HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996
The HIPAA law of 1996 charged the Secretary of the US Department of Health & Human Services with developing rules and regulations for the protection of individual rights in the health care industry.
The subsequent Administrative Simplification amendment from the US Department of Health & Human Services created four major rules for the health care industry:
Standardization of electronic patient health, administrative and financial data transactions
Unique health identifiers for individuals, employers, health plans and health care providers
Security standards protecting the confidentiality and integrity of “individually identifiable health information,” past, present or future.
Privacy rules governing the use and management of individual personal and medical information.
While Oak Tree Storage is concerned about all the HIPAA requirements internally as well as for our clients, our electronic services are designed to help you meet these requirements in two ways: first, by providing for the electronic data backup, restore and (in certain cases) disaster recovery functions that are part of your HIPAA compliance processes; and second, by ensuring that our services, data, equipment and facilities themselves conform to the HIPAA requirements in terms of privacy and security in the following sections of the laws:
Access
For more specific information on these safeguards please refer to the Security/Privacy section of our website.
Oak Tree cannot and does not make any claim of privacy, security, HIPAA compliance or any other requirement for any data, files, databases or images on any media whatsoever, nor for any other electronic or manual information created, maintained or filed in its clients’ offices; it can, however, assure its clients of the privacy and security of any information properly backed up to our backup servers.
For disaster recovery server users, your encrypted data is installed on a server, and only you and/or the authorized personnel you designate will have access to this server, its applications, facilities and data. Such access is protected by various security measures, which are clearly explained in our User Manuals.
For any further clarification of the HIPAA requirements, see the following references:
The Law: (PUBLIC LAW 104-191; AUG. 21, 1996; HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996): http://aspe.hhs.gov/admnsimp/pl104191.htm
HIPAA Information (HHS): http://www.hhs.gov/ocr/hipaa/
US Department of Health and Human Services; US Office of the Assistant Secretary for Planning and Evaluation; Administrative Simplification in the Health Care Industry: http://aspe.hhs.gov/admnsimp/
US Govt Dept of Labor – HIPAA: http://www.dol.gov/dol/topic/health-plans/portability.htm
To discuss Oak Tree’s HIPAA compliance further, please contact Oak Tree Storage, LLC at custserv@oaktreestorage.com.
The Sarbanes-Oxley Act of 2002 (“SOX”) is a highly complex and dynamic set of rules designed essentially for the financial protection of individuals, although it focuses on record-keeping, reporting and auditing functions for corporations. It establishes different compliance dates and rules for different-sized companies, and has different rules for private versus public companies.
While Oak Tree Storage, LLC, meets any and all SOX requirements that apply to it, it also provides the means for its clients to meet the SOX requirements for internal processes and controls, to the extent that the SOX rules (for companies meeting its compliance and reporting criteria) require your organization to have functions and processes in place to minimize or eliminate “…all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s [your] ability to record, process, summarize, and report financial data and have identified for the issuer’s [your] auditors any material weaknesses in internal controls;…” (Title III, Section 301, Sub-section 3, Paragraph A: “Section 10A of the Securities Exchange Act of 1934 (15 U.S.C. 78f) is amended by adding at the end the [preceding] to: ‘(m) STANDARDS RELATING TO AUDIT COMMITTEES.—’”).
For the indexed, full text of the Sarbanes-Oxley Act of 2002, see:
http://thomas.loc.gov/cgi-bin/query/z?c107:H.R.3763.ENR:
For a brief, informative summary of the Sarbanes-Oxley Act of 2002, see:
http://www.aicpa.org/info/sarbanes_oxley_summary.htm
To discuss how Oak Tree’s services help you meet your specific compliance requirements, contact us at custserv@oaktreestorage.com.
To ensure the security and privacy of your data, Oak Tree provides two forms of encryption for your data:
1. All your data on Oak Tree servers is pre-encrypted – by you – with one of three industry-standard encryption methodologies (your choice of AES, TripleDES [a/k/a DES3] or TwoFish) based on an encryption key that only you, the client, possess (Oak Tree will not accept retention, maintenance or even knowledge of any client encryption key). These are 128-bit symmetric keys, of the kind used by the major banks, brokerage firms and insurance companies throughout the world as well as the U.S. Government (see note below). This encryption occurs on your computer equipment before your data is transmitted over the internet to our highly secure facility. This world-class security is reinforced by your choice of two different encryption modes.
2. Once encrypted, your data is sent to the Oak Tree servers via Oak Tree transmission services using the industry-standard Secure Sockets Layer (SSL) protocol with a randomly generated 1024-bit RSA public key to further secure the transmission of your already-encrypted data. The strength of this encryption depends on the key size used during the transmission process (usually preconfigured on your computer), but it is highly secure even with the smallest allowable key. This protects your already-encrypted data in transit from any and all possible intrusions or hacking.
In addition, during the initial encryption and compression procedure on your computer/server, a random value (technically consisting of an initialization vector, salt and iteration count) is generated and applied to each file when it is encrypted.
Oak Tree uses the AES encryption method by default. The Advanced Encryption Standard (AES) option also gives you a choice of Cipher Block Chaining (CBC) or Electronic Codebook (ECB) mode.
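As an added illustration (not Oak Tree’s software), the following Go program shows what the CBC/ECB choice means for backed-up files: ECB encrypts each 16-byte block independently, so a file with repeated content produces repeated ciphertext blocks, while CBC with a fresh random initialization vector per file (the IV mentioned above) does not. The key and the sample file are constructed; the key stands in for the client-held key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// encryptECB encrypts each 16-byte block independently (input must be block-aligned), so
// repeated records or zero-filled regions in a backed-up file remain visible in the ciphertext.
func encryptECB(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 16 bytes (AES-128) in this demo
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// encryptCBC draws a fresh random IV for the file and prepends it to the ciphertext;
// chaining each block into the next hides repeated plaintext blocks.
func encryptCBC(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, aes.BlockSize+len(pt))
	iv := out[:aes.BlockSize]
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], pt)
	return out
}

// distinctBlocks counts unique 16-byte ciphertext blocks; far fewer than the block count means leakage.
func distinctBlocks(ct []byte) int {
	seen := make(map[string]bool)
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
	}
	return len(seen)
}

func main() {
	key := []byte("0123456789abcdef")                 // constructed AES-128 key, stands in for the client's key
	pt := bytes.Repeat([]byte("ACCOUNT-ROW-0001"), 8) // constructed file: eight identical 16-byte records
	fmt.Println("ECB distinct ciphertext blocks:", distinctBlocks(encryptECB(key, pt))) // 1
	fmt.Println("CBC distinct ciphertext blocks:", distinctBlocks(encryptCBC(key, pt))) // 9 (IV + 8)
}
```

Backup data routinely contains repeated records and zero-filled regions, which is why CBC is the mode to keep selected.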
The U.S. National Institute of Standards and Technology (NIST) created AES, which is described in a Federal Information Processing Standard (FIPS) publication. AES is a privacy transform for Internet Protocol Security (IPSec) and Internet Key Exchange (IKE) and was developed to replace the Data Encryption Standard (DES). AES is designed to be more secure than DES: it offers a larger key size while ensuring that the only known approach to decrypting a message is for an intruder to try every possible key. AES has a variable key length: the algorithm can use a 128-bit key (the default), a 192-bit key or a 256-bit key. (Oak Tree does not support the longer lengths, as they typically consume far more CPU time than most servers can make available for administrative functions.) A 128-bit key has 2^128 (about 3.4 x 10^38) possible combinations. It is estimated that it would take 8.77 x 10^17 years on very large computers to test all possible combinations.
According to the U.S. Government’s Committee on National Security Systems (CNSS, National Security Agency), Policy No. 15, Fact Sheet No. 1, National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information (June 2003):
“The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level.”
“Subject to policy and guidance for non-national security systems and information (e.g., FIPS 140-2), U.S. Government Departments and Agencies may wish to consider the use of security products that implement AES for IA applications where the protection of systems or information, although not classified, nevertheless, may be critical to the conduct of organizational missions. This would include critical infrastructure protection and homeland security activities as addressed in Executive Order 13231, Subject: Critical Infrastructure Protection in the Information Age (dated 16 October 2001), and Executive Order 13228, Subject: Homeland Security (dated 8 October 2001), respectively.”
Finally, each client user has the option of specifying an exclusive list of specific IP addresses from which their data may be accessible. This provides the added security of limiting locations that may access the Oak Tree servers. NOTE: You should be careful and thorough if using this option, as internal IP addresses will not function across the Internet, and any error in this regard might prevent proper access to your data. Be sure to consult a telecommunications expert before selecting this option.
While the remote possibility always exists that your data might be “physically” intercepted by expert hackers during its transmission, its “logical”, or data content is fully protected by this highest-level double-encryption, and will appear as indecipherable nonsense characters to anyone without your encryption key, which is required to decrypt your data. (For this reason, it is essential that you never lose your encryption key, but keep it in a secure location in your office or home.)
In addition, Oak Tree utilizes and maintains virus, spyware, malware and other intrusion prevention, detection and auto-removal software and other processes to ensure your data is highly secure and redundant. However, Oak Tree software does not scan your data for such intrusive software during its backup processes. Please keep in mind that certain data, in addition to programs, can harbor certain types of viruses. This includes Excel spreadsheets (.xls) and Word documents (.doc) with embedded macros. If these exist in your data, they will be encrypted and backed up along with your data.
Oak Tree further utilizes its own highly secure, state-of-the-art firewall with highly secure settings at its data center for further server protection. In addition, a CRC (Cyclic Redundancy Check) is performed on all data transmissions to ensure the completeness of the data being transmitted. This is a sort of “characters-transmitted” check-digit calculation performed by Oak Tree software on your (sending) server, and then again on our (receiving) server, as each small “piece” of encrypted data is transmitted. This ensures that all the “pieces” of encrypted data you sent from your server are exactly the same as the “pieces” of encrypted data we received at our server. In the event one or more CRCs don’t match, those “pieces” are re-sent from your server to ours. If this re-transmission occurs too often, the connection is dropped and re-established, and the process starts over again. In the event of a persistent problem, our administrators will contact you directly.
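The per-piece CRC check described above, as an added example in Go (not Oak Tree’s own software): the sender stamps each piece with its CRC-32, the receiver recomputes it and reports which pieces must be re-sent. The piece layout, piece size and sample stream are constructed. A CRC catches accidental transmission errors such as a flipped bit; it is not a keyed integrity check and does not by itself detect deliberate modification.

```go
package main

import (
	"bytes"
	"fmt"
	"hash/crc32"
)

// piece is one transmitted unit of the encrypted stream; the sender's CRC travels with it.
type piece struct {
	Index int
	CRC   uint32
	Data  []byte
}

// split cuts the already-encrypted stream into fixed-size pieces on the sending side
// and stamps each with its CRC-32. Each piece gets its own copy so the sender's data
// stays intact if a received copy is corrupted and has to be re-sent.
func split(stream []byte, size int) []piece {
	var out []piece
	for i, off := 0, 0; off < len(stream); i, off = i+1, off+size {
		end := off + size
		if end > len(stream) {
			end = len(stream)
		}
		data := append([]byte(nil), stream[off:end]...)
		out = append(out, piece{Index: i, CRC: crc32.ChecksumIEEE(data), Data: data})
	}
	return out
}

// verify recomputes each CRC on the receiving side and returns the indexes of the
// pieces that do not match, i.e. the ones to request again from the sender.
func verify(received []piece) []int {
	var resend []int
	for _, p := range received {
		if crc32.ChecksumIEEE(p.Data) != p.CRC {
			resend = append(resend, p.Index)
		}
	}
	return resend
}

func main() {
	stream := bytes.Repeat([]byte{0xA5, 0x3C}, 40) // constructed stand-in for 80 bytes of encrypted backup data
	received := split(stream, 32)                  // pieces of 32, 32 and 16 bytes
	received[1].Data[0] ^= 0x01                    // simulate a one-bit error in transit on piece 1
	fmt.Println("pieces to re-send:", verify(received)) // [1]
}
```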
Oak Tree’s physical facilities, in which it maintains its equipment, are highly secure, state-of-the-art technology environments. (See our website section for more details on our Data Center.)
Your encryption key is used to encrypt your files. It resides only on your computer (in an unreadable format) and is known only to you. It never appears in digital form as plain text anywhere. It is never transmitted anywhere across the network. If this key is lost, your backup files can never be recovered. Although technically Oak Tree has access to all files you stored on our backup server (in encrypted form), we have absolutely no knowledge of their contents, nor do we have any means of determining it.
Therefore: Please make certain you document your encryption key in a VERY SAFE PLACE where it will be well-protected and never lost. (It is maintained on your computer, but in pre-encrypted form – not plain text, and is indecipherable.) If you cannot enter your encryption key when you need to restore any of your data, you will NOT be able to recover your backup files and your data will remain irretrievable until and unless you enter your correct encryption key.