Greetings and welcome back! This week we continue our series on cyber, physical and operational security standards we take a look at HIPAA Backup Power Standards for Server Racks. Many entities who are under HIPAA requirements are not unaware that there are exacting operational standards for backup power and environmental control of the servers which contain ePHI. It is our hope that this blog will bring to light those standards in a way that compliance with these standards will be greatly enhanced.
Let’s focus on the Backup Power Standard and how to be in full compliance with its requirements.
“Section 164.308(a)(7)(ii)(C) Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. When a covered entity is operating in emergency mode due to a technical failure or power outage, security processes to protect EPHI must be maintained.”
To begin with, while a small number of organizations find themselves on a power grid segment that rarely goes down, the simple fact is that most every facility has at least one power problem during the year. Our local utility – PG&E – republished an excellent article entitled: “How to guard computers and sensitive electronic equipment from expensive downtime and unscheduled maintenance” Even though this article is nearly 20 years old, the fact is that power problems have not changed nor have the means needed to protect data from power problems. The only change is the technology used in these data protection systems has been significantly upgraded in the past few years.
In this article, PG&E sites a number of power problems and solutions but, generally, the problems and solutions fall into 3 categories:
- Power outage or transient – requires and Uninterruptible Power Supply (UPS) and potentially a backup generator
- Power surge – requires a Power Distribution Unit (PDU) with a surge suppressor
A UPS can provide protection of your data from a power outage or a transient such as a power spike or dip. However, only what is known as an “on-line” UPS can provide true protection from any type of outage or transient. An on-line UPS uses what is known as “Double-conversion” technology where a rectifier converts the AC power wave into a DC signal and then an inverter creates a new and clean AC power wave from scratch. A battery or string of batteries are included in the circuit to provide ride-through AC power during the transient or outage.
The bottom line is that a true on-line UPS can protect your data from improper destruction – a HIPAA requirement – and can provide continuous access to records during an emergency condition – also a HIPAA requirement. The one type of power disturbance that often seems to throw UPS units into fits is a power surge that can happen so quickly, the UPS simply can’t protect the load. To protect against this problem, high-quality Rack PDU units can provide excellent surge suppression abilities. While we won’t go into technology specifics here, there is a very good correlation between the price of a Rack PDU and its internal technology so, please don’t be penny wise and dollar foolish in purchasing a PDU.
Now, when you add a backup power and surge suppression system, you will also need to monitor these units to ensure that they are properly protecting your data. For example, you need to know that the UPS’s battery is available and fully charged and you need to know when the UPS is on battery for a transient. You also need to know when a power surge has hit your PDU units. But, while you need to monitor your UPS and PDU’s to be HIPPA compliant, the communications protocol used for this monitoring – Simple Network Management Protocol (SNMP) – is actually non-compliant in-and-of-itself. This well done university research paper shows just how insecure SNMP monitoring of a UPS and PDU is. This, then, creates a huge dilemma: How do you monitor your power systems securely if their communications are insecure?
Fortunately, RackGuardian has you covered. RackGuardian does monitor all UPS and PDU parameters but, it does so inside its CYBER-SAFE COMMUNICATIONS ENVELOPE. The unit blocks ANY outside attempt to read data or interfere with the power systems while it securely monitors all operational parameters and sends all of its data via an encrypted, secure link to our fully compliant cloud system. The cloud system uses the same technology that you use to connect with your online banking to ensure HIPAA compliance. The combination of all these factors means that you can securely monitor and protect you power systems from any type of cyber, physical or operational harm.
In sum, HIPAA requires all covered entities and business associates to support ePHI systems with backup power and power distribution units. This is requires to keep ePHI from being destroyed by a power problem and to keep ePHI data available during a power emergency. You must monitor the health of your UPS and PDU systems but, you must do so in a way that does not expose these units to cyber, physical or operational attack. RackGuardian is the only system that has been purposefully built to protect your UPS and PDU systems from all threats that could wreak havoc on your data.
Please think about your systems and we would be happy to have a confidential discussion about how you can protect your ePHI from all threats.
Until next time,