Dr. Office Backup Solution


Xanza

I do work for a doctor in my area (D.C.) who was working with a software suite called ChiroTouch. The program stores all patient data in a database located on the local hard drive. Naturally the doctor was worried about data corruption and loss and was in the market for a backup solution. The ChiroTouch software comes with a paid backup solution to a secure cloud server run by the ChiroTouch dev team; however, it costs $59.00 per month per computer (4 computers, or $236/mo or $2832/year). Being a small practice, this type of expense is prohibitive; enter BTSync. Because of New York state HIPPA laws, the program must operate with at least 128-bit encryption and run behind (if wireless) WPA2 encryption standards. Disabling any outside connectivity via the BTSync setup enables the transfer to be HIPPA compliant and a viable backup solution. Each terminal (HP 420-1000t) comes with a 2TB 5400 RPM SATA 3G hard drive, allowing for more than enough space to back up the database (2,000 patients @ 13GB in size). I set up BTSync on all computers and created a distributed backup system (using read-only keys) to all terminals, meaning the office would need to suffer simultaneous (x4) catastrophic system failure to remove the possibility of data retrieval. (Or a fire would probably do the trick.)

Since the solution uses free software (BTSync) and hardware that was already on site, BTSync is saving this doctor $2832/year in operational costs for as long as he uses the ChiroTouch program. I highly encourage anyone who owns a private practice to invest the time into knowing the positives and negatives of a self-hosted backup solution.

I hope this ended up helping someone. :)

Isn't this prohibited by the law about patients' privacy? I know that the servers aren't public, but I think that they could be easily hackable.

Any server/computer, as long as it is connected to the internet, is hackable.

No, this is fully compliant with US HIPPA laws. Additionally, the servers aren't net-facing and are specifically denied requests to the open Internet -- both ways. This means that even though the server is connected to a network that has the ability to access the open web, any and all requests that are non-local are denied at the hardware level. This means that you have to manually update the client but there is a zero percent chance that your data can be accessed encrypted or decrypted from anything that's not within the local network. Moving from there it's up to you to secure your local business network -- which for this instance uses WPA2-Enterprise (TKIP) in which each client is given a different encryption key to the server. This means that even if an attacker was able to access the local network by whatever means, the key they used to decrypt traffic wouldn't allow them to see unencrypted data regardless; meaning the data would be protected by WPA2-E TKIP and the BTSync keys. You can even add additional security by throwing shared keys into the mix -- but it's really overkill at this point.

I'm not convinced you really understand the policies and laws regarding this - you don't even spell the acronym correctly.

Check this out: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/

Without understanding how BTsync works, you can't be sure that it is HIPAA compliant, since BitTorrent hasn't divulged any info about the inner workings of the system.

A security spokesman that I listen to regularly, Steve Gibson, on TWiT.tv's Security Now, has been asking for the details of BTsync for quite some time, and BitTorrent hasn't given anything of the sort.

There is even a (rude) forum thread regarding this topic:

http://forum.bittorrent.com/topic/24050-i-apologize-ahead-of-time-can-the-devs-stop-being-assholes-and-release-the-cryptoarchitectural-documentation-please/#entry68854

My opinion is that until such details are available, DO NOT USE THIS FOR ANYTHING HIPAA!
