The MSP’s Guide to Regulatory Compliance: Backup Edition
Is your backup solution meeting your clients’ regulatory compliance requirements? As an MSP, your clients depend on you for technology solutions that meet all their needs, and take their budget, size and daily operations into account. For some of your clients, especially those in the healthcare and financial industries, federal regulations pose additional challenges when implementing IT solutions.
Oftentimes, these industry-specific regulations are difficult for those in the relevant field to understand, and even more difficult for you as an MSP to keep track of. To help you out, we’ve outlined the requirements of a few of the more common industry-specific regulations, and how they relate to backup and disaster recovery:
- HIPAA (Health Insurance Portability and Accountability Act): Regulating those in the healthcare industry and their business associates, HIPAA includes a series of standards for the way personally identifiable patient data is handled.
  - Data must be encrypted during storage and transfer: Choose a backup solution that uses a minimum of 128-bit encryption. Many covered entities and business associates have trouble with this provision because older backup methods, including tapes and disks, are moved freely and unencrypted.
  - Data must be recoverable: What good is a backup if you can’t restore from it? Covered entities must be able to fully restore an exact copy of data if it is lost.
  - Data must be backed up frequently: In the healthcare industry, data is constantly changing. Backing up weekly is not frequent enough. In the case of a restore, the most current information needs to be available.
  - Data must be stored offsite: In case of a disaster such as a fire or flood, local backups will not suffice. Offsiting data backups is critical for HIPAA compliance.
  - Security measures must be observed during recovery: In case of an emergency, data still needs to be encrypted and handled securely during the restore process.
  - Backup and recovery plans must be documented: It’s a good idea to have a documented disaster recovery plan anyway. But when dealing with HIPAA covered entities, written backup and recovery procedures are a requirement.
  - Recoveries must be tested: In order to ensure backups are working properly, regular testing is required on all backups of patient data.
- SOX (Sarbanes-Oxley Act): Regulating all public companies’ financial transactions, SOX includes rules regarding the retention and control of electronic records.
  - Records must not be destroyed, altered or falsified: Having accurate electronic records and backups of those records is necessary for those required to comply with SOX regulations.
  - Retention periods: Depending on the type of data, records need to be maintained for five to seven years. To maintain data integrity, storing the data on tapes may not be enough. An additional storage point should also be considered.
- SOC (Service Organization Controls) Audits: Though not legal regulations as such, these audits are undergone by service organizations dealing with information systems. The audit is performed by an independent CPA to build trust in an organization. Gillware Online Backup has undergone the SOC 2 Type II Audit and has been reviewed in the following categories:
  - Security (The system is protected, both logically and physically, against unauthorized access): Both our online backup data center and our internal networks are protected from outside threats or vulnerabilities. Both our office and data center have protected physical access and careful documentation of visitors. Our networks are password protected and encrypted to prevent unauthorized access.
  - Availability (The system is available for operation and use as committed or agreed to): As an online backup provider, Gillware knows the importance of network availability. All of the machines in our offices are securely backed up and available in the event of a disaster. We have emergency protocols in place so that our internal network and data center are always available.
  - Confidentiality (Information that is designated “confidential” is protected as committed or agreed): All Gillware employees are required to sign confidentiality agreements to protect sensitive information. All backed-up data is encrypted during transfer and storage to prevent outside access. Backed-up data is stored in our secure data center owned and operated by Latisys.
- FINRA (Financial Industry Regulatory Authority, Inc.): FINRA is an organization that handles member regulation, enforcement and arbitration for the New York Stock Exchange. Covered entities include brokerage firms and exchange markets. As part of these regulations, FINRA Rule 4370 covers business continuity planning:
  - Creating and Maintaining a Business Continuity Plan (BCP): This includes data backup and recovery, both in hard copy and electronically. The firm’s BCP must address any relationship with outside vendors that provide part of its services, for example an MSP providing backup services.
  - Disclosure Requirement: In order to help their customers make educated decisions about who to invest money with, firms must disclose a summary of their business continuity plan. In the event that something should disrupt future business, the firm must have a plan to respond and maintain operations.
  - Annual Review: The firm’s BCP must be reviewed by a designated member of senior management each year.
To make regulatory compliance easier for MSPs, Gillware offers a comprehensive suite of backup solutions to meet your clients’ unique needs. Our file-based backup is perfect for laptops and desktops; with the rise of the mobile workforce, regulations still apply, and our automated backup solution ensures there are no gaps in backups. On the flip side, our Full Image Backup is designed for servers and can back up full system images both locally and in the cloud. In combination, these two solutions can help your clients achieve regulatory compliance with their backup strategies.
Do you encounter these or other regulatory compliance concerns when dealing with clients as an MSP? Let us know in the comments. For all your data backup needs, check out Gillware Data Solutions.