In regulated industries, sensitive data must both be protected and retained, a challenging juxtaposition in a landscape of increasing cybersecurity threats. In the healthcare field, for example, losing data is one matter. Not having “exact retrievable copies,” as required by law, is another. And protecting those backed up files is equally important.
Healthcare and financial data must be retained for several years, but in many cases companies that handle sensitive data may retain it much longer. This means exponentially more sensitive data being sent offsite for remote backup and archival. Earlier this year, company officials at Bit.ly blamed a breach of its customer database on unauthorized access of its offsite backup data maintained by a third-party hosting provider.
Adding one or more remote locations and/or third parties to your offsite backup and recovery strategy complicates your risk profile, but there are a few things to look for that can help you sleep better at night, even if your sensitive data is stored offsite. If you have to meet compliance and security demands, here are three things to incorporate into your proposals and requirements:
1. Visit the physical location of your backup data
Even if you are going with a cloud-based or a third party tape or media-based offsite backup solution, it helps to know you can fly, drive, walk and point to your backup data. Not only does this improve your ability to accurately assess the risk to that data while in storage, it also increases the odds that you can get it back in a timely manner if you need it for disaster recovery efforts. Spend the few hundred dollars to go visit the facility, it will be cheaper than sleeping pills in the long run and well worth the peace of mind. There’s nothing that tells you more about the safety of your backup data location than experiencing it yourself.
2. Encrypt with Mr. FIPS
Those of you in regulated industries may already know Mr. FIPS, as in FIPS 140-2. If not, please introduce yourself. FIPS 140-2 is a cryptography standard specified by the Federal Information Processing Standard, and referenced by NIST (National Institute of Standards and Technology), the government, healthcare and other industries. Why do we care? If you choose an offsite backup solution that embeds one of the validated FIPS 140-2 cryptographic modules, you have a good level of assurance that the sensitive data you’re storing offsite is protected by strong encryption that had been tested and verified by an independent, third party organization. Unless you have time to try breaking the encryption algorithm yourself, go with an approach that someone else has had the time to test.
For healthcare covered entities and business associates, encrypting your offsite backup with a FIPS 140-2 validated cryptography module means that you can prove due diligence to protect patient data in the event it is lost or stolen. In fact, if the patient information has been encrypted in this manner, it’s not considered a data breach. When you compare any investment into using solutions that meet this encryption standard with the costs of data breach remediation including legal, loss of customer confidence, and remediation, it’s an easy investment to make.
In our own case, it was the deciding factor when Online Tech chose the encrypted version of EMC’s Avamar technology since we serve many healthcare, financial, and eCommerce clients that need to protect sensitive information. This gives us peace of mind knowing we’re protecting our clients data while in-transit and at-rest in our offsite backup.
3. Ask for the audit report
Adding a third party or remote location increases the complexity, but doesn’t need to make you less compliant or secure. Find a partner with the same approach to compliance and security as your organization. If you are handling sensitive, regulated information, this means that they too, should be getting independent, annual audits. Ask for the audit reports, and read them. They should make sense and leave you feeling reassured. If otherwise, keep looking.