, a key length of only 256 bits using AES is considered all but unbreakable when using symmetric encryption.

CPUs used in NetSwap and RAIDFrames have hardware encryption built in to retain performance. If you will be doing encryption, you should consider using special hardware or making sure you’re doing it with a CPU that has additional hardware instructions to help your performance. Both AMD and Intel offer encryption support in hardware. This feature is called AES-NI. Starting in 2010 Intel offered their Core processor family (codename Westmere) with seven special AES instructions. Beyond improving performance, the AES instructions provide important security benefits. By running in data-independent time and not using tables, they help in eliminating the major timing and cache-based attacks that threaten table-based software implementations of AES. As you might expect, your software must be capable of using the instructions too. Many Intel i5, i7, and Xeon processors have AES-NI. A few Atom processors also have it. The difference in performance when encryption is turned on using these features can be night and day, although a fast CPU doing nothing else can sometimes keep up even if it lacks the new instructions. Use a combination of hardware and software supporting AES with a 256-bit key to ensure encryption doesn’t impact your backup or recovery time objectives.

As a best HIPAA practice, you should not auto-mount encrypted backup volumes unless the backup appliance (NetSwap or RAIDFrame) is in a locked server room. Only if the backup appliance is physically secure should you consider allowing the NAS to decrypt drives automatically at boot time. The automatic mount will provide more reliability if there is a power outage or reset scenario because the encryption key will not have to be typed in manually by the IT staff. However, if this feature is used and the entire NAS is stolen with an automount decryption key stored, it means the unit could be rebooted elsewhere to gain access to the data (the decryption key is stored securely on the device). If the drives are removed and stolen, the data is still fully secure because the decryption key is needed to access data and there is no way to recover that.
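
The same auto-mount trade-off can be audited on a generic Linux host that unlocks volumes through `/etc/crypttab`. The script below is an added example, not High-Rely code; the page does not describe how the appliances store their keys, so the crypttab layout, the sample entries and the status labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify crypttab entries by how each volume gets unlocked.
# Fields per crypttab(5): name  device  keyfile  options

audit_crypttab() {
    # $1: path to a crypttab-format file; prints "<name> <status>" per entry
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        {
            key  = (NF >= 3 ? $3 : "none")   # a missing key field means prompt
            opts = (NF >= 4 ? $4 : "")
            if (key == "none" || key == "-")
                status = "passphrase-prompt"      # operator types the key
            else if (key == "/dev/urandom" || key == "/dev/random")
                status = "ephemeral-key"          # random key, lost at reboot
            else if (("," opts ",") ~ /,noauto,/)
                status = "stored-key-manual"      # key on disk, not used at boot
            else
                status = "stored-key-automount"   # unlocks unattended at boot
            print $1, status
        }' "$1"
}

count_automount() {
    # Number of volumes that a stolen, rebooted host would unlock by itself
    audit_crypttab "$1" | awk '$2 == "stored-key-automount" { n++ } END { print n + 0 }'
}

# Constructed sample entries (not from a real system)
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name    device     keyfile                options
backup1   UUID=1111  none                   luks
backup2   UUID=2222  /etc/keys/backup2.key  luks
backup3   UUID=3333  /etc/keys/backup3.key  luks,noauto
swap      /dev/sdb2  /dev/urandom           swap
EOF

audit_crypttab "${1:-$sample}"
echo "volumes unlocked unattended at boot: $(count_automount "${1:-$sample}")"
```

Any entry reported as `stored-key-automount` belongs only on a host that is physically secured, as described above.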