Feature

Regulations Squeeze Storage


This article can also be found in the Premium Editorial Download "Storage magazine: Email storage lessons learned from Citigroup."


What to retain?
Working with the relevant lines of business, a storage manager should be involved in the classification of data to help set priorities for compliance. For some organizations, the most expedient choices seem to be saving everything or not saving anything at all. "Deleting everything is not appropriate, primarily because it can expose the organization to even more risk," says Peter Gerr, an analyst with the Enterprise Storage Group, Milford, MA. But saving everything--touted by some as the surest way to ensure compliance--can be just as risky.

Retaining all company records will require a significant investment in additional storage capacity, along with the ongoing costs of managing and maintaining that storage. "It's not practical or cost-effective to keep everything," says Gerr. Saving everything can also hamper compliance by making it more difficult to produce information in a timely manner when requested by a regulatory agency. There's also the very real danger of saving too much information--information that may be used to your company's detriment during legal or regulatory proceedings.

Some storage managers may think that they've covered the compliance bases because they have an effective backup system in place. But backup doesn't necessarily equate with data retention for compliance purposes. "Backup is for recovering from failures of one kind or another. Archiving serves a different purpose and has different objectives and performance criteria," says Contoural's Casey. Relying on backups for compliance may make it difficult--or even impossible--to find and produce the requested information in a timely manner.

Lars Linden, a principal at State Street Global Advisors in Boston, MA, an institutional investment firm managing more than $1.2 trillion, is equally dubious about relying on backups. "You'd better darn well be extremely well-funded both in terms of time and dollars," says Linden, because of the effort required to rebuild records from the backup data.

Tape endures, disk gains for retention storage

While tape will continue to be the most favored media for compliance data retention, a survey by the Enterprise Storage Group indicates that the use of disk systems for retention will grow at an even faster rate.
Source: Enterprise Storage Group, May 2003

To be sure, determining storage requirements and procedures for regulatory compliance is a group effort. "It really does require a close working relationship with the clinical units," says Daniel Morreale, CIO of the North Bronx Healthcare Network in New York City, describing his formula for success when dealing with HIPAA requirements. Morreale advises that IT take an active role and ask questions such as: "What [data] are you collecting; why are you collecting it; how will you need to see it now; and what do you anticipate your needs with this data are going to be down the road?"

Developing a written policy for all involved parties to sign off on is a critical step. In some cases, putting together a compliance plan might require interpreting dozens of regulations. For multinational companies, this task can be daunting. Lois Hughes, senior manager of business application systems at Tektronix, says her team had to understand the requirements of the dozens of countries where they do business to put together their retention system. "We have a central retention document that is maintained current for all 27 countries where we do business," says Hughes.

But even without the special demands imposed by a global business model, creating a policy can be taxing. Although his organization primarily heeds only state regulations, David Taylor, CIO of the Florida Department of Health in Tallahassee, FL, says, "The most difficult thing in the project was developing policy, and getting all the people and partners to agree on the policy, rather than the technical implementation." As with most organizations faced with compliance issues, the Department of Health formed a working group: "We pulled together the legal staff, the HIPAA compliance staff, the security and privacy staff, as well as folks that were administering the system," says Taylor.

While preparing for compliance can be an arduous process, it can be regarded as an opportunity to finally get a handle on storage and data management. "Compliance shouldn't be seen as a corporate tax, but really as an opportunity--a strategic investment, actually," says ESG's Gerr, noting that an effective compliance effort also "helps organizations both improve their ability to manage and protect valuable information."

"First of all, it's good business," says John Halamka, CIO of Harvard Medical School and six affiliated hospitals, in describing his organization's HIPAA compliance efforts and the related benefits they discovered. "The timing was right--we could both achieve what we thought was essential for our users and meet what we imposed on ourselves as HIPAA reliability standards."

This was first published in July 2004
