Obtain a Business Associate Agreement (BAA)
Before using CrashPlan PROe in an environment that requires HIPAA compliance, you must obtain a Business Associate Agreement (BAA) with Code42.
Note that your CrashPlan PROe deployment must use an on-premises master server (as opposed to a master server in Code42's public cloud). Without an on-premises master server, you cannot obtain a BAA with Code42.
Configure CrashPlan for use with HIPAA
After obtaining a BAA with Code42, you must take the following steps to configure CrashPlan PROe for use with HIPAA.
- Use an on-premises master server
- Verify enterprise server version is 22.214.171.124 or later
- Disable web restores
- Limit visibility of backup data
Use an on-premises Master server
Your CrashPlan PROe deployment must use an on-premises master server (as opposed to a master server in Code42's public cloud). This ensures that you directly control the encryption keys for your data.
Verify Enterprise Server version
CrashPlan PROe version 126.96.36.199 or later is required to configure CrashPlan in a HIPAA-supported manner.
- To find the current version of your Code42 environment:
- Sign in to the administration console.
- Select Settings.
- Review the Current server version.
- To upgrade an enterprise server from an earlier version, follow our instructions for Upgrading Your Environment. For assistance with upgrading, please contact sales about engaging Code42's PRO Services team.
Disable web restores
The web restore function of CrashPlan PROe temporarily stores data in an unencrypted state on the store point. To prevent users and administrators from performing web restores, assign them a user role that does not include the CrashPlan PROe web restore permissions: restore, restore.personal, restore.limited, and admin.
Performing a web restore temporarily stores data in an unencrypted state at the app level only. If the store point containing the archive uses full disk encryption, the data created during the web restore process would still be encrypted on the media. However, Code42 will not assume the risk of entering into Business Associate Agreements that depend on the Covered Entity’s policies and procedures for media-level encryption. Therefore, Code42 requires that web restore functionality is disabled in order to use CrashPlan PROe to support HIPAA environments.
Create custom user roles
Follow the steps below to create custom user roles that do not permit web restores:
- Sign in to your administration console
- Go to Settings > Security > Roles
- Select a standard role you will use in your environment (e.g., Desktop User)
- Duplicate the role
- Edit the duplicated role and remove all of the following permissions (as applicable):
- (Recommended) Edit the duplicated role's name to ensure you can easily distinguish between default and custom roles
Repeat the steps above for each role you will use in your environment.
Assign custom user roles
After creating custom user roles that do not have web restore permissions, assign the custom roles to your existing users and administrators.
Do not assign the standard roles to any personnel who have access to information protected under HIPAA. Assign only your custom user roles.
Set custom roles as organization default user roles
Code42 provides the ability for you to use custom roles as the default user roless for new users. As a best practice for HIPAA Covered Entities, Code42 recommends setting the custom roles to be the default roles for your organization. This ensures that new users will be created with the appropriate roles that do not have web restore permissions. If you do not set the custom roles as defaults, you will need to manually select the appropriate custom role each time you add a user.
For more information on the steps presented above, refer to Managing User Roles.
Do not use the default administrator
When you set up your CrashPlan PROe environment, a default administrative user account is created automatically. This default administrator has "superuser" access to your entire environment, including the ability to perform web restores.
Instead of using the default administrator user account, create a new administrator user that has roles appropriate to your policies and procedures for supporting HIPAA. See Create Custom User Roles above for details about creating new roles.
To ensure the default administrator account is not used, you might separate the account's complex password into two halves and store them separately.
Limit visibility of backup data
You must ensure that backup data, which could contain electronic protected health information (ePHI), is not visible to unauthorized users or administrators. Choose one of these options to limit the visibility of your backup data:
- Ensure your administrators are authorized to view ePHI
- Use CrashPlan PROe to restrict access to ePHI
As a best practice, Code42 recommends using unique accounts for all administrators and users. This gives you a greater ability to use your logs and the Code42 API to monitor the behavior of personnel.
Option 1: Ensure your administrators are authorized to view EPHI
If your administrators are authorized to view ePHI, they can be permitted to view your backup data. In order to meet HIPAA guidelines about visibility of ePHI, all of your administrators must be authorized to view ePHI.
This is a consideration for your organization's HIPAA policies, not a CrashPlan PROe configuration.
Option 2: Use CrashPlan PROe to restrict access to EPHI
If any of your administrators are not authorized to view ePHI, you can use CrashPlan PROe's security settings to prevent administrators from viewing backup data by following both requirements below.
Requirement 1: Do not use the SYSADMIN role or admin permission
When creating accounts for your administrators, do not grant them the SYSADMIN role, or any role that contains the admin permission. The admin permission grants users the ability to view backup data and perform web restores, both of which could allow use of CrashPlan PROe in a non-HIPAA supported manner.
Requirement 2: Upgrade your device security
Configure the devices in your Code42 environment to use only 448-bit encryption + password. This prevents administrators from being able to access information in users' backup archives (without knowing the users' passwords).
- Sign in to your administration console
- Go to Settings > Device Backup > Security
- Set the Archive Encryption Key to 448-bit encryption + password
Once you upgrade your security level, you cannot downgrade it. Setting an archive key password prevents administrators from being able to access backup archives, but if the user forgets or loses the archive key password, the backup data cannot be restored. This means there is an increased risk for data loss with this method due to the greater potential for human error. See Securing Your Encryption Key With An Archive Key Password for more details.
For more information on CrashPlan PROe security levels, see Device Security.
Reviewing audit trails
CrashPlan PROe automatically logs user activity. To gather information about CrashPlan activity, you can audit your CrashPlan logs in two main categories:
Audit user role assignment
CrashPlan PROe logs changes to user roles in CrashPlan PROe's history log. You can produce an audit record of the relevant sections of the history log by using a text search tool, such as
grep, to search for the following terms:
modified roleto identify changes to permissions granted to each user role
modified userto identify instances of users being assigned new roles
Example entries in the history log showing changes to role permissions:
I 09/12/14 03:15PM Subject[1/admin, orgId:1] modified role: 105/Desktop User - No Web Restore permissions:LOGIN,LOGIN I 09/12/14 03:15PM Subject[1/admin, orgId:1] modified role: 105/Desktop User - No Web Restore permissions:LOGIN,LOGIN,PERSONAL
Example entries in the history log showing changes to role assignment:
I 09/15/14 03:56PM Subject[1/admin, orgId:1] created user role. user:4/ruby.stark role:Desktop User - No Web Restore permissions I 09/15/14 03:56PM Subject[1/admin, orgId:1] modified user: 4/ruby.stark I 09/15/14 03:56PM Subject[1/admin, orgId:1] deleted user role. user:4/ruby.stark role:Desktop User
You may also use the Code42 API to generate a list of roles and user assignments.
Audit user creation & deactivation
CrashPlan PROe logs user creation, deactivation, and reactivation in the history log. You can produce an audit record of the relevant sections of the history log by using a text search tool, such as
grep, to search for the following terms:
created userto identify instances of user creation
deactivated userto identify instances of user deactivation
activated userto identify instances of user reactivation
Example entries in the history log of user creation:
I 09/15/14 09:40AM Subject[1/admin, orgId:1] created user role. user:4/ruby.stark role:PROe User I 09/15/14 09:40AM Subject[1/admin, orgId:1] created user role. user:4/ruby.stark role:Desktop User
Example entry in the history log of user deactivation:
I 09/15/14 09:41AM Subject[1/admin, orgId:1] deactivated user: 4/ruby.stark
Example entry in the history log of user reactivation:
I 09/15/14 09:43AM Subject[1/admin, orgId:1] activated user:4/ruby.stark
You may also use the Code42 API to monitor user creation, deactivation, and reactivation. If you need assistance monitoring CrashPlan with the Code42 API, contact sales about engaging Code42's PRO Services team.
If you have questions or need additional assistance configuring CrashPlan PROe for use with HIPAA, please contact sales about engaging Code42's PRO Services team.