Online Backup, Proven Data Replication, Automatic Offsite Replication of Corporate Data, Highly Secure Compliant Data Replication, Secure Online Backup

Thursday, July 24, 2008
 

This page details Abacus’ response to the Administrative Simplification Provisions of HIPAA, Code of Federal Regulations, Title 45, Part 164: Security & Privacy.

 

Administrative Safeguards

Each entry below lists the CFR section and standard, the implementation specification marked (R)=Required or (A)=Addressable, and the ABACUS application functionality that addresses it.

§164.308(a)(1) Security Management Process

Risk Analysis (R)

The Covered Entity (CE) can store its Risk Analysis document encrypted and off-site using ABACUS Backups managed software solutions.

Risk Management (R)

ABACUS Backups technology provides a high degree of security by encrypting Protected Health Information (PHI) on the covered entity’s servers. In providing our managed data backup service, ABACUS Backups data is transmitted over the network using additional “over-the-wire” encryption and is transferred to a secure, offsite data center, thereby reducing risks and vulnerabilities for PHI. No ABACUS Backups employee has access to the unencrypted PHI because the covered entity or business associate holds the only encryption password.

Sanction Policy (R)

ABACUS Backups works with the CE to comply with the CE’s sanction policies and procedures.

Information System Activity Review (R)

The ABACUS software provides comprehensive reports on backup activity, restore activity, log files and late-backup status.

§164.308(a)(2) Assigned Security Responsibility (R)

ABACUS Backups personnel will work with the CE’s Security Officer to ensure that data protection policies adhere to the policies and procedures of the CE.

§164.308(a)(3) Workforce Security

Authorization and/or Supervision (A)

ABACUS Backups’ software and service solutions are designed to ensure that only those personnel with the appropriate application and encryption passwords have access to PHI.

Workforce Clearance Procedure

The CE’s Security Officer determines who has access to both application and encryption passwords.

Termination Procedures (A)

As a part of the CE’s termination procedures, ABACUS Backups’ software and service solutions allow authorized CE personnel to:

•     Change the encryption password, and

•     Change the account password on the vault.

§164.308(a)(4) Information Access Management

Isolating Health Care Clearinghouse Function (R)

ABACUS Backups’ software and service solutions allow the CE to restrict data protection to authorized personnel and to isolate electronic PHI (ePHI) from the larger organization.

Access Authorization (A)

ABACUS Backups’ software and service solutions easily allow the CE to implement policies and procedures for granting access to ePHI through server passwords as well as encryption password protection. The CE holds the only password for encrypted ePHI.

Access Establishment and Modification (A)

ABACUS Backups’ software and service solutions easily allow the CE to implement policies and procedures for granting and modifying a user’s access to ePHI through server passwords as well as encryption password protection. The CE holds the only password for encrypted ePHI.

§164.308(a)(5) Security Awareness and Training

Security Reminders (A)

ABACUS Backups will participate in a CE’s periodic security updates on an as-needed basis.

Protection from Malicious Software (A)

ABACUS Backups’ software and service solutions provide protection from malicious software by keeping a full, encrypted copy of ePHI off-site. A CE can easily recover its uncorrupted data online, 24 hours a day.

Log-in Monitoring (A)

ABACUS Backups records log-on activity for backup and restore tasks. This activity information can be provided to the covered entity as needed.

Password Management (A)

The ABACUS Backups backup architecture is designed specifically so that only those personnel with the appropriate application and encryption passwords have access to PHI. Covered entities can encrypt and store their passwords off-site with the ABACUS Backups solution.

§164.308(a)(6) Security Incident Procedures

Response and Reporting (R)

ABACUS Backups’ software and managed services can mitigate the harmful effects of security incidents by storing a full, encrypted copy of ePHI off-site. Through ABACUS Backups’ managed service, this encrypted ePHI is stored in secure data facilities.

§164.308(a)(7) Contingency Plan

Data Backup Plan (R)

ABACUS Backups’ software and managed services are specifically designed to give CEs better operational control of their data backup and recovery process. The automated process ensures that backups have occurred and are automatically stored off-site. The software supports customized data retention schedules. The solution limits the human involvement that can lead to errors in the backup process or in tape transport. The backup and recovery process can be centrally controlled (through a graphical user interface) for remote locations. Data can be instantaneously recovered 24 x 7 x 365. Data is further secured by RAID arrays and redundant components. Data is encrypted and sent to secure data centers with limited physical access.

Disaster Recovery Plan (R)

ABACUS Backups provides data protection and recovery as a part of the CE’s Disaster Recovery Plan. ABACUS Backups’ main purpose is to protect our clients’ data, whether in a full disaster or a file and folder recovery. ABACUS Backups will also work with the CE to test data restoration as a part of the DR Plan.

Emergency Mode Operation Plan (R)

With ABACUS Backups’ managed service, data is automatically stored off-site and easily accessed 24 hours a day, 7 days a week. Data can be instantaneously restored while operating in emergency mode. With ABACUS Backups’ software, data can be protected at an off-site facility of the CE’s choice.

Testing and Revision Procedure (A)

The CE can contract with ABACUS Backups for periodic testing of data recovery.

Applications and Data Criticality Analysis (A)

The ABACUS Backups solutions easily allow the CE to identify critical data and design customized retention policies to meet the needs of other contingency plan components.

§164.308(a)(8) Evaluation (R)

The CE can contract with ABACUS Backups Professional Services for periodic evaluation of backed-up data integrity and of the recovery process.

§164.308(b)(1) Business Associate Contracts and Other Arrangements

Written Contract or Other Arrangement (R)

ABACUS Backups employees do not have access to protected health information, and ABACUS Backups is not considered a business associate; however, ABACUS Backups understands the criticality of protecting health data and will work with Covered Entities to ensure their HIPAA compliance.

§164.310(a)(1) Facility Access Controls

Contingency Operations (A)

ABACUS Backups Protect customer data is stored in vaults located in highly secure, raised-floor data centers that have limited physical access and redundant systems and power. In the event of a disaster, using ABACUS Backups software and service solutions, data can be recovered via the network or the public Internet to a location selected by the CE. Only authorized personnel with the application and encryption passwords can recover the data.

         

 

Technical Safeguards (see 164.312)

Each entry below lists the CFR section and standard, the implementation specification marked (R)=Required or (A)=Addressable, and the ABACUS application functionality that addresses it.

§164.312(a)(1) Access Control

Unique User Identification (R)

ABACUS Backups’ software technology encrypts ePHI at the source of the information, on the CE’s computer servers. Only authorized CE representatives have the server and encryption passwords. The CE assigns the unique user identification.

In providing our managed data backup service, ABACUS Backups Protect, no ABACUS Backups employee has access to the unencrypted PHI because the covered entity or business associate holds the only encryption password.

Emergency Access Procedure (R)

ABACUS Backups’ software and service solutions are designed to provide fast, easy data recovery in case of an emergency. Information stored at ABACUS Backups data centers can be accessed online at any time. An authorized administrator at the CE can use ABACUS Backups InfoStage CentralControl to search through the data stored on the vault and recover the lost data online. Only the authorized system administrator can enter the vault account username and password as well as the encryption password to authenticate and get the data back.

Automatic Logoff (A)

The ABACUS Backups agent scans the server on which it is installed to gather the blocks within files that require backup. It compresses the files, encrypts them and then sends them over the network, using network encryption, to the storage vault. As soon as the transmission has completed, it automatically disconnects from the customer server and logs off.

Encryption and Decryption (A)

The agent encrypts all data to be backed up on the server before sending it over the network. ePHI is encrypted at two levels:

•     Data is encrypted on the vault to ensure that only the covered entity’s system administrator has access to the information, as the sole holder of the encryption password.

•     Over-the-Wire encryption ensures that the data is safe during transmission.

The encryption password is entered by the system administrator while configuring the backup.

If the need to recover data arises, only the system administrator can start a restore job and enter the encryption password that allows the software to bring decrypted data back to the server.

§164.312(b) Audit Control (R)

ABACUS Backups records information about the users who back up and restore data.

§164.312(c)(1) Integrity

Mechanism to Authenticate Electronic Protected Health Information (A)

ABACUS Backups software uses two levels of authentication to protect health care information:

•     Vault account authentication

•     Encryption authentication

The CE will implement policies and procedures to ensure that ePHI has not been altered or destroyed in an unauthorized manner. If the CE finds that data has been altered on the originating server, the original data can be restored online from the ABACUS Backups backup. Data is destroyed only at the request of the CE. ABACUS Backups will issue a certificate of data destruction if the CE requests that destruction.

§164.312(d) Person or Entity Authentication (R)

Authentication is required to back up and recover data to and from the vault as well as to decrypt the data.

•     The CE’s system administrator authenticates with the vault when configuring a backup job by entering the username and password recorded on the vault.

•     The user also enters an encryption password while configuring the backup job. The administrator is the only one who knows this key, and it is impossible to decrypt the data during a restore without it.

§164.312(e)(1) Transmission Security

Integrity Controls (A)

Controls can be run periodically to ensure data integrity. For example, the system administrator can run test restores to ensure that the data is intact and has not been corrupted. The CE system administrator has 24/7 access to the data stored on the vault and can start restores at any time through our easy-to-use graphical user interface.

Encryption (A)

ABACUS Backups delivers encryption at two levels at no additional cost:

•     Over-the-Wire encryption ensures that data can’t be read during transmission over a network or the public Internet.

•     Encryption at the storage location (vault) ensures that the data can only be decrypted by the owner of the encryption key (the CE’s system administrator).

•     ABACUS Backups utilizes 128-bit AES or 128-bit Blowfish.
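The following is an added example, written for this page and not ABACUS Backups code, showing in Python the control structure described above: data is encrypted at the source under a password only the CE holds, the vault enforces a separate account login and stores only ciphertext, every backup and restore is logged, and a test restore checks integrity against digests recorded at backup time. It illustrates the Encryption and Decryption, Audit Control and Person or Entity Authentication rows above together with the Integrity Controls and Encryption rows here. Assumptions: the keystream is built from HMAC-SHA256 in counter mode as a stand-in for the 128-bit AES or Blowfish the page names (Python’s standard library has no AES), the PBKDF2 work factor is illustrative, and the Vault class, the backup/restore/verify_restore functions and the sample patient record are constructed for this example.

```python
# Added example (not ABACUS code): client-side encryption under a password only
# the CE holds, a separate vault-account login, an audit trail, and a test restore.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumption: illustrative work factor


def derive_keys(password: str, salt: bytes):
    """32-byte cipher key and 32-byte MAC key from the CE's encryption password;
    without the password they cannot be recomputed."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a stand-in for the 128-bit
    AES/Blowfish the page names (the standard library has no AES)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(8, "big"), "sha256").digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_blob(password: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC at the source: salt || nonce || ciphertext || tag.
    This blob is all the vault ever receives."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def decrypt_blob(password: str, blob: bytes) -> bytes:
    """Verify the tag first: a wrong password or an altered blob fails here and
    no plaintext is produced."""
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + body, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong encryption password or altered data")
    return _keystream_xor(enc_key, nonce, body)


class Vault:
    """Off-site vault: enforces the vault-account login (first level) and stores
    opaque blobs.  It never sees the encryption password (second level)."""

    def __init__(self):
        self._accounts = {}  # username -> (salt, PBKDF2 hash of vault password)
        self._store = {}     # (username, object name) -> encrypted blob
        self.audit_log = []  # (action, username, object name), per 164.312(b)

    @staticmethod
    def _hash(vault_password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", vault_password.encode(), salt, PBKDF2_ROUNDS)

    def create_account(self, username: str, vault_password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = (salt, self._hash(vault_password, salt))

    def _authenticate(self, username: str, vault_password: str) -> None:
        salt, stored = self._accounts.get(username, (b"", b""))
        if not stored or not hmac.compare_digest(stored, self._hash(vault_password, salt)):
            raise PermissionError("vault account authentication failed")

    def put(self, username, vault_password, name, blob):
        self._authenticate(username, vault_password)
        self._store[(username, name)] = blob
        self.audit_log.append(("backup", username, name))

    def get(self, username, vault_password, name):
        self._authenticate(username, vault_password)
        self.audit_log.append(("restore", username, name))
        return self._store[(username, name)]

    def raw_bytes(self, username, name):
        """What a vault operator can read off disk: ciphertext only."""
        return self._store[(username, name)]


def backup(vault, username, vault_password, enc_password, files):
    """Encrypt each file at the source, send only ciphertext, and keep a local
    manifest of plaintext digests for later test restores."""
    manifest = {}
    for name, data in files.items():
        vault.put(username, vault_password, name, encrypt_blob(enc_password, data))
        manifest[name] = hashlib.sha256(data).hexdigest()
    return manifest


def restore(vault, username, vault_password, enc_password, names):
    """Both levels are needed: the vault login to fetch, the password to decrypt."""
    return {n: decrypt_blob(enc_password, vault.get(username, vault_password, n)) for n in names}


def verify_restore(vault, username, vault_password, enc_password, manifest):
    """Integrity control: restore everything and compare each digest with the
    one recorded at backup time."""
    restored = restore(vault, username, vault_password, enc_password, list(manifest))
    return all(hashlib.sha256(restored[n]).hexdigest() == d for n, d in manifest.items())
```

The vault operator’s view is raw_bytes(): because the encryption password never leaves the CE, the stored blob carries no plaintext, and decrypt_blob() refuses to produce output unless the tag verifies, so a wrong password or an altered blob is reported rather than silently restored as garbage. The manifest kept on the CE side is what makes a periodic test restore a real integrity check rather than only a successful download.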

 
 
Copyright (c) 2008 ABACUS Online Backups