Compliant WORM Storage – A Vital Tool to Assure HIPAA and HITECH Compliance

by Thomas Finn

Healthcare organizations, regardless of size, are required to meet HIPAA/HITECH requirements for records retention, privacy, protection and security. When making the IT investments to meet these obligations, larger healthcare organizations are at an advantage compared to smaller hospitals because of larger budgets and because economies of scale let them more quickly recoup their costs. It’s no secret that smaller hospitals can suffer from a relative paucity of IT resources, including smaller budgets, fewer IT personnel, a narrower range of IT expertise, etc. Larger healthcare organizations can choose to invest in multiple applications, hardware systems, and IT personnel with specialized expertise without adversely affecting their bottom line. Smaller hospitals normally don’t have this luxury. There is, however, an available technology that can provide regulatory compliant levels of records retention, protection and security – non-proprietary WORM HDD storage solutions.

Ablative Optical WORM, and later CD-R and DVD-R, technology came into widespread use for permanently storing records during the late ‘80s and ‘90s. Optical storage systems are still used by many hospitals for archiving PACS imaging data, for instance. Different types of media are available to meet the different archiving needs: true Archival Write-Once-Read-Many (WORM) prevents the data from ever being erased, Compliant WORM media prevents any modification of records once they are written but does allow specific records to be erased at the end of their retention periods, and Rewritable media, of course, allows data to be written, altered and erased.

While Optical Archive systems are flexible enough to meet the various regulatory compliance and governance requirements, they also have a number of drawbacks compared with HDD and hybrid HDD/SSD drive arrays. In short, they’re more expensive, more prone to failure, eventually require off-line storage once the disks or cartridges get full, and have slower R/W times and lower data transfer rates. For these and other reasons, most hospitals now use HDD-based storage systems to meet their HIPAA/HITECH requirements for storing medical records.

HIPAA/HITECH Requirements for Data Storage
Covered healthcare entities need to meet a variety of HIPAA/HITECH requirements for the storage and handling of patient records, or face fines and/or loss of incentive payments. These requirements are included in the following Rules:

  • HIPAA Security Rule 45 CFR Part 160 and Subparts A and C of Part 164
  • HIPAA Privacy Rule 45 CFR Part 160 and Subparts A and E of Part 164
  • HITECH Act Rule 45 CFR Part 170.210

Security Rule
The Security Rule requires that appropriate administrative, physical, and technical safeguards are taken to ensure the confidentiality, integrity, and security of electronic protected health information. Briefly, these consist of:

  • Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
  • Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data. Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
  • Implement a mechanism to encrypt and decrypt electronic protected health information.
  • Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Privacy Rule
The Privacy Rule requires appropriate safeguards to protect the privacy of protected health information (PHI). In terms of stored data this is mainly addressed by implementing procedural safeguards that control access to PHI and prevent its release.

§170.210 specifies minimum standards for the encryption and hashing algorithms used to protect electronic health information and ensure that the information is not altered, and specifies which record actions must be logged (audit trail).

WORM HDD technology was first developed in the early 2000s and is essentially a software implementation of Optical WORM/DVD-R technology, but without the disadvantages.

Since WORM HDD is a software implementation, and doesn’t depend on characteristics of the media to create permanent records, its Archive Data Storage capabilities are more flexible and can be adapted to meet multiple regulatory requirements:

  • Files can be locked forever, providing true Archive storage;
  • Files can be locked for different fixed periods of time, and then purged, to meet Retention requirements;
  • Files can be R/W;
  • Copies of data can be stored offsite for use in Disaster Recovery by using real-time Replication;
  • Archived data that is also encrypted is secured against deletions and modifications from accidental and intentional causes and kept private; and
  • Other HIPAA/HITECH requirements for stored data can be met through a combination of administrative and physical procedures used in conjunction with the above technical measures.
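To make the three lock behaviours above concrete (files locked forever, files locked for a fixed retention period and then purged, files left read/write), together with the Security Rule's requirement to corroborate that ePHI has not been altered, here is an added example; it is not code from the article or from KOM Networks. It is a small Python model of a compliant-WORM volume: the `WormStore` API, the record names, the retention period and the `FakeClock` are constructed for illustration, and a real WORM HDD product enforces these rules in the storage layer rather than in an application object.

```python
"""Toy model of Archival / Compliant / Rewritable storage policy (illustrative)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Optional


class Mode(Enum):
    """The three media behaviours described in the article, as software policy."""
    ARCHIVAL = "archival"      # true WORM: never altered, never erased
    COMPLIANT = "compliant"    # locked until retention ends, then erasable
    REWRITABLE = "rewritable"  # ordinary read/write storage


class RetentionError(PermissionError):
    """Raised when a write or delete would violate a record's lock."""


@dataclass
class Record:
    name: str
    data: bytes
    mode: Mode
    retain_until: Optional[datetime] = None   # set only for COMPLIANT records
    digest: str = field(init=False)

    def __post_init__(self) -> None:
        # Content hash taken at write time; recomputed later to corroborate
        # that the record has not been altered or corrupted.
        self.digest = hashlib.sha256(self.data).hexdigest()


class WormStore:
    """In-memory stand-in for a WORM HDD volume (hypothetical name and API)."""

    def __init__(self, clock: Callable[[], datetime]) -> None:
        self._clock = clock                      # injected so retention is testable
        self._records: dict[str, Record] = {}

    def is_locked(self, name: str) -> bool:
        rec = self._records[name]
        if rec.mode is Mode.ARCHIVAL:
            return True                          # permanent lock
        if rec.mode is Mode.COMPLIANT:
            return self._clock() < rec.retain_until
        return False                             # rewritable

    def write(self, name: str, data: bytes, mode: Mode,
              retain_for: Optional[timedelta] = None) -> None:
        if name in self._records and self.is_locked(name):
            raise RetentionError(f"{name} is locked; WORM refuses modification")
        retain_until = None
        if mode is Mode.COMPLIANT:
            if retain_for is None:
                raise ValueError("COMPLIANT records need a retention period")
            retain_until = self._clock() + retain_for
        self._records[name] = Record(name, data, mode, retain_until)

    def delete(self, name: str) -> None:
        if self.is_locked(name):
            raise RetentionError(f"{name} is locked; retention has not expired")
        del self._records[name]

    def verify(self, name: str) -> bool:
        """Integrity check: does the stored content still match its digest?"""
        rec = self._records[name]
        return hashlib.sha256(rec.data).hexdigest() == rec.digest

    def simulate_media_corruption(self, name: str, damaged: bytes) -> None:
        # Deliberately bypasses the policy layer: models bit rot or a bad
        # sector, which no software lock prevents but verify() detects.
        self._records[name].data = damaged


class FakeClock:
    """Controllable clock so the retention boundary can be exercised."""
    def __init__(self, start: datetime) -> None:
        self.value = start
    def now(self) -> datetime:
        return self.value
    def advance(self, delta: timedelta) -> None:
        self.value += delta


def _attempt(action: Callable[[], None]) -> bool:
    """True if the store permitted the action, False if its lock refused it."""
    try:
        action()
        return True
    except RetentionError:
        return False


def demo() -> dict:
    """Walk the three modes through write, overwrite, expiry and integrity checks."""
    clock = FakeClock(datetime(2024, 1, 1, tzinfo=timezone.utc))
    store = WormStore(clock.now)
    # Constructed sample records; the retention length is arbitrary for the demo.
    store.write("pacs/study-001.dcm", b"constructed image bytes", Mode.ARCHIVAL)
    store.write("records/visit.txt", b"constructed visit note", Mode.COMPLIANT,
                retain_for=timedelta(days=6 * 365))
    store.write("scratch/worklist.txt", b"draft", Mode.REWRITABLE)
    out = {
        "archival_delete_refused": not _attempt(lambda: store.delete("pacs/study-001.dcm")),
        "compliant_delete_before_expiry_refused": not _attempt(lambda: store.delete("records/visit.txt")),
        "compliant_overwrite_refused": not _attempt(lambda: store.write(
            "records/visit.txt", b"edited", Mode.COMPLIANT, retain_for=timedelta(days=1))),
        "rewritable_overwrite_ok": _attempt(lambda: store.write(
            "scratch/worklist.txt", b"final", Mode.REWRITABLE)),
    }
    clock.advance(timedelta(days=7 * 365))           # past the retention end date
    out["compliant_delete_after_expiry_ok"] = _attempt(lambda: store.delete("records/visit.txt"))
    out["archival_still_locked"] = not _attempt(lambda: store.delete("pacs/study-001.dcm"))
    out["integrity_before"] = store.verify("pacs/study-001.dcm")
    store.simulate_media_corruption("pacs/study-001.dcm", b"constructed image byt3s")
    out["integrity_after"] = store.verify("pacs/study-001.dcm")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the asymmetry it enforces: the lock decision depends on mode and clock alone, so an administrator with full access to the application still cannot shorten or remove a retention period once set, while the digest check catches the one failure the lock cannot prevent, silent corruption of the stored bytes. Real products add the same two controls (immutability and integrity verification) beneath the filesystem, and pair them with replication so a verified copy exists offsite.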

Many, but not all, WORM HDD systems are built on open-standards operating systems, yet they use proprietary interfaces, which makes them more complex and more expensive and increases the chance of vendor lock-in.

Major Vendor Solutions
Most major data storage companies have solutions that allow healthcare organizations to meet their HIPAA/HITECH obligations, and some of these solutions are based on WORM HDD storage. These solutions generally consist of a combination of (multiple) software applications installed on a server and pointed to a storage system.

  • Data Retention Software
  • Data Protection – Records Privacy – Encryption
  • Data Security – Backup Recovery – Stored Data Encryption – Anti-virus scanning
  • Archive Data Storage Software – (immutability)
  • Data Storage Servers

These systems normally provide excellent performance, but tend to suffer from a common set of drawbacks that can make them less than ideal for smaller healthcare organizations. Acquisition, integration, and maintenance costs can skew towards the high end. Many of the vendors of these systems use proprietary database applications, content-addressable storage (CAS) systems, hardware and equipment. Some of these systems may require proprietary connectors to work with the standard systems and third-party applications commonly used in healthcare organizations. In short, it’s very possible to get locked in to a particular solution (vendor lock-in) and be forced to pay increasingly high maintenance costs, because the expense of converting stored data to an open format can make switching prohibitively expensive.

Evaluating WORM HDD Storage Systems
Healthcare organizations in the process of expanding or replacing their current HIPAA/HITECH compliant data storage systems to lower their costs should investigate what non-proprietary WORM HDD technology-based solutions have to offer. Capable of multi-petabyte (PB) storage capacities, these storage systems can be a realistic solution for many healthcare organizations grappling with the rapidly growing amounts of data subject to regulation. They offer fast online search and retrieval of data and huge capacity — at a lower total cost of ownership than other solutions. Non-proprietary WORM HDD solutions have been available since 2001, with some running on Windows Servers, not requiring specialized hardware, and not involving proprietary connectors; all pluses for the many smaller datacenters that are trying to satisfy stringent compliance requirements on limited budgets.

Thomas Finn is a technical writer for KOM Networks.


WWPI – Covering the best in IT since 1980