Skip to main content
Code42 Support

Configure Code42 for use with HIPAA

Available in:

  • CrashPlan PRO
    • Standard
    • Premium
    • Enterprise
Applies to:

Overview

Code42 for Enterprise can be configured to support compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). We recommend using the Compliance Settings feature, which automatically configures the settings to support compliance. However, some customers will need to configure the settings manually, as explained in this article. If you need help deciding between automatic or manual configuration, see CrashPlan And HIPAA Compliance.

Obtain a Business Associate Agreement (BAA)

Before your Code42 environment can be seen as supporting HIPAA compliance, you must obtain a Business Associate Agreement (BAA) with Code42.

Note that if you configure the settings manually, your Code42 for Enterprise deployment must use an on-premises authority server. If you configure the settings manually without an on-premises authority server, you cannot obtain a BAA with Code42.

Configure Code42 for Enterprise for use with HIPAA

After obtaining a BAA with Code42, you must do the following to manually configure Code42 for Enterprise for use with HIPAA.

Use an on-premises Authority server

If you manually configure the settings, your Code42 for Enterprise deployment must use an on-premises authority server (as opposed to an authority server in Code42's public cloud). This ensures that you directly control the encryption keys for your data.

Disable web restores

The web restore function of Code42 for Enterprise temporarily stores data in an unencrypted state on the store point. To prevent users and administrators from performing web restores, assign them a user role that does not include the Code42 for Enterprise web restore permissions: restore, restore.personal, restore.limited, and admin.

Web restore encryption considerations
Performing a web restore temporarily stores data in an unencrypted state at the app level only. If the store point containing the archive uses full disk encryption, the data created during the web restore process would still be encrypted on the media. However, Code42 will not assume the risk of entering into Business Associate Agreements that depend on the Covered Entity’s policies and procedures for media-level encryption. Therefore, Code42 requires that web restore functionality is disabled in order to use Code42 for Enterprise to support HIPAA environments.

Create custom user roles

Follow the steps below to create custom user roles that do not permit web restores:

  1. Sign in to the administration console.
  2. Go to Settings > Security > Roles.
  3. Select a standard role you will use in your environment (for example, Desktop User).
  4. Select Duplicate this role Duplicate role icon.
  5. Select the newly duplicated role (for example, Desktop User COPY).
  6. Select Edit this role Edit role icon.
  7. Deselect all of the following permissions (if selected). Removing these permissions prevents users with this role from being able to perform web restores.
    • admin
    • restore
      Note that cpd.restore is a separate permission that must remain selected to allow users to perform restores from the Code42 app.
    • restore.personal
    • restore.limited
  8. (Recommended) Edit the duplicated role's name to ensure you can easily distinguish between default and custom roles.
  9. Click Save.

Repeat the steps above for each role you will use in your Code42 environment.

Assign custom user roles

After creating custom user roles that do not have web restore permissions, assign the custom roles to your existing users and administrators.

Assign only custom roles
Do not assign the standard roles to any personnel who have access to information protected under HIPAA. Assign only your custom user roles.

Set custom roles as organization default user roles

As a best practice for manual configurations, Code42 recommends setting the custom roles to be the default roles for your organization. This ensures that new users will be created with the appropriate roles that do not have web restore permissions. If you do not set the custom roles as defaults, you will need to manually select the appropriate custom role each time you add a user.

For more information on the steps presented above, see Managing User Roles.

Do not use the default administrator

When you set up your Code42 environment, a default administrative user account is created automatically. This default administrator has "superuser" access to your entire environment, including the ability to perform web restores.

Instead of using the default administrator user account, create a new administrator user that has roles appropriate to your policies and procedures for supporting HIPAA. See Create Custom User Roles above for details about creating new roles.

To ensure the default administrator account is not used, you might separate the account's complex password into two halves and store them separately.

Limit visibility of backup data

You must ensure that backup data, which could contain electronic protected health information (ePHI), is not visible to unauthorized users or administrators. Choose one of these options to limit the visibility of your backup data:

Use unique accounts
As a best practice, Code42 recommends using unique accounts for all administrators and users. This gives you a greater ability to use your logs and the Code42 API to monitor the behavior of personnel.

Option 1: Ensure your administrators are authorized to view EPHI

If your administrators are authorized to view ePHI, they can be permitted to view your backup data. In order to meet HIPAA guidelines about visibility of ePHI, all of your administrators must be authorized to view ePHI.

This is a consideration for your HIPAA policies, not a Code42 for Enterprise configuration.

Option 2: Use Code42 for Enterprise to restrict access to EPHI

If any of your administrators are not authorized to view ePHI, you must configure Code42 for Enterprise's settings to prevent unauthorized administrators from viewing backup data by following all of the requirements below.

Requirement 1: Do not use the SYSADMIN role or admin permission

When creating accounts for your administrators, do not grant them the SYSADMIN role, or any role that contains the admin permission. The admin permission grants users the ability to view backup data and perform web restores, both of which could allow use of Code42 for Enterprise in a non-HIPAA supported manner.

For more information on permissions, see Managing User Roles and Best Practices For Custom Roles And Permissions.

Requirement 2: Upgrade your device security

Configure the devices in your Code42 environment to use only Archive key password. This prevents administrators from being able to access information in users' backup archives (without knowing the users' passwords).

  1. Sign in to the administration console.
  2. Navigate to Organizations.
  3. Click the name of the organization.
  4. From the action menu, select Device Backup Defaults.
  5. Click Security.
  6. Set the Archive Encryption Key to Archive key password.
Upgraded security level considerations
Once you upgrade your security level, you cannot downgrade it. Setting an archive key password prevents administrators from being able to access backup archives, but if the user forgets or loses the archive key password, the backup data cannot be restored. This means there is an increased risk for data loss with this method due to the greater potential for human error. See Securing Your Encryption Key With An Archive Key Password for more details.

You may upgrade device security for your Code42 environment to apply these settings for all organizations.

For more information on Code42 for Enterprise security levels, see Device Backup Security.

Requirement 3: Do not use indexing

File search allows authorized roles to search a user’s backed-up files based on file name, file content, and file metadata to help determine and mitigate risks associated with sensitive information. These file names, contents, and metadata are stored in a plain-text index on your Code42 server. Ensure organizations subject to HIPAA compliance do not use indexing to search archives.

  1. Navigate to Organizations.
  2. Click the name of the organization.
  3. From the action menu, select Edit.
  4. Click Indexing.
    Disabling indexing for an organization
  5. Inherit settings from parent must be unchecked.
  6. Index all archives in this organization must be unchecked.
Disabled inheritance
If you disable inheritance for an organization, that organization is not affected by changes to its parent organization.
Requirement 4: Do not use endpoint monitoring for specific organizations

Endpoint monitoring uses the Code42 app to detect security events on devices in real time, helping you identify potential data leaks or security problems. When security events are detected, the Code42 service records metadata about the files involved, including file name and the full file path as part of the event data. To ensure that administrators cannot access raw information about security events, which include ePHI, do not use endpoint monitoring for organizations subject to HIPAA compliance.

Review audit trails

Code42 for Enterprise automatically logs user activity. To gather information about the activity, you can audit your Code42 app logs in two main categories:

Audit user role assignment

Code42 for Enterprise logs changes to user roles in the history log. You can produce an audit record of the relevant sections of the history log by using a text search tool, such as grep, to search for the following terms:

  • modified role to identify changes to permissions granted to each user role
  • modified user to identify instances of users being assigned new roles

Example entries in the history log showing changes to role permissions:

I 09/12/14 03:15PM Subject[1/admin, orgId:1] modified role: 105/Desktop User - No Web Restore permissions:LOGIN,LOGIN
I 09/12/14 03:15PM Subject[1/admin, orgId:1] modified role: 105/Desktop User - No Web Restore permissions:LOGIN,LOGIN,PERSONAL

Example entries in the history log showing changes to role assignment:

I 09/15/14 03:56PM Subject[1/admin, orgId:1] created user role. user:4/ruby.stark role:Desktop User - No Web Restore permissions
I 09/15/14 03:56PM Subject[1/admin, orgId:1] modified user: 4/ruby.stark
I 09/15/14 03:56PM Subject[1/admin, orgId:1] deleted user role. user:4/ruby.stark role:Desktop User

You may also use the Code42 API to generate a list of roles and user assignments.

Audit user creation and deactivation

Code42 for Enterprise logs user creation, deactivation, and reactivation in the history log. You can produce an audit record of the relevant sections of the history log by using a text search tool, such as grep, to search for the following terms:

Example entries in the history log of user creation:

I 09/15/14 09:40AM Subject[1/admin, orgId:1] created user role. user:4/ruby.stark role:PROe User
I 09/15/14 09:40AM Subject[1/admin, orgId:1] created user role. user:4/ruby.stark role:Desktop User

Example entry in the history log of user deactivation:

I 09/15/14 09:41AM Subject[1/admin, orgId:1] deactivated user: 4/ruby.stark

Example entry in the history log of user reactivation:

I 09/15/14 09:43AM Subject[1/admin, orgId:1] activated user:4/ruby.stark

You may also use the Code42 API to monitor user creation, deactivation, and reactivation. If you need assistance monitoring activity with the Code42 API, contact sales about engaging Code42's PRO Services team.

Additional assistance

If you have questions or need additional assistance manually configuring Code42 for Enterprise for use with HIPAA, please contact sales about engaging Code42's PRO Services team.

External resources

For a detailed explanation of HIPAA requirements, please reference the following resources from the U.S. Department of Health & Human Services:

  • Was this article helpful?