Jump to content
TheMacMommy

Off Site, Online Digital Backup & Storage

Recommended Posts

I am in the process of helping a client start up an urgent care clinic. (It's the place you go when you can't get to see your PCP but you're not dying or need the ER) I've installed 2 iMacs for him. He will not be storing paper records on site and will be scanning all paper files. (got a sweet Fujitsu for that...love it BTW) I feel like I'm fighting an uphill battle because it seems no one else around here uses Macs in small business medical facilities. I'm trying to come up with a backup, archive and retrival protocol. I know, tall order and there is no one answer out there. My goal is redundancy redundancy redundancy because these are medical records with patient data that have to be stored for a long long time and there is no room for failure so I'm trying to be very careful and do as much research as possible before comitting to something. Plus there is also HIPPA laws to contend with so I'm not sure if the medical director can just take discs and store them in a safe in his house. Even if he could, I wouldn't recommend it.

 

Right now there are 2 external backup drives. 1 is a 750GB My Book Pro Edition USB 2.0 FW 400/800 7200RPM and the other is a 3.5 inch FreeAgent Pro 750GB Firewire 400/USB 2.0/eSATA. I didn't want to get 2 identical drives b/c I was paranoid about the remote possibility for both of them to fail for the same reason. I specifially got the My Book because it comes with Retrospect. It's been years since I've used Retrospect and although I'm not looking forward to using it b/c I fear it might be very complicated, I've heard good things about the s.w. so far so I'm willing to give it a try. My plan is to implement daily backups of the 2 computers and to have them swap these external HDs out each day so that one is always off site. Once they get half full, then I'll make it someone's job to archive off 2 sets of DVDs into binders. (A and B, keep set A on site for quick retrival, store set B off site in case of a catastrophic failure.)

 

Can anyone recommend good disc archiving software that would create a searchable db? Scenario: lawyer calls us to request medical records for John Q Smith from 3 years ago. I need someone to be able to launch an app, type in the person's name and unique identifiers and have the app tell them which disc those files are on so they can easily go pull out a binder from a locked cabinet and thumb through to get to the correct disc.

 

The problem with using external HDs is that somone will have to drive to some place each day and drop off DriveA and retrieve DriveB. This place has to be a quality controlled environment. We live in AZ so it can't be a locked mailbox somewhere or else the HD will bake in the heat. Then what happens when the clinic is closed for a holiday or over a weekend at some point? The backup schedule will be wonky and how will they know which drive goes where.

 

Sooooo, I was thinking perhaps online storage migth be a solution so that no one is physically having to move HDs from place to place which would also incur extra costs for drive time, etc.

 

Can anyone recommend a SECURE online storage vendor? A place I could trust with private patient data? I thought about getting a dot mac account for my client but I'm not sure how much data we'll generate in what amount of time yet but I can say there there will be DICOM images involved which have the potential to drive up the storage requirements quickly. And no, compression is not an option. The JPG versions of DICOM files I was told would not store patient data like we need them to.

 

Sorry for the lost post, but I'm not sure how to simplify this concept yet since it's all still new to me. I have tried calling other places of business to see what they do but I can never get an answer because no one wants to give out their secrets it seems.

 

So, I turn to my trusted Mac Community for some insight and suggestions...who better to ask, right?

 

Thanks in advance for any advice. I go to bed thinking about this and wake up thinking about it too, which is kind of annoying!

Share this post


Link to post
Share on other sites

the only thing i've thought of is renting a server... and uploading... but i have no clue about the software to use... good luck with this

Share this post


Link to post
Share on other sites

Wow.

 

There's an awful lot of things to think about.

 

First, paranoia is a good thing when contemplating disaster recovery (I think the new buzzphrase is Continuation of Operations Planning) so I really like the idea of 2 different kinds of drives.

 

I'm not sure, but I think HIPAA would require a secure connection to an offsite server. Personally, I'd want to use a VPN

 

Check out MacAttorney.Com for some useful information of Mac software. Maybe, even contact Randy Singer as he is an incredible resource of information for Macs in small businesses.

 

I do some more thinking and post more later/tomorrow.

Share this post


Link to post
Share on other sites

Regarding the software to use, here's what I have:

 

- Server with Linux

- OpenVPN on the server side, Tunnelblick on the client side

- NFS server

 

Works perfectly, data transfer is encrypted and fast.

Share this post


Link to post
Share on other sites

I like physical off-site storage (e.g., weekly) as protection against flood/fire/theft destroying the local infrastructure. I'm old, I like things I can hold in my hand. For large companies, that can simply be an exchange with a different building in the area. (E.g., if the doctors run two clinics, they could just exchange media between clinics periodically.) If that's not an option, Iron Mountain offers expensive but professional, reliable and convenient tape vaulting (they pickup on schedule with trucks that won't melt your media, and deliver when needed, in Phoenix and/or Tuscon. Maybe not if you're in Ajo, though.)

 

Amazon offers high-volume off-site storage in their Amazon S3 Simple Storage Service. It's flexible, with charges based on how much you store and how much bandwidth you use; it can work as both off-site backup and for regular on-line accessible data as part of out-sourcing your web or DB application. While it's very reliable and reasonably secure, it's only as secure as your access keys; so, I'd never trust it with unencrypted data. I haven't used it myself, but you might check out Jungle Disk for a Mac backup to Amazon S3 solution.

 

Anything sent offsite should be encrypted, always. (News reports that a backup tape or laptop got lost in transit and exposed thousand of customer records makes my head explode at the incompetence!) With a Mac, I'd stick my local databases in encrypted disk images (created with Disk Utility) and back them up.

 

One problem with any backup process is that they rely on humans, and humans are unreliable. Whatever the procedure, it needs a second person tasked with checking that backups are really made and dispatched. Backups need to be checked periodically. (I worked for a client once where the overnight tape backup program malfunctioned, and they had two months of blank tape, carefully labeled stored away, before someone noticed the log file errors. Luckily, this wasn't discovered too late, when someone needed the backup. Wouldn't that have been fun?)

 

If your disaster recovery plan relies on using Windows systems (assuming your application), you'll want a cross-platform storage and data encyption solution rather than Mac encrypted disk images (which are OS X only, and won't be accessible from Windows if you don't have a Mac around.)

 

I know nothing about HIPPA or HIPAA, or even why the same act has two acronyms. Based on 3 minutes web research (instant expert), Disk Utility's AES-128 would seem to be accepable HIPAA-compliant encryption for your data.

Edited by car1son

Share this post


Link to post
Share on other sites

The correct acronym is HIPAA which is sort for Health Insurance Portability and Accountability Act. I think some people believe it's called the Health Insurance Privacy and Protectiona Act because it deals a lot with data privacy but that's not the name of the act. And, of course, some people just forget and hit the P key twice (I've done it).

Share this post


Link to post
Share on other sites
The correct acronym is HIPAA which is sort for Health Insurance Portability and Accountability Act. I think some people believe it's called the Health Insurance Privacy and Protectiona Act because it deals a lot with data privacy but that's not the name of the act. And, of course, some people just forget and hit the P key twice (I've done it).

 

Yes, HuskerMn, you are correct...on both accounts. I admit I don't know the whole skinny on HIPAA; only basic things like if you need to email a patient's report, you must use encryption and that products like FileMakerPro and Adobe Acrobat comply and issue statements which detail their security protocols for use in an environment which interacts with private patient data.

 

Basically, the fact that there is such a protocol just makes me paranoid about making sure I advise my client well and put him on the right path for data security both on the business end as well as the privacy and protection of the consumer. I also have to pick my battles carefully as it is very easy to get in over your head when you're a contract IT Consultant. (I made it clear what my skill set is (limited) and what I am and am not comfortable doing, but they keep paying me, know what I mean?) That being said, there is another staff member who's duty it is to research all of these kinds of legal policies and protocols that go into this type of medical business. When I brought up my data security concerns and ideas to her and my client, she informed me that there is nothing in any of the legalese stating any kinds of information technology protocols for what we'll be dealing with and that she only included in her reporting to state inspection that yes, we will have off site backup and long term storage. That's it. Can you believe that? And, here is another interesting tidbit for you. My client checked with his medical billiing company and they told him that - because it is a private practice - it is legal for a staff member to take home with them a backup drive and bring it back the next day. I find that a little unsettling, don't you?

 

Just so you understand a little better as I now do; this is going to be an Urgent Care clinic. Because it's a private practice, it is not subject to some of the same rules and regulations that say an ER would be. i.e., and Urgent Care can refuse service. An ER can not refuse service. The patients that will be seen are walk ins. No appointments, which means there is no scheduling or consistent reocurring patients to track. They ARE, however, required by law to keep patient data for the long haul and must be able to provide it in the event something is later disputed like say 3 years from now someone turns up as having a major illness and they want to try and sue the urgent care, the data must be retrieved and presented for further study when requested. That part is the same regulation for other medical practices as well.

 

So, it would seem that it is at our discretion of how we handle our own long term storage and backups.

 

Since there is no written rule telling me that we must encrypt the data or that it must be stored at an approved off site area, then it's just a matter of being creative while covering our assets (ahem). Just because there is no law now doesn't mean that they won't turn around tomorrow and write one. So, I would rather proceed as though there were regulations and err on the side of caution.

 

My client is the Medical Director and he is perfectly fine with having a trusted staff member take an external HD drive home with them and bring it back the next day. (This will depend on shift schedules of course) He mentioned having the HD transported in a lock box of some sort. I still don't like this idea for reasons that car1son mentioned like data being exposed or lost in transit. He said it perfectly: "One problem with any backup process is that they rely on humans, and humans are unreliable." I'm thinking what if the person gets into a car wreck on the way home and the car catches fire? (of course I would hope the person is ok too) Or the car is stolen while they got groceries on the way home?

 

Same thing goes for the long term off site storage. I was thinking we would archive data from the backup drives onto 2 sets of DVDs and put them in binders. If set B is stored off site, there is nothing saying that that off site location can not be the home of the Medical Director. It would be up to him to have a locked safe to put the binders into in his home. I think I am ok with that solution but I'm leary of the transport issue. Either way, I just don't like the liability that these solutions pose, but I am in a position of advising, not making the final decision. So, I suppose all I can do is bring that point up and then he and his group will have to make the decision based on the facts and be responsible for the consequences.

 

And yes, good point, car1son I do plan to have them perform what I'll call 'retrieval drills' where we would simulate a situation periodically where someone would call the registration clerk, like a lawyer would do, and request some random patient records. I was thinking about putting a recurring event in iCal that would pop up say bimonthly and require them to perform that task. Perhaps on a weekly basis, someone's task is also to check the daily backups and open files at random and make sure the backups are running properly.

 

I was also thinking about cloning each of the entire HDs maybe every couple of months and creating a disk image so that in case the computer HD fails, we could re-image another one quickly and get them back on track. Maybe that's overkill?

 

I'll keep you posted on the progress and thanks so much for the links and resources for services and s.w. and I'll be checking them all out soon. I am still wanting to investigate online storage for the backups so if you think of any other places, let me know and I will compare all the links. Thanks again guys! You rock! :rolleyes:

Share this post


Link to post
Share on other sites
"One problem with any backup process is that they rely on humans, and humans are unreliable." I'm thinking what if the person gets into a car wreck on the way home and the car catches fire? Or the car is stolen while they got groceries on the way home?

I'm thinking more, "Jack is supposed to put a blank DVD in the backup drive every day for the next nightly backup, but he's a lazy jerk and usually doesn't bother." Someone with a baseball bat needs to be checking up on all the Jacks of the world. (Or the automated backup program needs to be able to detect problems and eMail or IM a manager, because Jack isn't going to check the logs, either.) Especially if you're just setting up the system but aren't going to be around regularly during operation. (It's a shame capital punishment can't be enforced in an employment contract. I think baseball bats are underrated as motivational tools.)

Share this post


Link to post
Share on other sites
I'm thinking more, "Jack is supposed to put a blank DVD in the backup drive every day for the next nightly backup, but he's a lazy jerk and usually doesn't bother."

 

or worse yet, but Jack is not lazy Jack but dumb-blonde Jane and just doesn't 'get it' and like - oh my God, like, I didn't know I was supposed to like do that....(I'm really reall sorry, that's bad and not PC at all but I couldn't think of a better way to say it....please...no offense to intelligent real blondes out there)

 

I want to stay away from using daily DVDs because of the amount of physical storage and liability that poses plus extra costs for shredding them safely and the space that will take up in a landfill somewhere else.

 

Has anyone used Box or Xdrive successfully and do you think they are a reliable source?

 

Thanks for the feedback.

Mom

Share this post


Link to post
Share on other sites
Does Mozy play nice with OSX now?

 

They have a beta version which I plan to try out as soon as I have some time. From the read me file it looks like a pretty nice (easy) way to back up.

Share this post


Link to post
Share on other sites
it won't allow me to back up... i hit the start backup button and it doesn't do squat

 

I just installed Mozy and set it to back up a folder. It seemed to just quit without doing anything, but on closer look, it put an icon in my menu bar. When I click on it you can show the status window which shows that it is indeed backing up. So, even though it appears to not do squat it's actually running in the background.

Share this post


Link to post
Share on other sites

well I'd let it sit over night... and every time it said "you do not have a successful backup. Would you like to backup now?

 

and i'd click yes... and it would say the same thing 2 day later... whether the computer was turned off or not.

Share this post


Link to post
Share on other sites
well I'd let it sit over night... and every time it said "you do not have a successful backup. Would you like to backup now?

 

and i'd click yes... and it would say the same thing 2 day later... whether the computer was turned off or not.

Pretty much what I have heard. Mozy has had that beta for a long time and the reviews say it doesn't play nice with macs.

Share this post


Link to post
Share on other sites
Pretty much what I have heard. Mozy has had that beta for a long time and the reviews say it doesn't play nice with macs.

 

I must be one of the lucky ones. It worked fine for me, albeit a bit slow. It took 3.5 hours to upload 407 MB using a cable connection.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing

    No registered users viewing this page.

  • Who's Online (See full list)

    There are no registered users currently online

×