In-Depth

HIPAA: The Storage Labyrinth

How recent Federal data protection regulations impact storage

• By Jon William Toigo
• 05/08/2003

I was naïve. A newcomer to on-line trading, I didn’t know at the time that the outcome had already been priced into the value of the stock. I learned my lesson the hard way.

I had a bout of déjà vu last week when Kirby Wadsworth, Chief Marketing Officer for Revivio, forwarded a PDF file to me containing the final report of an interagency panel that had been looking at Sound Practices to Strengthen the Resilience of the U.S. Financial System. A group from the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission (SEC) had been looking at the events of 9-11 and wondering what needed to be done to ensure that some future calamity would not devastate the national economy.

Kirby, who I regard as the best CMO in Lexington, MA, sent me the document to brag. He had speculated back in late 2002 that the regulators wouldn’t do much to change the obvious vulnerabilities represented by banks and brokers placing their primary and backup data centers and mirrored arrays within a scant 30 miles of each other. Earlier, the group had made some comments in the press that a 300-mile separation should be required for mirrors of critical data. Someone convinced them otherwise. Instead of specifying a 300-mile requirement, or even just stating that a 30-mile separation was inadequate, the group simply washed their hands of the issue. The document says, “The agencies do not believe it is necessary or appropriate to prescribe specific mileagerequirements for geographically dispersed back-up sites.”

I was naïve again. Politics is politics, and between the storage companies and the banking lobbies and who-knows-who-else, the opportunity to establish a data protection standard was lost. I suspect Kirby knew that the outcome had already been priced into the stock when the Microsoft decision came down, too. He is obviously a smarter guy than I.

Interestingly, there are some who heave a sigh of relief at the government’s hands-off approach to data protection in this decision. There are some IT service providers who wish that HIPAA—the Health Insurance Portability and Accountability Act—had never passed the legislature either. HIPAA imposes some hefty data retention and protection requirements on healthcare services and insurance companies. Someone sent me an e-mail that shows the Allstate logo on a billboard and underneath the hands it reads, “Don’t all die at once, or we’ll go broke.” Mention HIPAA to a healthcare facility administrator and you will get the same nervous chuckle.

It is a good example of a Pandora’s box that, once opened, seems to be emanating all kinds of bad humors. The story heard around HIPAA conferences is that when a certain California health insurer went belly up recently, its HIPAA-compliant data backups, stored at a data storage facility, became the burden of the offsite storage vendor. The vendor is no longer being paid for storing the data; nor is he allowed to put all the tapes out by the street for the trash collectors to haul away. HIPAA says the data must be preserved and protected from disclosure, and the offsite vendor inherited this responsibility because it was serving the company that created the data. Now that the insurance company is gone, the HIPAA requirements have rolled downhill to the service provider, who is not terribly happy about it.

Another HIPAA story I heard recently has to do with a fellow in a hospital IT department in the New England area who had some disk drives go bad in one of his arrays. Now he is in a quandary: HIPAA won’t let him send the drives back to the manufacturer for warranty replacement if it is at all possible that the data they contained in production use might still exist on the drives. The drive manufacturer won’t replace the drives if he doesn’t ship them. He could damage the drives beyond readability to comply with HIPAA, but the vendor won’t honor the warranty if he damages the drives deliberately.

The result of this legal twisting path is that the IT guy is stuck with his bad drives and needs to buy more rather than having his defective ones replaced for free. He said he considered using a big electromagnet to erase the data, but the legal department advises that such as scheme may be viewed as insufficient if the fellow can’t read the drive afterwards to confirm that the data they contained has been completely erased.

HIPAA was based on some well-intentioned goals to safeguard privileged and private health data from disclosure and to ensure that health records could follow folks when they transfer from one provider to another. No one knew they were uncorking the bottle containing the data genie.

The same may hold true with the Sarbanes-Oxley Act of 2002 (in formal terms, the Public Company Accounting Reform and Investor Protection Act of 2002, but PCARIPA doesn’t roll off the tongue like “Sarbox”). Intended to prevent another Enron or WorldCom debacle, legislators have decided to tighten corporate governance and auditing rules. Unfortunately, by forcing corporate officers to put their heads on the block over the accuracy of the data they report to the SEC, it also puts the storage manager’s head right next to them.

Officers must swear on a stack of Bibles that annual and quarterly financial reports contain no material errors or omissions. That means the storage guy (as well as the server guy, the network guy, and the IT manager) had better be sure that no bits are flipping randomly from plus to minus states.

What will happen if the Sarbox police catch an error in the data? I’d be willing to bet that the axe will fall not on the corporate exec but on the little storage guy. Maybe I’m just cynical, but if there’s one thing I’ve learned recently, it’s that the outcome has already been figured into the price.

Good luck.