If the computers in your workplace crashed today, what would that mean for your organization?
If you have a good recovery plan, the process would be frustrating but manageable.
If you don’t have such a plan, a disaster like that could kill your ability to function and put patients in danger.
The simple fact is that data matters in healthcare, and you need to understand how you can take care of it.
Today, you’re going to learn about data backups and recovery and how they fit into your role as a healthcare service provider.
Losing data is always bad.
Regardless of your industry, or even in a home computer that has nothing to do with work, you never want to lose data.
Working in healthcare raises those stakes for two reasons.
The first is that healthcare data management is carefully regulated.
We’ll cover legal requirements and compliance in the next section, but suffice it to say that data loss can incur fines and other penalties when you work in healthcare.
The other issue applies to health services.
If you lose critical health data, it impacts care, and in the worst cases, it can lead to deadly outcomes for patients.
Outside of worst cases, losing data still hurts.
It can cost your company money in terms of recovery and coping with the loss.
It hurts patient confidence.
At a basic level, it takes focus in the office away from patient care by forcing you to spend more time and energy on technology.
Yet, many providers find legal requirements the most compelling aspect of data integrity.
If you lose patient data, it could make you liable for damages.
It could incur fines, and it could even shut down your business.
Let’s look at the legalities of data requirements in more detail.
If your work is covered by HIPAA, then you take on risks of both civil and criminal penalties.
While HIPAA is deep and complicated to justify multiple discussions, we can simplify the conversation for the moment.
If you know you’re doing something wrong and then get caught, that’s a criminal violation.
If you violate HIPAA in ignorance, then it’s a civil violation.
Civil violations range from $100 to $1.5 million per infraction.
While there are many types of infractions possible, in terms of data loss, HIPAA sets clear rules on minimum data backups.
Each organization must back up patient health data every 24 hours, at least.
Each organization also has to keep a documented backup and recovery plan, and you’re responsible for backup and recovery testing.
If you fail to meet these requirements, you could find yourself in violation and facing fines.
Clearly, you want to find reliable, actionable ways to stay on top of data backups while maintaining compliance.
In order to do that, you need to understand your options.
This little crash course will cover the essentials so you can start looking into informed backup decisions for your organization.
There are many ways to approach backups, but we can group them into a few easy categories.
First, you can choose between digital and physical backups.
HIPAA requires digital backups, and physical copies of healthcare data follow additional regulations.
On top of that, physical copies are cumbersome and hard to use.
That’s why healthcare has mostly phased them out over the last 20 years.
All of that said, some practices do keep carefully chosen physical copies of some of the most critical information that they might need.
As for digital backups, you’re making a digital copy of any information you use in the practice.
That includes patient health information, but it can also include financial records, employee information, business contacts, and a whole lot more.
The point is that you can digitally copy everything that goes through your computer systems.
But, we can divide things further.
Digital backups can be manual or automatic (automatic is the preferred way to maintain HIPAA compliance and reduce risks).
They can also be stored locally or off-site.
It’s worth noting that HIPAA requires every organization to keep backups in a secured, off-site facility, but you can have onsite storage in addition to your offsite resources.
This is where your decisions really tend to focus.
Far and away, the easiest way to meet HIPAA offsite storage requirements is through the use of professional cloud services.
These services use your internet connection to securely back up your data at regular intervals.
If something is lost, you can restore it as long as you can access the internet.
On top of that, the cloud providers take on responsibility for securing data, testing backups, maintaining integrity, and the rest.
Every IT expert in the business will recommend that you include cloud solutions in your backup and recovery plan — especially because you work in healthcare.
Yet, there’s a keyword that you keep reading that merits more attention: internet.
The fatal weakness of cloud backups so that they only help when you have internet access.
In the case of a physical disaster (say a storm knocks out the internet in your area), or a number of other cases, locally stored backups can save the day.
This brings us to the rule of three.
Generally speaking, it’s best to have three copies of everything.
The first copy is the original.
You will have that just by providing healthcare services.
The second copy is your cloud backup.
The third copy is one you make locally and keep onsite.
That third copy can still be automated, but it does represent an additional investment.
On top of paying for cloud services, you will spend money on hardware and software to maintain the local backup.
To summarize, the generic answer to whether you should use cloud or onsite backups is that you should have both.
If you really have to choose between the two, onsite backups do not fulfill all of your HIPAA obligations.
Data recovery revolves around the plan.
Hopefully, you never need it, but if and when the moment comes, a proper plan of action will save you time, stress, and fallout.
At all points, your IT providers should be helping you in crafting your data loss prevention plan, but you need to understand elements of it in order to properly contribute to planning.
Arguably more importantly, you need to understand how the plan works so you can provide better leadership in the event you have to carry it out.
Every recovery plan, whether you are in healthcare or not, breaks down into the same essential components:
Risk assessment is the beginning.
You can’t really craft a plan until you understand what you’re trying to accomplish, and a risk assessment shows you what can go wrong along with how.
You should have a professional risk audit to get started.
After that, you work with your IT to figure out how you are going to back up your data.
You can go back through automation methods, cloud services, local backups, and the options you learned about previously.
Once you know how you will create backups, you need to craft a plan to use them if and when they are needed.
For this, you typically come up with a set of procedures for each of the most common types of data disasters.
You can branch out and create detailed instructions for more than the categories listed below, but they can get you started:
Part of your recovery strategies includes a plan of communication and notification.
HIPAA requires you to inform patients if their information is compromised.
Even if you face a disaster that does not involve HIPAA, it’s important to inform stakeholders when a significant problem arises.
There are two tips that prove invaluable in disaster communication.
Be prompt with communications, and stick to what you know for sure.
This usually requires frequent updates as information emerges, and that’s the safer approach.
You don’t want to exacerbate a disaster by adding trust issues from poor communication, and it’s virtually always better to say that you are still investigating things than it is to make a claim that proves false later.
The last two aspects of your recovery plan focus on testing and maintenance.
Anything involved in backing up and recovery procedures needs regular testing — usually monthly.
The plan itself should be tested annually, usually by running drills.
The good news is that it supplements recovery training for your staff.
This is where outsourcing helps a lot.
Any cloud services are automatically tested by the cloud provider.
Your primary focus is to build a testing plan and set of procedures that cover your responsibilities.
You have seen many HIPAA mentions up to this point, but we’ve focused more on goals and tips for data and backups than specific HIPAA requirements.
Now is the time to get a little deeper into HIPAA itself.
After all, this set of regulations creates the largest separation between healthcare and any other industry — at least as far as backups are concerned.
HIPAA compliance for the backup process is pretty specific.
Basically, it can’t give access to the wrong people.
This means your backups should use direct lines of communication.
It also means you have to control physical access to the backups and lines of communication.
If someone taps into your data lines and steals information, you are responsible.
So, physical security and proper communication lines protect you here.
If you stick with industry standards for your communication (namely WPA3 comparable protection), you will meet HIPAA requirements.
Encryption and security measures are mostly covered in the HIPAA Security Rule.
It covers a whole lot more than backups, so we can zoom in on those specifics right now.
First off, HIPAA requires that all copies of your patient health information be encrypted.
Cloud providers are already good at this, so as long as your service agreement provides adequate encryption, you’re set.
Specifically, any encryption must live up to 128-bit security or better.
Second, HIPAA requires you to control access to the backups themselves.
This means accounts that can access your backups must be password protected.
On top of that, you are professionally responsible for who you give such an account.
If an employee uses their account to improperly access HIPAA-protected data backups, you face the violation.
Here’s the short version.
Ensure that data access is only given as needed.
Each healthcare role has different access needs, and your system has to account for that.
It’s not an insurmountable problem, but it requires diligence to ensure that no one gets inappropriate access.
You’ve covered a lot of ground today.
There isn’t too much left to cover, but we can start to summarize the lessons above with a few easy, actionable tips.
Data management boils down to two things: good IT and consistent practices.
You inevitably put a lot of trust in your IT providers.
If they do a good job, you’re in good hands.
If not, you have many worries on your plate.
Tips to find good IT partners would fill a whole other article, so here’s the core truth.
A good IT partner can explain what they are doing and why, and they should be able to do it in a way that makes sense to you.
It’s the same way people vet healthcare providers.
If your provider cannot communicate with you, you’re unlikely to form a good partnership.
Pair that with a solid credential check, and you’ll be in good shape.
Aside from that, it’s a matter of consistency.
You and your staff have to follow the backup procedures consistently.
Any cut corners will bite you later.
Make it a habit early, and you will be ok.
Here’s the final verdict.
Your IT provider is really a partner in all of this.
Work with them to cultivate options.
They can ensure that whatever you pick is up to the task of protecting you, keeping you functioning, and keeping you within compliance.
Data backup and recovery is a front-loaded problem.
Once your plan and systems are in place, you just have to maintain them, and most of that will fall on your IT staff and service providers.
Have the conversation.
Find your IT partner.
Build a secure future.
For all of that, MainSpring is here to help.
What starts with a simple conversation could lead to a wonderful relationship that protects your organization for the long term.