By Heidi Biggar
If you’re in the healthcare or financial industries, regulatory compliance has likely become a significant issue over the past couple of years.
You may also be overwhelmed by the vast number and types of technologies that are available-in the storage arena alone-that claim to be the answer to your regulatory compliance problems. Although many of these technologies can play a role in regulatory compliance, many do not-and others (e.g., e-mail archiving software) may need to be used in conjunction with other vendors’ technologies (e.g., records/content management software) to be truly effective.
For our Special Report this month, InfoStor contacted a number of companies in the healthcare and financial services industries to find out what they are doing to address regulatory compliance issues today. We think you’ll be surprised by the varied approaches users are taking to comply with increasingly stringent regulatory requirements.
For some users, regulatory compliance is a complex task, requiring significant-and sometimes costly-changes to business processes and underlying storage infrastructures, but for others it is more straightforward, requiring only the use of write-once, read-many (WORM) media to ensure that data is retained in an unalterable format.
For more information about compliance issues, technologies, and trends, we also recommend reading our three-part series on compliance, which ran on the covers of our September, October, and November issues last year.
Partners In Health
Issue: HIPAA compliance
Solution: Quantum DLTIce
As Partners In Health’s MIS coordinator Yusuf Karacaoglu can attest, regulatory compliance does not have to be complicated. In fact, it can be downright straightforward. For PIH, it boiled down to two words: WORM tape.
Partners In Health (PIH), a non-profit organization providing healthcare to underprivileged people in Guatamala, Haiti, Mexico, Peru, Siberia, and the US, has been able to meet HIPAA requirements by backing up its five primary data sites weekly to a single Quantum SDLT 600/DLTIce tape drive at its Boston headquarters.
“Before implementing SDLT 600/DLTIce our data wasn’t secure,” says Karacaoglu. “It could be altered-and that wasn’t good.”
PIH deals with a lot of sensitive data-from patient records to critical research data-that must not only be secured for privacy reasons (i.e., HIPAA compliance) but also be made readily available to clinical workers, physicians, and researchers around the globe to ensure continuity of care.
Karacaoglu says that its Quantum SDLT drive implementation met both of these stipulations: PIH data that is written to the tape drive is unalterable and it can be quickly accessed when needed. According to Karacaoglu, PIH is able to recover data about 10 times faster with the SDLT 600/DLTIce tape drive than it could with its previous storage technology, which consisted of a single 4880 tape drive.
“The 4880 required me to split the data in order to back it up,” says Karacaoglu. “Now I can back it up all at once to one device [the SDLT 600].”
As an added bonus, PIH has also seen a significant improvement in backup speeds due to the SDLT technology. Data that previously took eight hours to back up can now be backed up in about 1.5 hours, according to Karacaoglu.
PIH’s Boston server currently houses about 300GB of data. Karacaoglu estimates that he backs up about 45GB of data from the company’s various remote sites via FTP each week. The company has VPN access to all remote locations and also uses remote access software from Microsoft to facilitate data access among these sites.
Backup tapes are kept on-site for two to three days before they are moved off-site for archival purposes. PIH is an all-Windows shop. As for other HIPAA issues, Karacaoglu says he doesn’t have any and doesn’t anticipate any in the near term.
Issue: SEC 17a-4 compliance
Solution: Permabit Permeon Compliance Vault/iLumin Assentor
For nearly five years, Seattle-Northwest Securities, an investment banking firm and the largest underwriter of bonds in the Pacific Northwest, met SEC 17a-4 regulations with a combination of optical disc storage and e-mail archiving software.
But growing data volumes forced the securities firm recently to re-evaluate its compliance strategy. In July, the company began the transition from optical disc storage to WORM disk for compliance purposes; its e-mail archiving component remained unchanged.
According to Chu Abad, Seattle-Northwest Securities’ vice president of IT: “We had been using optical disc because, for a long time, it was the only technology available for regulatory compliance. We began evaluating new products because we needed more capacity.”
Abad says that while capacity was an issue with the optical systems the company had deployed, he was otherwise happy with optical disc technology. In fact, he was looking for a solution that was very similar to optical but with a greater storage capacity. Additionally, he required a solution that would integrate well with the company’s existing e-mail archiving software and with Microsoft Exchange. Other criteria included an open architecture, scalability, and affordability.
In terms of compliance, Abad says the disk/e-mail archiving combination had to meet SEC 17a-4 requirements for data preservation, data accessibility, indexing, and redundancy. (For a list of SEC 17a-4 requirements, see the table on p. 26, in the sidebar, “A closer look at HIPAA and SEC 17a-4.”)
Based on recommendations made by iLumin-Seattle-Northwest’s e-mail archiving software provider-the investment firm decided to evaluate three disk-based products: EMC’s Centera, Network Appliance’s SnapLock, and Permabit’s Permeon Compliance Vault. Abad says that all three products, though different in some respects, addressed his needs “somewhat.”
After a thorough evaluation of all three products, Seattle-Northwest decided on Permabit’s Permeon Compliance Vault, which had no volume limitations, met the various SEC requirements, and had a flexible architecture that could support growing data volumes, according to Abad.
The product was implemented last summer and is currently used to store all new archival data. For cost reasons, Seattle-Northwest opted not to migrate existing data off optical storage onto the Permabit platform. “Besides, we’re only required to keep e-mails for three years, which means we’ll be able to retire the optical system after three years,” explains Abad.
As for other compliance-related technologies, Abad is also looking into document-retention software to help him determine how much capacity he will need in the future.
Seattle-Northwest is a Windows-centric environment. The firm generates approximately 1,000 e-mails each day and currently uses about 0.5TB of the Permeon Compliance Vault’s 2TB total capacity. Late last year, Seattle-Northwest went through a mandated SEC audit, which Abad says it passed with flying colors.
Bronson Healthcare Group
Issue: HIPAA compliance
Solution: Network Appliance NearStore R200 Series running SnapLock/SnapMirror
Similar to Seattle-Northwest Securities, Bronson Healthcare Group, a community-owned not-for-profit healthcare provider in Kalamazoo, MI, was looking to give its existing compliance platform, which consisted of magneto-optical (MO) discs, a capacity boost.
Also like Seattle-Northwest, Bronson Healthcare was otherwise happy with its existing optical platform, which met HIPAA requirements for permanence and integrated well with Bronson’s picture, archive, and communications systems (PACS).
“We deal with terabytes of data, and magneto-optical was no longer cost-effective for us,” says Scott Dent, manager of network and infrastructure services for Bronson’s medical imaging department. WORM disk, not WORM tape, met his growing data requirements.
Bronson evaluated Network Appliance’s NearStore (running SnapLock and SnapMirror software), EMC’s Centera, and StorageTek’s DiscStor. Dent says he opted for the NetApp platform for several reasons-most notably because it integrated well with Bronson’s PACS system, met HIPAA requirements for patient data security, and was a familiar platform. (Bronson had already installed NetApp NAS filers.)
“EMC’s Centera didn’t have the same integration with our PACS system,” explains Dent. “And we already had Net-App filers, so it made sense to take advantage of the ability to manage both platforms with one application.”
Bronson implemented two NetApp NearStore R200 series filers, both running NetApp’s SnapLock and SnapMirror software. SnapLock is a WORM-based technology that allows users to lock volumes to ensure data integrity or permanency (in accordance with HIPAA regulations); SnapMirror allows Bronson to replicate data between two NearStore R200 filers from its primary location to an off-site location seven miles away.
These features aside, Dent says he also likes the R200’s ability to endure multiple drive failures within the same volume or RAID grouping without losing any data.
As for the future, Bronson plans to move document imaging data onto the NearStore R200 platforms and to address other HIPAA requirements (e.g., independent user authentication) from an application standpoint. But for now the organization is using the Network Appliance solution for HIPAA compliance issues related to its medical imaging efforts.
Dent says he moves around about 1.5GB of medical imaging data between the two NetApp systems daily. Both boxes are currently configured with 16TB of storage capacity.
(For more information about specific HIPAA requirements, see the table on p. 24, in the sidebar, “A closer look at HIPAA and SEC 17a-4.”)
State Street Global Advisors
Issue: SEC compliance
Solution: EMC’s Centera and Documentum software
For State Street Global Advisors (SSGA), an institutional investment banker, regulatory compliance is no trivial undertaking. With $1.4 trillion in assets under management, the firm’s compliance strategy is constantly under scrutiny by internal business line managers and external federal agencies, most notably the SEC.
To better meet compliance requirements today and in the future, the firm is currently in the process of transitioning its compliance strategy from one that centers on data backup and archival to one that is information-centric, which involves records/content management. The firm believes that in making this shift it will not only be able to better comply with various regulations by making information more readily accessible and manageable, but also potentially save significant money by reducing the amount of data that is actually stored on its EMC Centera systems. Content management software not only identifies this information, but also assigns appropriate retention policies for compliance purposes.
Explains Bob Shinn, head of State Street’s data/information life-cycle management (ILM) and storage business: “We’re moving from a data archiving situation to data records management. The industry and businesses we service are becoming painfully aware of misconceptions about how backup meets, or doesn’t meet, regulatory needs.”
One way to look at the situation is to consider the difference between backup and content/records management, says Shinn.
Backup gives you a lot of points of data access, but it provides little information about the data; content/records management, in contrast, allows you to “cherry pick” the information that you need in a streamlined fashion and according to business objectives, he adds.
Rather than having to go through the painstaking archival process of restoring data from tape and then applying that data to the application in order to get a record, Shinn opted to use content/records management software in conjunction with WORM disk to identify records and then apply policies to the records based on business objectives and regulatory requirements.
To get to this point, State Street Global Advisors is using a combination of outsourced professional services, WORM disk, and content management software.
State Street hired GlassHouse Technologies, an independent consultant and provider of storage services, to oversee the process and help define State Street’s vision and strategy for ILM and compliance, as well as make sure that its efforts are aligned with business objectives.
In terms of hardware and software, State Street implemented two EMC Centera systems in an active-active configuration-one at its Boston headquarters and the second at its off-site disaster-recovery site in Westboro, MA-as well as EMC Documentum’s content management software.
Before implementing the Centera/Documentum solution, State Street used tape and some optical devices, along with IBM’s TSM software, to meet compliance requirements.
A closer look at HIPAA and SEC 17a-4
Also known as the Kennedy-Kasselbaum Act, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations and businesses that deal with patient health information to take steps to simplify and standardize data exchange and to protect the confidentiality and security of all health data managed by the organizations.
All entities that handle, maintain, store, or exchange private health or patient-related information, regardless of size, are subject to HIPAA.
What are the requirements?
Though HIPAA’s requirements affect a broad range of areas, the focus for this audience is primarily on the Security Rules. The final Security Rule, which was published on February 20, 2003, provides a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
The Security Standard mandates safeguards for physical storage and maintenance, transmission, and access to individual health information. It applies not only to the transactions adopted under HIPAA, but also to all individual health information that is maintained or transmitted.
Additional requirements relate to disaster recovery, comprehensive user authentication, data protection, security, and audit trails.
What are the penalties for non-compliance?
Patients have the right to file a formal complaint with the US Department of Health and Human Services (DHHS) if they believe a covered entity has violated HIPAA requirements. DHHS has the authority to investigate and penalize covered entities. There are civil and criminal penalties associated with HIPAA noncompliance. Potential consequences include
- Civil penalties-$100 per violation, up to $25,000 per person, per year, for each requirement or prohibition violated;
- Criminal penalties-For knowingly violating patient privacy, the following federal criminal penalties apply:
- Up to $50,000 and one year in prison for obtaining or disclosing protected information;
- Up to $100,000 and up to five years in prison for obtaining or disclosing protected information under false pretenses; and
- Up to $250,000 and up to 10 years in prison for obtaining or disclosing protected information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm.
Compliance with HIPAA requires a comprehensive effort within an organization, including the development of many internal policies, ongoing training and audits of personnel and practices (see table, left).
In an effort to protect investors from fraudulent or misleading claims in the securities industry, the SEC in 1934 enacted the Securities Exchange Act, a set of laws that required records be made and kept for the purposes of review and auditing of securities transactions.
In 1997, the Commission amended the primary rule 17a-4 to allow broker-dealers to store records electronically, including electronic communications and messaging such as e-mail and instant messages.
Primarily broker-dealers and those individuals that trade securities or act as brokers for traders are subject to the regulations. Organizationally, these include banks, securities firms, stock brokerage firms, and any financial institutions that deal in the trading of securities of any type that are governed by the SEC. These include any entities that also fall under the jurisdiction of the National Association of Securities Dealers (NASD).
What are the requirements?
For brokerage firms, SEC 17a-3, the requirement to make records, and SEC 17a-4, the requirement to keep records, are most relevant. Specific rules surrounding retention, non-rewritable storage, and ease of retrieval and viewing are highlighted by 17a-4.
(NASD 3010 and 3110 refer to and inherit the same requirements of 17a-3 and 17a-4 as applied to the NASD, demanding the creation of policies and retention of reviewable customer records and transaction data.)
What are the penalties for non-compliance?
Criteria for compliance are strict and penalties for violation severe. By having an inadequate procedure and systems in place for the retrieval of e-mail as defined by SEC 17a-4, the SEC fined five of the largest investment banks in the world more than US$8 million dollars. Goldman, Sachs & Co., Citigroup Inc.’s Salomon Smith Barney, Morgan Stanley & Co., Deutsche Bank Securities Inc., and US Bancorp Piper Jaffray Inc. all agreed to pay and to review and report on procedures for e-mail retention. These penalties foreshadow potential penalties of more than US$1 billion, and up to US$500 million for some brokerages.
The following are simplified requirements for SEC 17a-4 and NASD 3010/3110. For a more detailed list of requirements, see table, right.
Firms must enact policies or implement technologies to enable
- Written and enforceable retention policies;
- Storage of data on indelible, non-rewritaable media;
- Searchable index of all stored data;
- Readily retrievable and viewable data; and
- Storage of data off-site.
Editor’s note: This material was excerpted from documents produced by ZipLip (www.ziplip.com).
Answers to commonly asked questions about e-mail compliance
Q: My CEO doesn’t think that archiving corporate e-mail is important for regulatory compliance, nor does he take personal responsibility for compliance.
The SEC, NASD Investment Advisors Act, HIPAA, and Sarbanes-Oxley all specifically recognize e-mail as a business record. In fact, 70% of all important business content is in, or accessible via, e-mail. CEOs can no longer ignore the requirements, or the penalties, both to themselves and to their company.
Q: The SEC auditors only come around every four years or so. I have plenty of time to deploy a solution and prepare for compliance.
Companies will never know when SEC auditors are going to show up. The SEC chairman has announced that the SEC is going to be more “preventive and anticipatory” in their audits and no longer wait for cause.
A compliance solution is also critical as companies will never know when they might be involved in a lawsuit unrelated to SEC or NASD auditing/compliance. A proper compliance solution will lower search and discovery costs and help minimize exposure.
Q: We’re already archiving in Exchange; isn’t that enough?
The SEC does not consider simply storing messages in Exchange to be compliant due to the ease of alteration or deletion of e-mail messages in Exchange. Also, Exchange does not properly record all types of e-mail messages required for compliance, including key types such as Blind Carbon Copies (BCCs) and group list aliases.
One of the key requirements of archiving for compliance is not just to store messages, but also to be able to search quickly and comprehensively in response to an audit or subpoena. Audits or subpoenas typically give companies very short time limits to produce requested communication. Exchange search capabilities are extremely limited, lack depth and granularity, and are simply not up to the task.
Q: I just want to meet the minimum requirements for compliance now and will consider upgrading down the road.
Waiting a year to implement a robust solution is playing with fire. Most compliance archival solutions store corporate mail in a proprietary format, which locks you in to their solution for the long-term, or will incur very high fees to migrate data to a future archival solution. A rigid and lesser-quality solution will be unable to move with the times and keep up with changing regulations.
Note: This is an excerpt from a larger set of FAQs by chief compliance officers. ZipLip has spent the last year accumulating data from more than 500 companies in regulated industries, including financial and healthcare, and at various compliance conferences in 2004.