Xanza (Posted August 13, 2013)

I do work for a doctor in my area (D.C.) who was working with a software suite called ChiroTouch. The program stores all patient data in a database located on the local hard drive. Naturally, the doctor was worried about data corruption and loss and was in the market for a backup solution. The ChiroTouch software comes with a paid backup solution to a secure cloud server run by the ChiroTouch dev team; however, it costs $59.00 per month per computer (4 computers, or $236/mo or $2832/year). For a small practice this type of expense is prohibitive; enter BTSync. Because of New York state HIPPA laws, the program must operate with at least 128-bit encryption and run behind (if wireless) WPA2 encryption standards. Disabling any outside connectivity via the BTSync setup enables the transfer to be HIPPA compliant and a viable backup solution. Each terminal (HP 420-1000t) comes with a 2TB 5400 RPM SATA 3G hard drive, allowing for more than enough space to back up the database (2,000 patients @ 13GB in size). I set up BTSync on all computers and created a distributed backup system (using read-only keys) to all terminals, meaning the office would need to suffer simultaneous (x4) catastrophic system failure to remove the possibility of data retrieval. (Or a fire would probably do the trick.) Since the solution uses free software (BTSync) and hardware that was already on site, BTSync is saving this doctor $2832/year in operational costs for as long as he uses the ChiroTouch program. I highly encourage anyone who owns a private practice to invest the time into knowing the positives and negatives of a self-hosted backup solution. I hope this ended up helping someone.
Tajnymag (Posted October 13, 2013)

Isn't this prohibited by the law about patients' privacy? I know that the servers aren't public, but I think that they could be easily hackable.
TheDurtch (Posted October 14, 2013)

Any server/computer, as long as it is connected to the Internet, is hackable.
Xanza, Author (Posted October 27, 2013)

> Isn't this prohibited by the law about patients' privacy? I know that the servers aren't public, but I think that they could be easily hackable.

> Any server/computer, as long as it is connected to the Internet, is hackable.

No, this is fully compliant with US HIPPA laws. Additionally, the servers aren't net-facing and are specifically denied requests to the open Internet -- both ways. This means that even though the server is connected to a network that has the ability to access the open web, any and all requests that are non-local are denied at the hardware level. This means that you have to manually update the client, but there is a zero percent chance that your data can be accessed, encrypted or decrypted, from anything that's not within the local network. Moving on from there, it's up to you to secure your local business network -- which for this instance uses WPA2-Enterprise (TKIP), in which each client is given a different encryption key to the server. This means that even if an attacker was able to access the local network by whatever means, the key they used to decrypt traffic wouldn't allow them to see unencrypted data regardless; meaning the data would be protected by WPA2-E TKIP and the BTSync keys. You can even add additional security by throwing shared keys into the mix -- but it's really overkill at this point.
mndudek (Posted November 4, 2013)

I'm not convinced you really understand the policies and laws regarding this; you don't even spell the acronym correctly. Check this out: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/ Without understanding how BTSync works, you can't be sure that it is HIPAA compliant, since BitTorrent hasn't divulged any info about the inner workings of the system. A security spokesman that I listen to regularly, Steve Gibson, on TWiT.tv's Security Now, has been asking for the details of BTSync for quite some time, and BitTorrent hasn't given anything of the sort. There is even a (rude) forum thread regarding this topic: http://forum.bittorrent.com/topic/24050-i-apologize-ahead-of-time-can-the-devs-stop-being-assholes-and-release-the-cryptoarchitectural-documentation-please/#entry68854 My opinion is that until such details are available, DO NOT USE THIS FOR ANYTHING HIPAA!
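The two posts above disagree on whether the setup can rely on BTSync's undocumented transport crypto. An added example, written for this thread and not taken from BTSync or ChiroTouch: sealing each database snapshot with AES-256-GCM from the Go standard library before it enters the synced folder, so the read-only replicas on the other terminals hold only ciphertext plus an integrity tag whatever the sync layer does. It assumes a random 32-byte key kept outside the synced folder and a per-snapshot label (such as the file name) as associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// sealBackup encrypts one database snapshot with AES-256-GCM so the file that
// lands in the BTSync folder is opaque to the sync layer and to every replica
// holder. label (e.g. the snapshot file name) is bound as associated data so a
// sealed file cannot be silently renamed to stand in for another one.
func sealBackup(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per snapshot
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Layout written to disk: nonce || ciphertext || GCM tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// openBackup reverses sealBackup; any modification of the stored bytes or a
// mismatched label makes gcm.Open fail, which is the restore-time integrity check.
func openBackup(key, sealed []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed backup too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// newGCM builds the AEAD; a 32-byte key selects AES-256 (assumed key length).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

Run sealBackup on the snapshot before copying it into the synced folder and openBackup at restore time; a failed Open means the replica was altered or is the wrong file.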