In a previous Spear Digest article, I wrote about data back-up systems and basic security requirements. The article focused on significant challenges with the integrity of the data being backed up, leading to compromised data recovery 30-50 percent of the time.
In the second article, I discussed the direct penalties to the owner dentist as well as to individual staff members for compromised security and integrity of protected health information as well as a real-life example of an actual breach.
After these articles were published, I am certain that many of you made a quick – maybe even lengthy – telephone call to challenge your IT specialists with these facts and to make sure that your data security and back-up measures disprove the reported facts. I hope you did. Most of your technicians likely reassured you that the guy who wrote these articles is not a computer expert and does not know what he’s talking about. After all, you are likely well backed up and secure because you have either a RAID system or a mirrored server, and your data is securely backed up to the Cloud.
The good news is that if they said that confidently, your system is on par with the status quo and the IT industry standard of care. However, having learned from the “School of Hard Knocks” and a lot of reading and discussions with IT gurus, your system Is likely not adequate for reproduction of ePHI (electronic Protected Health Information) in the event of a catastrophe, such as an attack by a devastating Trojan virus, major fire or damage from a superstorm like Sandy. I know because my own double-RAID array, mirrored server let me down on at least two occasions.
RAID stands for redundant array of independent disks. They were developed as an economical approach to meet the growing needs for redundancy and protection of data from a system crash. In simplest terms, RAID systems can be thought of as a stack of plates spinning independently on a spindle. One of the disks contains the operating system software and other installed software as well as the communication center for printers and workstations on the network. Data is stored on the other disks in a variety of methods, from packets of information stored in separate compartments on varying disks to mirroring where all of the data is stored to one disk that is then sequentially copied to the other disks in the system.
Since RAID systems have become more costly with time, software to create “virtual” RAID systems has become popular. In fact, some major computer manufacturers are not including virtual RAID technology. The major problem with a RAID system is that all of the disks run in the same machine with the same power source; if there is a power surge that takes out the system or if the mechanical components of the RAID fail, the redundancy is pointless because data is still lost. RAID systems have a single point of failure because they are a single device. RAID systems are not a back-up system.
Mirrored servers involve at least two physical server towers, both of which are commonly also RAID systems. Essentially, one server copies the other server incrementally on a regular basis. These usually work very nicely in the event of a hardware crash due to mechanical components. The “back-up” server can be converted over to serve as a server to maintain business operations. However, the mirrored server is typically connected to the same power source and could be damage by a power surge as well unless the mirrored server is stored in another area of the facility and attached to a different power source.
Both of these methods of preserving data through redundancy have worked reasonably well over the years, which is why many dental practices are equipped with them. However, they are not without significant common shortcomings:
- Off-site back-up of protected health information still is necessary.
- IT support is necessary for proper configuration and monitoring.
- If there is a major catastrophe like a major flood or fire where the facility is completely destroyed, back-up from off-site back-ups is challenging and only reliable about 50 percent of time.
- All information is copied, including any viruses that are not caught by anti-virus software, like Cryptovirus or one of its many clones.
- There are multiple mechanical components that can fail, such as individual disks.
- They do not prevent problems related to recovery of deleted files, corrupt applications, or operating system failure.
(Click this link for more articles by Dr. Kevin Huff.)
Kevin D. Huff, DDS, Spear Moderator and Contributing Author www.doctorhuff.net