
Encryption in Backup: Transfer and Storage


If all keyboards had this, we would lose a lot of data recovery cases. Photo credit: GotCredit https://flic.kr/p/rEDtyM

I recently wrote a fairly lengthy article on encryption and how it can decrease the chances of a successful data recovery. A few weeks later, unsurprisingly, that still holds true. Things don’t change very rapidly when it comes to encryption and data recovery.

 

Now I’d like to take some time to look at the positive uses for encryption, especially as it pertains to backup storage and transfer. First we’ll go over how Gillware uses encryption in our backup, then we’ll cover HIPAA compliance and SOC II Type 2 security audits. Plus a little on hackers and encryption (and backup).

 

Gillware Backup – File-Based

 

Our file-based automated backup solution, which allows users to back up only the files that they think are important, automatically generates a unique encryption key (we don’t use that website, but it’s still cool) before the process starts.

 

After the system scans for files that are ready for backup, it compresses and encrypts them so they are ready for transfer. Because these files will be transferred over the Internet, the data is always transferred using the SSL protocol, or Secure Sockets Layer.

 

This is a form of public key encryption that can be used to transfer data over the Internet securely. You can be sure the website you’re using is utilizing the SSL protocol if the web address begins with HTTPS rather than just HTTP. If you’re reading this blog post right now, go ahead and look at the web address for an example. In the future, be careful not to input any personal information on a webpage that isn’t utilizing the SSL protocol, as it’s most likely a scam.

 

After the data gets to our backup servers, it remains encrypted in the servers at one of our data centers with state-of-the-art security. If a user wants their data restored, we merely send them the encrypted data by once again utilizing the SSL protocol. When it arrives, they use the unique encryption key to decrypt it.

 

Gillware Backup – Full Image


Full image is similar to this, but also completely different. Photo credit: Alysha Koby https://flic.kr/p/fv24ct

In addition to file-based backup, Gillware also offers a full-image backup solution. Full image essentially takes a snapshot of your entire drive or server so you have all your data as well as all your configured settings ready to go should you ever require a restore. Similar to our file-based solution, our full image backup encrypts the snapshots we take and stores them securely on our servers. Easy-peasy.

 

Aside from the various rules and regulations we use encryption to comply with, encryption also helps reassure our customers that their data is secure. Because it is. If you read the blog post on encryption and data recovery, you’re familiar with the idea that encrypted information is just about impossible to access without the key. Since I started writing this blog post, that fact also still holds true. To put it in perspective, if you tried to brute force attack a 2048-bit SSL certificate, that is, have your computer guess every possible combination, it would take more than six times the entire history of the universe. Of course, there are more savvy ways to find the right answer, but you get the idea. Big, big, big numbers.

 

HIPAA Compliance

 

Also known as the Health Insurance Portability and Accountability Act of 1996. Title II of this Act sets national standards for electronic health care transactions, one of the most important parts being privacy and data security of patient medical records.

 

Repeat after me: HIPAA compliance, not HIPAA certification. It’s illegal to violate HIPAA. Not frowned upon. Illegal. Well, frowned upon too I suppose. We would be fined a lot of money and would lose a whole lot of credibility as a data backup service if we violated HIPAA and did not follow all regulations regarding medical record storage and transfer.

 

The regulations apply to health plans, health care providers, health care clearinghouses and their business associates, the latter being the category Gillware falls under. If any health care entity chooses to use Gillware to back up medical information, it is our responsibility and obligation to be HIPAA compliant or face heavy non-compliance fines.

 

Without being too long-winded, the information it pertains to is any Patient Health Information (PHI or ePHI for electronic info) that might reasonably lead to identifying someone using that personal information.

 

With regard to transfer, all ePHI must be encrypted during transfer with a minimum of 128-bit encryption, including through email.
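The transfer rules described above (data always sent over SSL, with a 128-bit minimum for ePHI) can be checked on the client before any upload starts. The following is an added example, not Gillware's code: it uses Python's standard `ssl` module, which implements TLS, the successor to SSL, and the helper names `hardened_context`, `weak_ciphers` and `audit_context` as well as the sample cipher list are assumptions made for illustration.

```python
import ssl

MIN_BITS = 128  # the 128-bit floor for ePHI in transit stated above


def hardened_context():
    """Client context for a backup upload (hypothetical helper)."""
    ctx = ssl.create_default_context()              # verifies cert chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse SSLv3 / TLS 1.0 / 1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # TLS 1.2 suites; 1.3 suites stay on
    return ctx


def weak_ciphers(ciphers, min_bits=MIN_BITS):
    """Names of suites whose effective key strength is below min_bits."""
    return [c["name"] for c in ciphers if c["strength_bits"] < min_bits]


def audit_context(ctx, min_bits=MIN_BITS):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname checking disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 allowed")
    for name in weak_ciphers(ctx.get_ciphers(), min_bits):
        findings.append(f"cipher below {min_bits} bits: {name}")
    return findings


# Constructed sample in the shape returned by SSLContext.get_ciphers().
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
    {"name": "AES128-SHA", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "NULL-SHA", "strength_bits": 0},
]

if __name__ == "__main__":
    print(weak_ciphers(SAMPLE_CIPHERS))
    print(audit_context(hardened_context()))
    insecure = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    insecure.check_hostname = False   # must be cleared before CERT_NONE is accepted
    insecure.verify_mode = ssl.CERT_NONE
    print(audit_context(insecure))
```

An HTTPS address alone says nothing about the negotiated strength; after a real connection, `SSLSocket.cipher()` reports the suite and key bits actually in use.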

 

With regard to storage, all ePHI must either be encrypted or destroyed. It turns out that in most cases, it’s actually easier to just encrypt something rather than attempt to completely destroy it. Since one other stipulation on ePHI is that it must have backups in case of technical failure or disaster, I think we’ll stick to encryption. And we’re a backup service, so it’s a better business model for us to encrypt HIPAA protected information rather than destroy it.

 

Protecting patient health information is vitally important in the healthcare industry. As such, encryption plays a huge role in ensuring the security of that information and helps to protect patients from any sort of data breach that might negatively impact them.

 

SOC II Type 2 Audited


Service Organization Control II

One other topic we’ve written about numerous times is the fact that Gillware is SOC II Type 2 audited every year to ensure we meet strict standards laid out for data centers to protect data.

 

Unlike HIPAA compliance, being SOC II Type 2 security audited is more of a personal preference that proves the security of our facilities to our clients. We’re not required to undergo these audits, but they serve as a valuable indicator of the strength of our security and are performed by an independent third party to ensure we’re as good as our word.

Encryption also factors into our SOC II Type 2 status by ensuring all our data, including our clients’ data as well as our own networks, are encrypted and secure. No one has access to anything they’re not supposed to, and that includes protection from unauthorized internal access.

 

Encryption and Hackers (and Backup)

 

Black hat hackers, that is, those who use their computer know-how for mostly malicious or personal gain, have often used encryption as a way to extort people. There are many iterations of this virus, but we just go by the name “Ransomware” as a catchall term. They encrypt all your files and extort you to pay them hundreds of dollars or the files will remain encrypted forever.

I’m genuinely curious what he hopes to achieve by grabbing the monitors. Photo credit: Brian Klug https://flic.kr/p/bt5yno

 

Fortunately for some people, if they have a backup of those files from before the ransomware attack, we can easily just restore those items to their computer and the ransom can be ignored.

 

Conclusion

 

We’ve seen how encryption can help tremendously in data security, especially as it pertains to data transfer and storage. We’ve even seen a case of how backup can help with getting around cases of bad encryption. At the end of the day, encryption should be used with moderation as with anything else.

 

The real value of encryption comes with understanding when it’s necessary to use, and when you might be able to do without it. As I mentioned in the last post, there can be some pretty negative outcomes if encryption isn’t handled properly. Diving right in without knowing what you’re getting into can lead to problems down the road. Remember to do your research first and ensure that not only is encryption necessary in a particular situation, but also understand how to appropriately use it.

EDIT: As of September 2016, Gillware Online Backup has been acquired by StorageCraft.
