Medical Practice Backups – Secure Your Most Valuable Asset

A backup system isn’t the sexiest part of IT, and for most people it’s pretty boring. We plug them in, let them run and forget about them. But medical practice backups are especially important, because HIPAA regulations state that patient data must be protected and maintained. If your server crashed and you lost all of the patient data, it would not have been maintained. In addition, ransomware can encrypt all of your data and demand payment in return for giving access back to you. Backups are your primary defense against attackers, computer crashes, and even robberies. Read on to learn how to protect your data and your practice.

What needs to be backed up?

Your most important data is your patient records. For some practices, this resides on servers in the office. This data includes patient demographics, medical histories, billing information, and much more. It should be kept secure, with multiple copies retained on backup systems.

Some practices may be using a cloud-based EMR, with their patient data stored online. The EMR vendor should be maintaining backups of this data. However, if you are using a cloud-based EMR, it is important that you contact the vendor to find out about their backup policy. In 2018, Allscripts was infected with ransomware and many customers were offline for extended periods, so much so that several practices filed a lawsuit against Allscripts.

Regardless of where your EMR data resides, every practice has other data that needs to be safely backed up. Examples include documents, email files, scanned images, scanned documents, and other files that you may use in the day-to-day operation of your business. A good rule of thumb is to look at your computer

What makes medical practice backups different from others?

While other types of businesses are also bound by compliance standards, medical practices are bound by HIPAA. HIPAA requires that all Covered Entities and Business Associates protect and secure all forms of PHI. It also requires that data be kept Confidential, retain its Integrity, and remain Available. This is known as the CIA Triad: Confidentiality, Integrity, Availability. Medical practice backups help to address all three of these items:

  1. Confidentiality: the backup copies themselves are encrypted properly, so a lost or stolen drive does not expose PHI
  2. Integrity: if data is lost or becomes corrupted, it can be restored from the backup
  3. Availability: in the event of a crash, ransomware, etc., the data can quickly be restored

Backups help protect medical practices from many different potential problems if they are maintained and tested regularly.

How often do you test your backups?

Backups are easy to set up and then forget. Because of this, many sites don’t find out that a problem has developed until they need their backups. This is why it is a very good idea to regularly test and monitor your backups. Is someone monitoring the progress of your backup system? Do you get alerts or emails if a backup fails or has issues backing up certain files? Backup systems are now far too important to simply plug in and forget until you need them. They must be monitored and tested, or they may just be giving you a false sense of security. As a best practice, twice per year have your IT service do a full restore of your data to make sure that what is being backed up is actually usable.
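One concrete way to turn “is what’s backing up actually usable?” into a repeatable check is to record a SHA-256 manifest of the source data at backup time and compare each copy (the external drive, the cloud copy, or a test restore) against it. The script below is an added example, not code from the original article or from any backup vendor; the folder names, the sample files and the two backup copies are all constructed in a temporary directory so it runs offline. It reports files that are missing from a copy (a job that silently skipped files) and files whose contents differ (corruption or tampering), which are exactly the conditions you would want an alert for.

```python
"""Backup manifest and restore verification (added example, constructed data)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large scans don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative path) under root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_copy(manifest: dict, copy_root: Path) -> dict:
    """Compare a backup copy or a restored tree against the manifest taken at backup time.

    Returns the files missing from the copy, the files whose contents changed, and
    any files present in the copy that were never in the source.
    """
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        candidate = copy_root / rel
        if not candidate.is_file():
            missing.append(rel)
        elif sha256_file(candidate) != digest:
            corrupted.append(rel)
    extra = [rel for rel in build_manifest(copy_root) if rel not in manifest]
    return {"missing": missing, "corrupted": corrupted, "extra": extra}


def demo() -> dict:
    """Constructed scenario: one source tree, one good copy and one damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "practice_data"            # hypothetical source folder
        (src / "scans").mkdir(parents=True)
        # Constructed sample files; no real patient data.
        (src / "billing.csv").write_text("patient_id,amount\n1001,125.00\n")
        (src / "scans" / "intake_form.txt").write_text("constructed scan placeholder\n")

        # Taken at backup time and stored alongside the backups.
        manifest = build_manifest(src)
        (tmp / "manifest.json").write_text(json.dumps(manifest, indent=2))

        good = tmp / "external_drive"          # copy that completed cleanly
        shutil.copytree(src, good)

        bad = tmp / "cloud_copy"               # copy with two silent problems
        shutil.copytree(src, bad)
        (bad / "billing.csv").write_text("patient_id,amount\n1001,0.00\n")  # content changed
        (bad / "scans" / "intake_form.txt").unlink()                        # file skipped

        return {"good": verify_copy(manifest, good), "bad": verify_copy(manifest, bad)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is written once per backup run and kept with each copy; running `verify_copy` against a scratch restore on a schedule, and alerting when `missing` or `corrupted` is non-empty, is the automated counterpart of the twice-yearly full restore recommended above. Note that it checks integrity and completeness, not confidentiality, so it complements encryption of the copies rather than replacing it.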

What is a good system for medical practice backups?

To address smart ways of handling backups, we first need to address what could go wrong that would require a backup to be used. Examples include:

  • Office robbery: all of your computers, including your server are stolen
  • Server or workstation crash: hard drive crashes taking the data with it
  • Ransomware: all of your data is encrypted and held for ransom unless you pay the demanded fee
  • Employee mistake: employees can delete files or information
  • Natural disaster: similar to a robbery, you lose all of the computers in your practice (hurricanes, floods, tornados)
  • Malicious attack: whether it’s from an outside source like a hacker, or from an angry former employee, data can be destroyed or damaged

With these in mind, we need to create a system that will address each of them and protect your practice. For this, I recommend the 3-2-1 system.

There are other systems we can add to the 3-2-1 system, such as imaging and BDR (backup and disaster recovery) systems that allow for near-instant recovery of a system. But in the end, everything will revolve around the 3-2-1 system.

3-2-1 System

This system works as follows:

  • 3 copies of your data (at least)
  • 2 separate types of devices for your data to be stored on
  • 1 copy of the data is always offsite

Your first copy of your data is the actual data you are using daily on your computer. This is stored on the computer’s internal hard drives. The second copy should be stored on a different type of medium, such as an external hard drive, a cloud backup system, or tapes. This spreads the risk of failure across multiple devices and ensures you always have a good copy of your data. Finally, one copy should be offsite. This can be done by rotating external hard drives, where one is taken offsite periodically, or by using a cloud-based backup service. For rotated external drives, the key question is how many days of data you could afford to lose if you had to restore from that drive. For example, if you only rotate drives once per week, then when you need to restore, you will be restoring from data that could be as much as one week old. Rotate as often as needed to keep the data you need.

Cloud services

For cloud backup services, be sure to get a Business Associate Agreement from the vendor. Since they will have access to your data, this is a HIPAA requirement.

One final note on cloud backup services. Before engaging with a specific firm, ask what their restore policy is. In the event you need to restore from your cloud-based data, it could take a considerable amount of time to download. If it is EMR data, it could be many hundreds of gigabytes. This could take days to download and get your practice operational again. Some vendors will overnight-ship you a copy of your data, either included with your monthly fee or as an additional charge.

Our data is what drives our businesses today. This is especially true for medical practices. Backups are incredibly important and a necessary component of your planning. Following these steps will ensure that your data is secure and there when you need it.