You know how every time you go to a new doctor, you have to sign this form (does anybody read it?) that talks about your rights to privacy for your medical records? Vendors of medical services have their own requirements to live up to, and Box has announced that it is complying with those regulations, in hopes that it will become more widely used as a file transfer medium in the healthcare industry.
“Compliance with the Health Insurance Portability and Accountability Act means that Box provides file redundancy to prevent data loss in a disaster, restrictions on employees’ access to documents, a breach-notification policy, data encryption and other features,” writes GigaOm’s Jordan Novet.
In addition, the company now has ten new healthcare applications. Box is doing this by partnering with a number of other vendors. According to Jasmine Pennic at HIT Consultant Media, those applications are:
- Clinical documentation: Drchrono, a cloud and web-based EHR application accessible from iPads and iPhones; and Umbie DentalCare, a dental care web-based practice management system for dentists available on the desktop and tablet.
- Care coordination: TigerText, an encrypted SaaS platform for secure text messaging in a clinical setting; Doximity, an online professional network designed for U.S. physicians; Medigram, a secure group messaging app for the hospital environment; and PostureScreen Mobile, posture analysis screening and evaluation software for mobile devices.
- Interoperability: MedViewer, a DICOM viewer for viewing, communicating and sharing medical images on iPhone and iPad; iPaxera PACS Viewer, a PACS viewing app designed for iPad, iPhone and iPod; and Medi-Copy, which provides Release of Information (ROI) request services and creates electronic copies of patient medical records.
- Access to care: HealthTap, which provides users with personalized health information and free online and mobile answers from physicians.
Box is also supporting the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act, and is investing in drchrono.
Compliance requirements include the following, writes Patrick Ouellette in Health IT Security:
- Data encryption occurs in transit and at rest
- Restricted physical access to production servers
- Strict logical system access controls
- Data file access granted by customers
- Audit trail of account activities on both user and content
- Formally defined and tested breach notification policy
- Training of employees on security policies and controls
- Employee access to customer data files is highly restricted
- Redundant data center facilities to mitigate disaster situations
Support for HIPAA and HITECH could also help the cloud storage company improve its reputation for security and privacy overall; various incidents have sometimes led to such services, rightly or wrongly, being seen as insecure. In particular, noted GigaOm, it may make Box more attractive to enterprise users, as well as for a planned initial public offering.
Moreover, HIPAA support could also make it easier for healthcare providers to implement BYOD, writes Ouellette. “Clinicians would now be able to set up secure cloud folders for a patient’s medical records or collaborate on a patient’s diagnosis with the Box mobile application in a compliant manner,” he writes.
HIPAA requirements can be pretty arduous; for example, the Boise-based healthcare analytics software company WhiteCloud Analytics had to have a separate set of doors, through which one can enter only by being buzzed in, due to HIPAA requirements.
Chances are, this isn’t the first such announcement. Now that Box has come up with the idea, one can expect that other cloud storage vendors — like Dropbox, Microsoft’s SkyDrive, Google’s Drive, and so on — will soon follow suit. Microsoft’s Office 365 already supports HIPAA and in fact the company has also announced improvements in its HIPAA support.
You’d think that, when planning a new data center, “Not Underwater” would be a primary criterion, but apparently that’s not true.
At least, that’s the observation GigaOm’s Barb Darrow recently made of a Digital Realty survey of managers’ data center plans. “Despite the angst that superstorm Sandy and Hurricane Irene caused data center providers and their customers in the New York metro area over the last two years, businesses still want to expand their data center capacity in that low-lying, suddenly storm-surge-prone area,” she writes.
Apparently the familiar is more comfortable than the unknown. According to the survey, two-thirds of respondents would rather see the data center in the city where they work, and target locations other than New York were Los Angeles (earthquakes and fires), Dallas (tornadoes), Chicago (blizzards), the San Francisco Bay Area (earthquakes again), and Phoenix.
“Of course, when two 100-year storms hit the same area within two years of each other, you might start evaluating new locations,” Darrow writes. “Then the question becomes what areas are not susceptible to natural disasters,” echoing what she wrote at the end of last year about Fidelity Investments setting up a data center in the far-from-water, far-from-earthquakes, yet tornado-prone Omaha, Neb.
And recall that last June, just a little ol’ thunderstorm took out Amazon Web Services.
The most important reasons given for data center expansion, Digital Realty notes, are (in order of priority) the need for increased security, energy efficiency, new applications/services, and more space. It isn’t clear whether “Not Being Under Water,” “Not Being on Fire,” or other variations on “Not Being Destroyed” were choices. (To be fair, when respondents were asked to provide multiple reasons for expanding data centers, “disaster recovery/Sarbanes-Oxley” came in second after “security.”)
The other interesting factor that cropped up was the data sovereignty issue. As you may recall, this is becoming more of a thing as an increasing number of countries, including the U.S., claim some degree of access to data stored on their shores, regardless of the data’s country of origin or the residence of the company that owns it.
“Geopolitical location of data” was extremely important to 50 percent of respondents, though it was slightly beaten out by data authenticity and security, physical security, control over the facility, and the total cost of the technology. “The two factors in data sovereignty (data authenticity/security and geopolitical/legal location) are the most important considerations for 29% of the respondents,” Digital Realty noted.
Physical security — that is, Not Being Underwater, Not Being on Fire, and Not Being Destroyed — was apparently a consideration for only 14 percent of respondents.
Got your party scheduled? The traditional foods made? Your gift list ready? Sunday is World Backup Day!
Now in its third year, the event — deliberately scheduled for the day before April Fool’s Day, to ensure your data is backed up in the case of a prank gone awry — is intended to encourage people to make sure their data is backed up, much like the days that daylight saving time starts and ends get piggybacked by Change the Batteries in Your Smoke Detector Day.
Last year, I didn’t find out til afterwards, but this year, I found out in plenty of time to celebrate it properly.
As of Thursday, almost 4500 people had pledged to observe the day, which not only includes making backups of your own data and checking your restores, but also alerting your friends and family.
Vendors such as Carbonite and Kroll also released surveys associated with backups. The Carbonite study found that 30% of small businesses believe their backup plan is insufficient, 45% said their organization had experienced data loss, and 14% were never able to restore their lost business information.
Small businesses often lack a formal disaster recovery plan because they do not have the budget, the survey showed, but there’s an average cost of about $9,000 for a small business to recover its data after a failure, Carbonite said.
Surveying its own users, Kroll Data Recovery found that of the 81% who do have backups now, 53% use an external hard drive, while 15% used tape and 15% used online or cloud backup services. And while 60% of its customers did have a backup running at the time of the data loss, it wasn’t current or was operating incorrectly, Kroll warned.
World Backup Day now also has posters and t-shirts, as well as a Tumblr. In addition, the event asks people to take pictures of themselves celebrating. “Be sure to take pictures or videos of you promoting World Backup Day!” reads the website. “Just send them to firstname.lastname@example.org, tweet us @WorldBackupDay, or submit them to our Tumblr!” There’s also a Facebook page, an Instagram feed, and a Pinterest page.
In addition, there’s a full press kit, which includes an infographic.
All kidding aside, it’s not a bad time to re-examine your backup strategy; a number of vendors actually do have World Backup Day Sales.
There’s even a contest.
And as a bonus, this year’s World Backup Day is also followed the next day by my favorite holiday, Cheap Chocolate Day, though you can’t always count on that happening, plus some people hold out for the traditional February 15 for that one.
AIIM, which is currently having its annual conference in New Orleans, has also released its annual report, “Information Governance — records, risks and retention in the litigation age,” where it surveyed a number of professionals in the industry about their attitudes toward issues such as E-discovery.
The report, which is freely downloadable, surveyed 512 information professionals.
Legal holds and E-discovery were the fourth most likely element to be included in an information governance policy, with almost 50% saying it was included (plus almost 20% who included it in an “all of the below” choice).
“Only 18% have a sufficiently comprehensive policy that covers all of these areas,” AIIM warns. “Taking these into account, over 80% in total have included information retention and access restrictions in their policy. While 75% include data protection of personally identifiable information, this is likely to be a legal requirement for almost any organization that keeps personnel records of employees. Only 57% are dealing with ‘information in motion’ i.e. laptops, USB sticks, etc. Only 49% have a policy on mobile access and only 27% are covering cloud-based file shares.”
In terms of email storage, about 55% of respondents said that employees were expected to manually declare or save important email messages as records, while more than 30% said they expected there were multiple copies of messages on various systems.
That said, while the content may be electronic, E-discovery mechanisms are still manual, the survey found, with 53% of respondents saying they are still reliant on manual processes for E-discovery searches across file shares, email and physical records. However, only about 5% either automatically classified important email messages as records or used outsourcing or the cloud for email archiving.
That’s even more so for social media interactions. Almost 35% said they believed there are social interactions that could be important but that they were not currently recording them; about 22% said they didn’t do social; and about 18% said they weren’t looking at the issue. 34% reported that they have used their social business records for purposes such as staff disciplinary action, staff dismissal, or resolving a customer/citizen dispute or complaint.
For E-discovery, more than 60% of respondents said they needed to deal with pre-trial requests by attorneys (e.g., US-style), about 25% for judge-directed disclosure (e.g., UK-style), about 15% for no defined disclosure (civil law, e.g., France, Germany), about 30% for competition/anti-trust, fraud, or trading investigation, and more than 20% said “All of the above.”
“We asked if respondents feel that their organization has a consistent and effective E-discovery mechanism across all of their physical and electronic records,” AIIM writes. “Overall, only 9% have achieved this, but a further 29% are optimistic that they are getting there. Another 24% have plans, but 20% consider the task to be simply ‘too difficult.’”
However, in what may be some incentive, the survey also asked respondents about the consequences of their lack of an E-discovery system. In the last three years, 14% of organizations have suffered from embarrassing data loss, 21% have disciplined or dismissed employees for non-compliance with governance policies, 31% have had issues with their regulators, and 18% have been questioned in court about their records, AIIM finds. “As might be expected, larger organizations score nearly double in many of these areas with, for example, 28% suffering from embarrassing data loss — an arguably bigger disaster for a large organization or well-known brand than a small one — and nearly half having issues with auditors or regulators,” AIIM writes.
How do you carve an elephant?
Simple. Take a block of wood and carve away everything that doesn’t look like an elephant.
How do you make a virtualization company? Simple. Take VMware and carve away everything that doesn’t look like a virtualization company. And then you spin it off.
EMC CEO and Chairman Joe Tucci announced today that the company was forming the Pivotal Initiative, comprising Pivotal Labs and Greenplum from parent company EMC, and Cloud Foundry, Spring and Cetas from VMware. It will be headed by former VMware CEO Paul Maritz, who was named chief strategy officer at EMC in July 2012, when speculation arose as to his future role. His role as chief strategy officer at EMC will now be shared with VMware CEO Pat Gelsinger and EMC COO David Goulden.
Altogether, Pivotal, which will technically come to life on April 1, is 69 percent owned by EMC and 31 percent by VMware, with about 1,250 employees and $300 million in revenue, though Maritz predicted it could be a $1 billion business in five years.
“What the newly minted Pivotal Initiative brings to the table is Greenplum’s parallel query and data processing strengths; Gemfire’s ability to rapidly ingest events (lots and lots of events); Cloud Foundry’s application development and deployment strengths and Spring’s Java rapid application development framework,” writes Barb Darrow in GigaOm. Cloud Foundry, which is a platform as a service that currently runs on VMware, will now also run on Amazon Web Services, she added.
The companies had signaled their intention to form the spin-off in December and said more details would be available in the third quarter. With 18 days left in the quarter, apparently they figured they’d better get on the stick. Darrow said at that time that the effort, which had long been predicted, was the companies’ attempt to better compete in the cloud space.
“Last December, while others in our industry suggested that VMware was shedding its components that weren’t performing to help its bottom line and to keep the company focused on its highly successful virtualization business, we said that that was nonsense — that there was something much bigger at play (especially because EMC’s precious assets Greenplum and Pivotal Labs were involved), that EMC would be spinning off a new company and that its business would be Big Data Apps,” agreed Virginia Backaitis in CMSwire.
Bloomberg also talked about the stock aspects of the move, noting that VMware’s stock has been falling and that Pivotal might eventually have an IPO.
The upshot is that VMware will also be able to focus more on its virtualization business. It said it expects to boost its annual revenue growth as high as 20 percent in coming years, according to Reuters.
It’s not the first time that we’ve learned that our data on a cloud storage system isn’t necessarily private, but it’s a useful reminder.
William Steven Albaugh, 67, was arrested after police found “numerous files of child pornography” on his Verizon online storage locker and several thumb drives, the Baltimore Sun reported. “Detectives began investigating Albaugh after Verizon Online notified the National Center for Missing and Exploited Children that Albaugh, a subscriber, had stored images of children engaged in sexual acts on the online cloud storage system, police said.”
We already learned, in 2011, that cloud storage systems such as Dropbox would turn over files if requested by law enforcement. We also learned that some systems such as Dropbox, when a file is uploaded, check to see if it’s already online, and, if so, just save a pointer to the original copy. While this saves space, it also means that, in theory, law enforcement could upload any number of files it’s illegal to own — such as copies of movies — and if the length stored for the upload is less than the length of the original file, it means someone has it on the system already.
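The deduplication behaviour described above, as an added example (not code from Dropbox or any other provider; `CloudStore`, its `scope` setting and the sample data are constructed for illustration). With deduplication shared across all accounts, the amount of data a client has to send reveals whether anyone already stores the file; scoping deduplication to one account removes that signal at the cost of keeping more copies.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class UploadResult:
    digest: str
    bytes_transferred: int  # what the uploading client can observe
    stored_new_copy: bool   # server-side fact, not shown to the client


class CloudStore:
    """Toy content-addressed store (hypothetical, for illustration only).

    scope="global":  one copy per unique file across ALL accounts.
    scope="account": one copy per unique file WITHIN each account.
    """

    def __init__(self, scope="global"):
        if scope not in ("global", "account"):
            raise ValueError("scope must be 'global' or 'account'")
        self.scope = scope
        self.blobs = {}     # dedup key -> file bytes
        self.pointers = {}  # (account, filename) -> dedup key

    def _key(self, account, digest):
        # The dedup key decides who shares copies with whom.
        return digest if self.scope == "global" else f"{account}:{digest}"

    def upload(self, account, name, data):
        digest = hashlib.sha256(data).hexdigest()
        key = self._key(account, digest)
        known = key in self.blobs
        if not known:
            self.blobs[key] = data          # full upload needed
        self.pointers[(account, name)] = key  # otherwise just a pointer
        sent = 0 if known else len(data)
        return UploadResult(digest, sent, not known)

    def physical_bytes(self):
        return sum(len(b) for b in self.blobs.values())


def existence_leaks(store, probe_account, data):
    """True if an upload from an account that never held `data`
    transfers less than the full file, i.e. the service has disclosed
    that some other account already stores it."""
    result = store.upload(probe_account, "probe.bin", data)
    return result.bytes_transferred < len(data)


def demo():
    # Constructed sample contents, not real files.
    stored = b"constructed sample file contents " * 64
    absent = b"constructed file nobody uploaded " * 64
    report = {}
    for scope in ("global", "account"):
        store = CloudStore(scope)
        store.upload("alice", "report.bin", stored)
        report[scope] = {
            "stored_file_leaks": existence_leaks(store, "observer", stored),
            "absent_file_leaks": existence_leaks(store, "observer2", absent),
            # The owner re-uploading her own file still deduplicates.
            "owner_reupload_bytes":
                store.upload("alice", "copy.bin", stored).bytes_transferred,
            "physical_bytes": store.physical_bytes(),
        }
    return report


if __name__ == "__main__":
    for scope, row in demo().items():
        print(scope, row)
```
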
In the process of that, we learned, if we didn’t know already, that in 2010 New York Attorney General Andrew Cuomo made an agreement with several online services such as Facebook and LiveJournal to check uploaded images for child pornography. “Through its investigations, the Attorney General’s Office has created a database of more than 8,000 hash values that are associated with images of child pornography,” the Attorney General’s office wrote at the time. “The database can be used to identify the corresponding child pornography images through the fingerprints and stop that picture from ending up on a site.” The office also said it would continue working with other online services to encourage them to do the same thing.
Apparently, at least one of them was the Verizon Online Backup and Sharing cloud storage service.
Media outlets have pointed out that this was all clearly spelled out in the terms of service. “Like many types of online storage or media services, Verizon’s Online Backup and Sharing states in its terms of service that the company is ‘required by law to report any facts or circumstances reported to us or that we discover from which it appears there may be a violation of the child pornography laws,’” writes the International Business Times.
Because, of course, we all read every word of our terms of service.
If this sounds familiar, it may be because, as of last July, four out of the five cases concerning whether people have to provide the key to their encrypted storage also have had to do with child pornography, according to the Electronic Frontier Foundation’s attorney Marcia Hofmann.
Look, there isn’t any question that child pornography is bad. But there’s a saying, “Hard cases make bad law” — that is, an unpleasant case can lead to a harsher general law that can end up being more widely applied. (We don’t know whether law enforcement is more likely to push the envelope of legal search because they so badly want to catch child pornographers, or because they think people will be less likely to criticize their methods because the crime is so heinous.)
If it’s determined through these cases that checking people’s files as they are uploaded to a cloud storage service is an acceptable practice, it has the potential to apply to all files and all people, not just ones we don’t like.
In the meantime, it sounds like we’d better be sure to read our terms of service carefully.
The storage industry is exciting. No, really. People are throwing millions of dollars at storage startups, which apparently seem more secure to them than things like Facebook.
“In Silicon Valley, data centers are heating up with startups like Pure Storage and Nimble Storage pulling in massive funding rounds and Michael Dell announcing a storage-focused investment fund,” writes Christina Farr at VentureBeat.
- Nexenta, a software-based storage company, received $24 million this week in its fourth round of financing from new investors Four Rivers Group, Presidio Ventures, and UMC Capital with participation by existing Nexenta investors Menlo Ventures, TransLink Capital, Javelin Ventures, Sierra Ventures, Razor’s Edge Ventures, and West Summit Capital. Its previous round, in January 2012, raised $21 million. In the process, the company also got a new CEO and CMO. It has experienced triple-digit growth for three consecutive years and reportedly has more than 5,000 users.
- Skyera, a flash startup, closed $51.6 million in second round financing led by Dell Ventures a week ago. It was founded in August, 2012.
- Pure Storage, another flash vendor, got $40 million in its fourth round of funding in August, 2012. The latest funding round was led by Mike Volpi at Index Ventures, with participation from Greylock, Redpoint, Sutter Hill, angels from VMware and DataDomain, and others, according to VentureBeat.
- Nimble Storage, a startup that provides data storage, backup, and disaster recovery, closed a $40.7 million second round of funding in September, 2012. First round investors Accel Partners, Sequoia Capital, Lightspeed, and Artis Capital participated, alongside newcomer GGV Capital. It was founded in July, 2010.
Dell’s $60 million fund, run by its investing arm Dell Ventures, was founded in July, 2012 to seed $3-$5 million in five to 10 promising startups, with Dell maintaining an equity position. This was not new to Dell; it was an early investor in VMware and flash memory startup Fusion-io (whose chief scientist is Apple co-founder Steve Wozniak). (Skyera is also setting itself up as a competitor to Fusion-io.) This is on top of Dell itself acquiring more than two dozen storage companies.
“What’s happening in Flash memory is kind of an interesting place to start because if you think about the relationship between servers and storage and how sort of performance occurs and apps are distributed, now what we’re able to do is put large amounts of memory — we’ve actually designed this ourselves into our 12th-generation servers that we’re shipping now,” Dell told Fortune in announcing the fund. “Put several terabytes of memory directly in the server. We acquired a little company that gives us cache coherency across a large number of servers. And so you start to rethink what is a server, what’s storage, what’s the network when you have virtualization and now you have 50 virtual machines, 100 virtual machines, 500 virtual machines in one. So, the storage world is really getting shaken up a tremendous amount.”
A funny thing happened on the way to Backblaze’s automated backup product — it sort of turned into a storage design company.
The company has been known for some time for its storage designs, which, instead of making real real big storage, use a whole whole lot of commodity storage devices hooked together into “pods,” with as much of the extraneous stuff stripped off as possible. This reduces costs and is more scalable than large storage systems that require forklift upgrades to be expandable.
Backblaze has been getting so well known for its storage system that other companies, such as Netflix, have taken to using it as well, and several vendors have started selling storage systems based on the Backblaze designs.
The system has its flaws — such as, if the company has trouble finding commodity disk drives — but in general it works pretty well. (Facebook has also taken to designing its own disk drives, as well as servers, for a similar reason: economies of scale make it more efficient to design its own hardware.)
The system works so well that the fact that Backblaze has designed a new generation of the storage pods it uses has itself made the news, because so many organizations — Vanderbilt University, Crispin Porter + Bogusky, Rensselaer Polytechnic Institute, NASA’s Jet Propulsion Laboratory, and Shutterfly, along with Netflix — have been using the Backblaze designs.
“In the world of high-volume storage, we’ve come to a place similar to the PC market decades ago when it was cheaper to just buy the parts and build your own than it was to buy a pre-assembled computer,” writes GigaOm’s Derrick Harris.
Version 3.0 of the storage pods now has a capacity of up to 180 TB — up from 135 TB, because they’re based on 4 TB, rather than 3 TB, commodity drives. In addition, a number of the other components have also been replaced. The result is a drive that is more reliable, easier to manage — and cheaper than the 135 TB second-generation systems it replaced.
Backblaze also releases the specs of the system — including a parts list, prices and all, right down to the screws, as well as very detailed instructions — to enable other companies to use its designs as well. That is, if they can. “To obtain these prices we do purchase them in quantity,” Backblaze warns.
Disclosure: I am a Backblaze customer.
We’ve all heard how “three moves are equal to one house fire” (a sentiment so old it’s attributed to Ben Franklin’s Poor Richard’s Almanack in 1757). Apparently the modern equivalent is that “three migrations equal one disk crash.”
That’s the finding of a December 2012 survey by Gridstore, which found that, for medium-sized businesses during a major storage upgrade:
- 55% experienced business and end user disruption
- 32% experienced failed upgrade process where migrations didn’t complete
- 9% lost data or access to data during the migration
While there are admittedly problems with the survey methodology (Gridstore surveyed only its own customers, we don’t know how many were asked, we don’t know how many responded, we don’t see a full copy of the survey), one thing seems clear: Migrations are fraught.
And it’s not just the migration itself, but preparing for one. The survey found that businesses preparing for purchasing new storage faced either high business disruption or stopping business for forecasting capacity (almost 40%), slow or complex purchasing cycles (almost 25%), requiring multiple approvals (almost 35%), and complexity or time required to evaluate (almost 30%).
On the other hand, not doing anything wasn’t any better, with respondents reporting that, before an upgrade, they suffered consistent disruptions from limited performance (35%), limited bandwidth (about 15%), limited capacity (about 15%, with another 10% reporting it as a “putting out fires” situation), or reliability (about 25%).
What particularly makes this a problem is that midsized organizations are reportedly doing an awful lot of migrating — 71% of the survey respondents reported that they were adding storage and capacity every 6 to 12 months.
Next time you plan an upgrade, maybe you’d better add a fire extinguisher.
What is storage?
“The privacy group is filing an amicus brief asking the high court to accept an email privacy case from South Carolina that’s exacerbated confusion over what courts consider electronic storage,” writes the political journalism site Politico. “In the filing, submitted on behalf of nearly 20 privacy advocates, EPIC tells the Supreme Court that email privacy rules and definitions have become increasingly unclear, thanks to the rise of cloud computing, and Congress has yet to step in to fill the gap.”
The whole issue of what “storage” is became an issue last fall, when the South Carolina Supreme Court ruled that, under the Stored Communications Act (SCA), email in a Yahoo! account should not be considered protected from unauthorized access because email sitting in the cloud was not “stored” the same way as it would be sitting on one’s own computer — which was protected.
This means that is also true for anyone who uses a cloud-based email system — not just Yahoo, but also Gmail and a plethora of other systems. Not to mention some components of the federal government itself that have moved to cloud-based email, EPIC notes in its brief.
The original case was a domestic dispute — a husband was cheating on his wife, and the wife’s daughter-in-law figured out the husband’s e-mail password and logged in to his personal account to read the e-mails between the husband and his paramour, wrote Orin Kerr in The Volokh Conspiracy legal blog. “The daughter-in-law found the e-mails and shared them. The husband filed suit under several laws including the Stored Communications Act, 18 U.S.C. 2701, which only allows a civil suit if the e-mails accessed were in ‘electronic storage.’”
The Supreme Court may get involved because this decision conflicts with a similar case by the Ninth Circuit Court in 2004, wrote Andrew Hoffman at the Information Law Group blog.
“The Jennings opinion establishes a split with the Ninth Circuit’s opinion in Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004), which found that emails that had been received, read, and left on the server were stored ‘for purposes of backup protection’ and therefore within the ambit of the SCA,” Hoffman wrote.
This is a problem because it’s not good for different courts to have different ideas of what does and doesn’t constitute a legal issue, Hoffman wrote. “Thus, until the split of authority is resolved, the same conduct will disparately subject some individuals to civil liability, depending on the interpretation of the SCA applied by the court. Such disparate interpretations could create an incentive for forum shopping and pose conflict of law questions, when multiple states (and even nations) could be involved in an email hacking case. Such disparate interpretations may also pose problems for employers investigating suspected employee misconduct involving webmail.”
Just to show how confused the South Carolina court was, its judges couldn’t even agree on why the email wasn’t stored, but instead had three different opinions, Kerr wrote.
Aside from the issue of protection, the issue of defining what storage is is important because it is the primary difference between the Stored Communications Act — the law under which the original suit was filed — and the Electronic Communications Privacy Act, according to EPIC.
A related question is “What is a backup?” because some of the legal arguments also hinged on whether the email retrieved from the account was the “only copy” or a backup — a question that is kind of irrelevant in cloud storage, which may feature multiple replicated copies of data, EPIC writes.
“A wealth of personal and private messages are now stored remotely in the cloud, and their protection depends on the interpretation of ‘electronic storage’ under ECPA,” EPIC writes.