Legal Obligations for Backup and Recovery
Some organizations that handle sensitive data have legal obligations to back up and store that data using a secure methodology, and there may also be retention periods that must be adhered to. Organizations in sectors such as healthcare, finance and accounting may not be aware of the exact rules they must follow. Meeting the requirements can be complicated and cumbersome, but it is not impossible.
Many organizations still follow a very old backup methodology: back up two weeks of data in a rotation, then overwrite that data in the third week. While this practice is cost effective and has been around for a long time, it may no longer meet the needs and legal requirements of an organization. If your company holds accounting records or patient records, you need to take a close look at the backup, retention and disaster recovery policies enforced by HIPAA, HITECH and Sarbanes-Oxley.
Some of the regulations the Sarbanes-Oxley Act refers to pertain to financial accounting for investor accounts, so it is important to understand the types of data your organization handles and which part of the law affects your business. If you think you may handle some of these types of data but are unsure of your legal obligations for backup and retention, find someone who has a good understanding of both technology and the law to review this for you.
For healthcare organizations there are specified retention periods for patient data as well as an offsite storage mandate; the data must be recoverable, and recovery must be tested periodically. All organizations should have a disaster recovery policy and test their methodology at least once per year to ensure data is recoverable and usable.
If you are responsible for backup and disaster recovery within your organization and are unsure about your legal requirements, I have provided some links below so you can read up on the laws and requirements. Although they may seem complex, and in some cases may be expensive to adhere to, compliance is not impossible.
References

Final Rule: Retention of Records Relevant to Audits and Reviews. (n.d.). Retrieved February 16, 2017, from https://www.sec.gov/rules/final/33-8180.htm

Overview of HIPAA and HITECH Data Security Requirements. (n.d.). Retrieved February 16, 2017, from https://www.micromd.com/hipaa-hitech-security-compliance-emr-pm-data-back-up/

Sarbanes-Oxley Act (SOX) Compliance: Requirements for IT Security. (n.d.). Retrieved February 16, 2017, from http://www.mythics.com/about/blog/sarbanes-oxley-act-sox-compliance-requirements-for-it-security

The Truth about HIPAA-HITECH and Data Backup. (2012, March 29). Retrieved February 16, 2017, from http://www.hbma.org/news/public-news/n_the-truth-about-hipaa-hitech-and-data-backup