[Miniryu]

Does anyone know if there have been any reported privacy concerns with using Mavericks and iCloud? I work in the mental health field, and my company in the past has avoided using Google Drive because they can't guarantee HIPPA compliance.

I haven't updated OS X since Snow Leopard, but I am once again interested (with the price of Mavericks and all ). From what I understand, Lion and up keeps backup copies of documents, even if they have been deleted. This sounds like a privacy risk to me, and when dealing with patient's confidential information I want to be extra careful (We are not even allowed to send client information over email and through text message because the information sits on other people's servers).

Thanks in advance for anyone who can help me out.

[OreoCookie]

Originally Posted by Miniryu 

Does anyone know if there have been any reported privacy concerns with using Mavericks and iCloud? I work in the mental health field, and my company in the past has avoided using Google Drive because they can't guarantee HIPPA compliance.

I haven't updated OS X since Snow Leopard, but I am once again interested (with the price of Mavericks and all ). From what I understand, Lion and up keeps backup copies of documents, even if they have been deleted. This sounds like a privacy risk to me, and when dealing with patient's confidential information I want to be extra careful (We are not even allowed to send client information over email and through text message because the information sits on other people's servers).

There are a few options for you to maintain backups.
(1) External hard drives require the same care as (paper) files: you need to lock them securely, but you definitely, definitely should keep backups -- preferably 2.
(2) Some internet backup services (e. g. Crashplan or Carbonite) offer HIPAA-compliant options, and I can highly recommend these »fire and forget« solutions. I personally use Crashplan.
(3) There are software solutions which encrypt everything on your machine, for instance you can use a Software such as xTwin and Amazon S3 on the back end. This way, only encrypted data lies on the Amazon servers. However, I don't know whether this solution is certified.
(4) Purchase a Transporter: this is not a backup solution, but just a solution that allows you to sync and access data everywhere. Basically, it's a private Dropbox, but the hard drive(s) stay fully under your control. If you want to stop access to the data, you just pull the plugs to your transporters. All the file transfers are encrypted, and it works rather transparently. I have recently bought one and it's more than fast enough for smaller files or things like videos.

[Miniryu]

Awesome! Thanks for the tips- particularly the Crashplan and Carbonite recommendations!

[ghporter]

For portability, I use a Lok-It USB drive. The device is hardware encrypted, and isn't even recognized as a USB device at all unless it's been unlocked.

For general purpose security of patient data, look at the whole-disk encryption products. My medical school requires ALL computers, whether they're "supposed to be" used with patient data or not, to be set up with whole-disk encryption, and that's a great idea; too many opportunities for a computer to go missing, along with 15,000 patient records...

Your first concern should be HIPAA security of live data on your computer, with back up and archiving being a distant second. Losing control of a patient record can get you fined and even jailed, while simply "losing" a record you can't recover is merely a pain. If you can find a back up strategy that does both, you're set.

[OreoCookie]

Glenn raises an excellent point: perhaps you should activate FileFault, that's the name of Apple's disk encryption which is included (for free) in the OS. If you google it and find horror stories, those almost surely pertain to the old version which created an encrypted disk image. The new version of FileVault which has been included since 10.7 uses a modern design and doesn't come with the caveats.

[P]

Originally Posted by OreoCookie 

Glenn raises an excellent point: perhaps you should activate FileFault

Freudian slip?

[OreoCookie]

Hahaha, good catch.

[Miniryu]

Originally Posted by ghporter 

Your first concern should be HIPAA security of live data on your computer, with back up and archiving being a distant second. Losing control of a patient record can get you fined and even jailed, while simply "losing" a record you can't recover is merely a pain. If you can find a back up strategy that does both, you're set.

Maybe I wasn't clear. My concern wasn't with localized data, it was over Apple's move to sync and back up everything over the cloud. I just wanted to make sure that a record of client files weren't being backed-up and stored in iCloud somewhere (the way that photos and music are).

[Spheric Harlot]

Photos and music aren't, unless this is expressly enabled.

[subego]

Another vote for CrashPlan. I've found it far superior to Carbonite. Backup of network volumes is included, and they let you cancel long-term contracts without penalty. At least, they used to. It's been awhile since I've needed to nuke an account, so it may have changed.

They have the external appearance (which is all you can really judge without using audited, open-source software) of doing proper security. If you use the highest level of security they require you to get through multiple dialogs warning you are totally SOL if you lose your encryption key. IOW, they claim not to have a copy.

The one downside to CrashPlan is it needs Java.

[ghporter]

So your real question is whether or not specific data is backed up in the cloud, and/or how you might control that, is that right? If that's it, then you can simply go into your iCloud settings in System Preferences and disable iCloud Sync of Documents and Data. These settings are available on all devices that can connect to iCloud, so you can also set your iPad and iPhone to keep you local data local.

[iMOTOR]

Apple also has a MDM feature built in to OSX server that you could enroll iOS and Mac devices in and centrally prohibit staff from accidentally or deliberately using iCloud.