wchp
Mar 22, 2010, Luminary
Disk/Volume Encryption
With the recent introduction of MA CMR-17 law, most businesses are now required/encouraged to encrypt all customer data.
What if any timeline is there for the Readynas products to support AES encryption?
34 Replies
- wchp (Luminary)
sphardy wrote: Hope that small law office takes more care with their customer files on paper... Is there a law for if that stuff gets stolen too? (and I wouldn't believe for a second that nothing is on paper)
Yes, paper has to be secured as well. Cabinets locked and cabled/chained or bolted to an "immovable medium". The cabinets were not touched though. Even the Cisco phones and phone system (UC-520) were taken.
- sphardy1 (Apprentice)
Seems a pretty lopsided law if physical security for files on paper is adequate, but not for the same files on disk.
- wchp (Luminary)
As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches. Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary. The following breaches have been reported to the Secretary:
Here is the HIPAA wall of shame:
http://www.hhs.gov/ocr/privacy/hipaa/ad ... htool.html
We strive to never have one of our clients on this list!
- sphardy1 (Apprentice)
I wasn't questioning the validity of what you stated, more trying to understand the sense behind it.
So what are the legal requirements for physical security of HDDs?
- wchp (Luminary)
Physical safeguards account for 24% of the Security Rule, but the requirements are fairly vague. Regarding physical access controls, the rule has an addressable implementation specification that states, "Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision."
Actual HHS documentation on Physical Security: http://www.hhs.gov/ocr/privacy/hipaa/ad ... guards.pdf
|"Covered entities must implement facility access controls as a part of their physical safeguards. The HIPAA Security Rule defines that as "policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed."
Four implementation specifications are included in this standard, all of them addressable:
contingency operations,
facility security plan,
access control and validation records, and
maintenance records.
The first embraces the establishment -- and if necessary implementation -- of "procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency." (Both types of plan are required implementation specifications of the contingency plan standard.)
The second includes policies and procedures "to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft."
The third relates to policies and procedures that "validate a person's [physical] access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision." This is the physical analogue of the "need to know" information access limits described by the minimum necessary rule.
Taken together, the second and third could include such measures as sign-in and/or escort for visitors to the areas of the facility that contain information systems hardware or software. But this would depend on the covered entity's particular circumstances. While some sort of physical access control is obviously necessary for every facility, the particulars will vary considerably. (For that reason, as noted, all of these are addressable rather than required specifications.)
The last of the four covers policies and procedures "to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors and locks).
As with all the other specifications, policies and procedures are required to be "formal, documented" ones."| ~ UofM Miller School of Medicine
- sphardy1 (Apprentice)
So do I understand this correctly: legal requirements for physical security demand:
1. Cabinets of documents must be cabled/chained or bolted to an "immovable medium"
2. Physical security of the same files on HDD is limited to signing in and escorting non-authorised people, provided data is encrypted.
- wchp (Luminary)
Spitting on a sidewalk and adultery are illegal too (in MA at least), just the fines and enforcement of same are not at the forefront of our current culture.
- sphardy1 (Apprentice)
wchp wrote: Spitting on a sidewalk and adultery are illegal too (in MA at least), just the fines and enforcement of same are not at the forefront of our current culture.
Great way to put it.
I just find it amazing that so often the mandated solution to problems where technology is involved is to develop/implement more technology.
Don't get me wrong, I can understand that it can be very costly for a small firm to implement good physical security - but for there not to even be a legal requirement for basic physical security (from your explanation, a simple locked room would appear sufficient to meet requirements) whereas lack of a technology based security can result in huge fines seems absolutely crazy to me.
Oh um...
- ReadyTA (Aspirant)
SHOCKED.... Two years later and still no AES full volume encryption.
Shame on me for missing this from the requirements, frankly would not have bought this product - was busy with performance and ASSUMED AES would be standard.
Seems that the Netgear / ReadyNAS team is overwhelmed and can't keep up, as competitors have excelled in providing these requirements. Clearly this product is not business class at all. Features are great, AJAX is great, but encryption is mandatory.
I'll take this Pro6 I have home for a media center and buy a QNAP :roll:
Also shocked that some people are actually questioning the law and associated fines... like that makes any difference to reality, business reality.
FUNNY = taken from the ReadyNAS Vault cloud service, just not on YOUR NAS:
If you have a business entity, you know that there are an increasing number of compulsory regulatory requirements your business must comply with or face stiff penalties. ReadyNAS Vault offers enterprise-level protection at affordable prices. All data is encrypted during transmission (128-bit SSL secure connections) and storage (256-bit AES encryption at rest). ReadyNAS Vault meets multiple industry compliance standards and provides easy and complete access and recovery of information should you ever face legal discovery.
- wchp (Luminary)
LOL
We have given up on ReadyNAS and have just been using QNAP in all of our business applications. (Between MA state law, HIPAA and HITECH you have to have volume encryption nowadays.)
The only time we are using the ReadyNAS units now is if we need a dumb iSCSI target for VM/LUNs
I too have a lovely Pro6 for my house. Never would have guessed 5 years ago I would need 7+ TB at the house! :o