" backup Archives - LuxSci

Posts Tagged ‘backup’

7 Essential Steps to Creating a HIPAA Website

Tuesday, August 8th, 2023

The recent focus on tracking pixels and analytics codes by enforcement agencies has many healthcare organizations reassessing their website security and compliance. As technology has evolved over the past thirty years, HIPAA rules have adapted to secure sensitive data. In this article, we review the requirements for HIPAA websites and what you need to do to ensure your website is compliant and secure.

healthcare website on laptop screen

Read the rest of this post »

Infrastructure Requirements for HIPAA Compliance

Thursday, December 1st, 2022

If you are building a new environment that must comply with HIPAA, you may be surprised to find that the infrastructure requirements for HIPAA compliance do not require the use of any specific technology. This provides a lot of flexibility for developers and architects but can also introduce risk if you are unfamiliar with the requirements. This article outlines a few considerations to keep in mind as you build a HIPAA-compliant infrastructure or application.

infrastructure hipaa requirements

Dedicated Servers and Data Isolation

Reliability and data security are two of the most important considerations when building a healthcare application. Building an infrastructure in a dedicated server environment is the best way to achieve these aims. Let’s look at both.

Reliability

Hosting your application in a dedicated environment means you never have to share server resources with anyone else, and it can be configured to meet your needs exactly. This may also include high-availability configurations to ensure you never have to deal with unexpected downtime. For many healthcare applications, unexpected downtime can have serious consequences. 

Security

A dedicated environment isolates your data from others, providing an added security layer. Segmentation and isolation are crucial components of the Zero Trust security stance, and using a dedicated environment helps keep bad actors out. Hosting your application in a public cloud could put sensitive data at risk if another customer falls victim to a cyberattack or suffers a security incident.

HIPAA does not require the use of dedicated servers. Still, any host you choose must follow the HIPAA requirements associated with access controls, documentation, physical security, backups and archival, and encryption. Review our checklist for more details about HIPAA’s security requirements.

Encryption

It’s worth spending a minute discussing encryption because it’s an often misunderstood topic. Encryption is listed as an “Addressable” standard under HIPAA. Because it is not “Required,” this leads many to think that it is optional. The Rule states: “Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.” So, while HIPAA does not state that covered entities must use encryption, it does say that they need to ensure the confidentiality of any ePHI that is created, received, maintained, or transmitted.

The confusion arises because HIPAA is technology-neutral and does not specify how exactly to protect ePHI. Encryption is unnecessary if your organization can devise another way to protect sensitive data. However, practically speaking, there aren’t many alternatives other than not storing or transmitting the data at all. Encryption is the easiest and most secure way to protect electronic data in transmission and at rest.

At-Rest Encryption

HIPAA does not require at-rest encryption, though it is recommended to decrease risk and potential liability in some situations. Suppose your risk assessment determines that storage encryption is necessary. In that case, you must ensure that all collected and stored protected health information is encrypted and can only be accessed and decrypted by people with the appropriate keys. This makes backups secure, protects data from access by unauthorized people, and generally protects the data no matter what happens (unless the keys are stolen). Storage encryption is essential in any scenario where the data may be backed up or placed in locations out of your control. 

Transmission Encryption

If protected health information is transmitted outside of the database or application, encryption must also be used to protect the data in transmission. At a minimum, TLS encryption (with the appropriate ciphers) is secure enough to meet HIPAA guidelines. However, TLS alone may not be appropriate for your use cases.

  • Consider using a portal pickup method, PGP, or S/MIME encryption when transmitting highly sensitive information to end users.

Backup Infrastructure Requirements for HIPAA Compliance

Backups and archival are often an afterthought regarding HIPAA compliance, but they are essential. HIPAA requires that organizations “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.” You must be sure that all ePHI stored or collected by your application is backed up and can be recovered in case of an emergency or accidental deletion. If your application sends information elsewhere (for example, via email), those messages must also be backed up or archived. HIPAA-compliant backups are robust, available, and accessible only by authorized people.

Under HIPAA Omnibus, organizations must keep electronic records of PHI disclosures for up to three years. Some states and company policies may require a longer record of disclosures; some states require up to ten years. When building a HIPAA-compliant infrastructure from scratch, it’s also essential to build backups.

Conclusion

If it is your first time dealing with infrastructure requirements for HIPAA compliance, be sure to ask the right questions and work only with vendors who thoroughly understand the risks involved. It can be overwhelming, but by selecting the right partners, you can achieve your goals without violating the law. 

Increasing Resiliency with Data Backups

Tuesday, June 21st, 2022

Making backups of collected data is a critically important part of risk management. Backups provide redundancy in case of human errors, hardware failure, cyberattacks, power failure, and natural disasters. Properly implemented backups reduce risk and provide organizations flexibility when systems go down. Server outages, whether accidental or malicious, can be detrimental to business operations, and adequately implemented backups can help mitigate the effects and save time and money.

data backups

What is a Data Backup?

Backups are copies of data, files, and directories found on the disk at a specific time. Backups are used to restore files in case of an outage or accident. They are not the same as an email archive and are insufficient to meet compliance data storage requirements. This is because backups may not capture all sent and received data. If files are added and deleted in between backup times, they will not appear on the most recent backup. See Email Backup or Archival: What’s the Difference for more information.

LuxSci performs daily and weekly backups of email, WebAides, Widgets, MySQL databases, FTP, and website data in customer accounts. If data is misplaced or deleted accidentally, LuxSci’s support team can quickly and easily restore it from any available snapshots.

Ways to Configure Data Backups

How backups are configured can drastically affect how information is stored and retrieved. Backups are typically located on-site or off-site. On-site backups are located in essentially the same place as the original data, while off-site backups are located far away from the originals. It is fast and easy to recover data using an on-site backup. Still, if the location is affected by a cyberattack or natural disaster, both the original data and the on-site backups could be compromised or destroyed. Off-site backups are isolated from the original system and act as a fail-safe. It is slower to recover data from off-site backups and often costlier to maintain.

At LuxSci, we provide both on-site and off-site backups. This enables fast daily backups of recent changes and longer-term weekly backups. This backup schedule also ensures that separate, independent copies are kept in geographically distant locations for disaster planning reasons. We also create custom backup schedules for enterprise customers.

Preparing for Disaster

Cyberattacks like ransomware allow criminals to take control of an organization’s systems and hold data hostage. By backing up systems properly, administrators can restore data without paying the ransom.

Ensuring copies of data remain available even in an emergency requires extensive preparation and planning. It’s important to understand which systems and data are the most crucial and create a plan to protect them. Cyberattacks and natural disasters may limit access to on-site backups. In this case, it is helpful to have off-site backups available. Isolating off-site backups from the main infrastructure helps protect data in the event of a cyberattack or natural disaster.

Administrators should also take special consideration for confidential or sensitive information. When drafting a backup policy for disaster recovery, some issues to consider include:

  • Identifying who is responsible for performing backups.
  • Specifying where the backup data are to be located.
  • Establishing how to access the files and how to log access to sensitive information.
  • Creating a schedule for backing up data.
  • Performing backups of digital data.
  • Automating backups.
  • Backing up the metadata along with the data.
  • Encrypting data at rest.
  • Determining how long to keep backups.

HIPAA Considerations

Compliance regulations may also influence the organization’s backup policy. It goes without saying that organizations that work with protected health information need to use a backup solution that is HIPAA-compliant. Backups need the proper access controls and encryption to comply with HIPAA regulations. To keep sensitive data protected and resistant to cyberattacks, contact LuxSci today.

Is Email Archival Required by HIPAA?

Tuesday, April 5th, 2022

Customers often inquire if email archival is required by HIPAA regulations.

There is a great deal of confusion and uncertainty here because:

  1. HIPAA lists many requirements but does not provide specific instructions on implementing them. It’s ambiguous but provides a great deal of flexibility for organizations.
  2. Email archival adds a fixed cost to any email solution – and everyone prefers to avoid unnecessary costs.
  3. Due to time and budgetary constraints, many organizations want to do the minimum needed for compliance.

email archival hipaa

In our opinion, email archival is an implicit requirement of HIPAA for all organizations that send ePHI via email. In the next section, we’ll review why.

Read the rest of this post »

High Availability High Volume Email

Tuesday, June 8th, 2021

High volume email sending is essential to the business operations of many different companies. Whether these emails involve onboarding messages to new users, form a crucial part of an organization’s marketing strategy, or are sent for a wide range of other purposes, they are often a core component of how a company spreads necessary information.

If the suitable systems aren’t in place, high volume email can go down. This stops all transactional and marketing emails from being sent, which can cause delays or disruptions to business operations. These outages can have significant effects on a company’s bottom line.

If critical email systems cannot go down, then a high availability, high volume email system needs to be in place. This creates redundancy to keep systems online in case of an outage.

high volume email

What Is High Availability?

As we discussed above, the goal of high availability is to keep an organization’s email up and running as much as possible. This is known as high availability, an engineering term applied to many systems, especially in computing.

High availability is commonly used when talking about websites–a high availability service has redundancies in place that keep a website online, even if the main server fails. In addition to the server that hosts the site itself, high availability web apps also need high availability MySQL so that databases are still accessible if the main server that hosts them goes down.

These high availability services are critical for businesses that cannot perform their core functions if their websites or databases go offline.

If a high availability service isn’t used and there aren’t redundancies in place, outages to the servers will force the site down. This means that customers will no longer be able to access the platform or some of the site’s essential services.

It’s not just websites and web services that can go down. If a company’s high volume email doesn’t use a high availability infrastructure, it can go down when a server fails. This grinds all of an organization’s email to a halt, delaying or disrupting its marketing and transactional emails.

If these emails aren’t sent and received by customers, the company won’t be able to perform many of its necessary business functions until the server comes back online. This can lead to the loss of customers, increased complaints, reduced sales, and many other serious problems. With this in mind, high availability high volume email services are critical for any organization that relies on its email to perform its core functions.

Why Do Systems Go Down?

Some of the most common reasons that online systems go down include:

  • Hardware failures bringing down critical components such as the memory, CPU, or power.
  • Crashes or bugs in an operating system or other software.
  • DDoS and other attacks against the server.
  • Excessive amounts of traffic.
  • Failure of the network.
  • Overloading the network.
  • Failures at the data center, including human error or power outages.

How Can Load Balancing Help to Give You High Availability High Volume Email?

As we discussed above, there are many reasons services could go offline. These causes of failure are inevitable, and they can occur at random. If the organization’s high volume email needs to be operational as much as possible, put redundancies in place to take over when these inevitable failures happen.

A core component of this is load balancing, which shares the workload between servers. This boosts the capacity, allowing servers to share the volume with others when they get overwhelmed by traffic. Load balancers can also detect server failures and automatically redirect traffic to healthy servers when necessary. When high volume email services are equipped with load balancing, they will continue to send emails even when a server in the cluster goes down.

Many providers have their servers and load balancers in the same place, making it easier to operate but creating additional risks. If everything is located in the same data center, a failure at the data center or in the network can still bring the email system down. Load balancing won’t help if the servers’ data center goes down because of a power outage or extreme weather.

At LuxSci, we offer a more robust alternative by placing servers in separate data centers in the same geographic region. Having servers in different physical locations makes high volume email services far more resistant to going offline. Even if one data center fails, there will be backups online at other sites.

High Availability MySQL For High Volume Email

High volume email requires databases for tracking, logging, and other purposes. If the database goes down, so does the ability to send transactional and marketing emails. If high volume email is critical to business operations, high availability databases should also be put in place.

LuxSci’s solution is its regional high availability MySQL service. This offering includes a cluster of Enterprise MySQL servers, each located in separate locations within the same geographic region. It automatically replicates the databases across all servers, with features including automated:

  • Failover and recovery
  • Zero-downtime system
  • Software updates

Our high availability MySQL service is excellent for organizations that rely on their high volume email for business operations because it makes databases extremely resistant to going offline. It’s a solution that can help organizations survive the failure of a data center all maintaining HIPAA compliance.

Together with LuxSci’s high availability load balancers, our high availability MySQL makes bulk email systems incredibly resistant to downtime.

LuxSci’s High Availability High Volume Email Solution

High availability services are highly recommended if marketing and transactional emails are critical to an organization’s operations. When you consider the costs of the service going down, it’s best to choose a solution that offers high availability.

Nothing will stop systems from failing, but with redundancies such as high availability load balancers and MySQL in place, we can ensure common failures don’t impact your business. Contact us now to find out more on how LuxSci’s offerings can help to keep high volume email systems online as much as possible.