By William Palisano, Owner of Lincoln Archives, (Bill@lincolnarchives.com, 716-871-7040, ext 105)
Among other requirements, per “45 CFR 164.308 – Administrative Safeguards”, covered entities MUST perform: (1) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. (2) Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. (3) Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. (4) Establish (and implement as needed) procedures to restore any loss of data. (5) Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. (6) Implement procedures for periodic testing and revision of contingency plans. (7) Perform a periodic technical and nontechnical evaluation.
So, for basic compliance under HIPAA, you have to have a backup & recovery plan, and you must test it, document it, and revise it periodically. Aside from the law, it’s just good business practice, because as you know ‘stuff happens’. I’ve worked with medical practices for 21 years and have seen a lot of different ways it’s been done. Some I do NOT recommend:
(1) Assuming RAID technology is the same as backing up your information. RAID is a system of storing the same data in different places on multiple hard drives within a server or disk storage array. If a hard drive goes down, the system can re-build it exactly, so none of that drive’s data is lost. (Also, re-building a drive can be extremely time consuming.) This is a very good technology for hardware failure. But it is NOT the same as backup. (2) Someone (or software, automatically) copying files to an external hard drive that then stays right next to the server or primary storage device (it needs to be in a different location). (3) Or, the same scenario, but someone takes the drive home, to a safe deposit box, etc., and the data WAS NOT ENCRYPTED before being written and leaving the office: A BIG No-No. Any time data leaves the primary server or storage repository and leaves the protection of the facility, its security, its firewalls, etc., it must be encrypted. Period.
Other scenarios work, are fairly inexpensive and simple, and are low touch. (1) You can buy an external tape drive, automatic backup software, and tapes for a few hundred dollars (tapes cost less than external hard drives, so multiple generations of backups will cost less than buying multiple external hard drives). If you go this route: MAKE SURE YOUR SOFTWARE ENCRYPTS YOUR DATA before it is written. Also, keep a minimum of five (5) full backups (four of them off-site, one in the tape drive) and ROTATE. (2) A better strategy adds weekly, monthly and annual backups. Repeat: encrypt, then get the backups off-site. Bank vaults/safe deposit boxes are “OK”, but try to get tapes out after hours: not likely. There are companies that are very good at providing backup tape rotation and storage services, and some scenarios can be very cost effective (Google: “backup tape vaulting Buffalo”).
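The rotation the two strategies above describe can be written down as a retention policy, so that the tapes kept and the tapes free for reuse are decided by rule rather than by memory. This is an added example, not code from the article: it keeps the five newest full backups plus the newest backup of each recent week, month and year, and the 4-weekly / 12-monthly / every-annual counts are this example’s own assumptions, not figures from the article. Encryption before writing and the restore test remain separate steps that this example does not perform.

```python
from collections import defaultdict
from datetime import date, timedelta

TIERS = ("daily", "weekly", "monthly", "annual")
# Assumed retention counts: the article asks for at least five full backups plus
# weekly/monthly/annual generations; 4 weeklies, 12 monthlies and every annual
# are this example's own choices, not figures from the article.
KEEP = {"daily": 5, "weekly": 4, "monthly": 12, "annual": None}
PERIOD_KEY = {  # how each tier groups backup dates into periods
    "daily": lambda d: d.toordinal(),
    "weekly": lambda d: tuple(d.isocalendar()[:2]),  # (ISO year, ISO week)
    "monthly": lambda d: (d.year, d.month),
    "annual": lambda d: d.year,
}

def representatives(backups, tier):
    """Newest full backup inside each period of the tier, newest first."""
    newest = {}
    for d in backups:
        key = PERIOD_KEY[tier](d)
        if key not in newest or d > newest[key]:
            newest[key] = d
    return sorted(newest.values(), reverse=True)

def retention_plan(backups):
    """Split completed full backups into those to keep (with the tiers that
    justify keeping them) and those whose tapes may be rotated back into use."""
    kept = defaultdict(list)
    for tier in TIERS:
        reps = representatives(backups, tier)
        limit = KEEP[tier]
        for d in reps if limit is None else reps[:limit]:
            kept[d].append(tier)
    expired = sorted(d for d in backups if d not in kept)
    return dict(kept), expired

def location(d, kept):
    """Only the most recent kept copy stays in the drive; all others go off-site."""
    return "in drive" if d == max(kept) else "off-site"

def daily_series(first, last):
    """Constructed sample input: one full backup every day between two ISO dates."""
    start, end = date.fromisoformat(first), date.fromisoformat(last)
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]

if __name__ == "__main__":
    kept, expired = retention_plan(daily_series("2023-01-01", "2024-03-15"))
    for d in sorted(kept, reverse=True):
        print(d, ",".join(kept[d]), location(d, kept))
    print(len(expired), "tapes free for rotation")
```

Running it on the constructed daily series keeps 19 tapes (five dailies, the last three earlier week-ends, and eleven month-ends back to April 2023) and frees the remaining 421 for rotation.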
And then, there’s ‘the cloud’. There are plenty of local providers (Google: “cloud backup buffalo, ny”). These scenarios can be fully automatic, low touch, highly secure and cost effective. Some require only software to be installed (no hardware necessary), which encrypts and then streams data off-site to the provider’s secured vault for true Disaster Recovery protection. Some use a backup appliance (pre-configured, doing all the work) attached to your network. These systems can be quickly deployed, installed, configured, and up and running. If the provider is good, he/she will assist in creating a backup and recovery strategy (selecting critical data to protect, how many generations of each file, scheduling the backups, creating a retention program), and he/she will test the backups (and, more importantly, test the restores). He/she can also document the tests (which meets the HIPAA requirement). Another benefit is that these solutions are typically scalable (as your data needs grow, the solution accommodates them; primarily non-appliance solutions). Many charge only based on the amount of data protected or stored. Hence, there is no up-front cost (Cap-Ex), rather a pay-as-you-go model (Op-Ex). You can change your strategy on the fly; increase or decrease your protection (and costs). Very flexible.
Btw: if your data is hosted somewhere else, it doesn’t mean it’s backed up to another off-site location. It’s just not at YOUR site and is still subject to risk. You need to ask your provider that question – it is critical (even Amazon, Google and Yahoo go down, lose data and have to restore from backups). A good cloud backup provider can actually back up your data from your hosted site (and restore it to an alternative site), just in case… So, regardless of which way you protect your data, just make sure you do. Test it, and document it. An ounce of prevention…