Hurricanes Michael and Florence Remind Us Why We Need a Data Backup Plan
By Marty Puranik
Marty Puranik is president and CEO of Atlantic.Net of Orlando, FL.
The immense flooding of Hurricanes Michael and Florence across the Florida Panhandle and southeastern areas of the Carolinas, respectively, is yet another business reminder of the omnipotent power of natural disasters. The devastating chaos and aftermath of the massive storms bring into sharper focus a humbling affirmation of the critical need to safeguard health data.
The data backup plan is a mandatory stage of HIPAA compliance requiring healthcare organizations to create, implement, and maintain a set of rules and procedures to follow when managing the backup and restore requirements of electronic protected health information (ePHI).
The data backup plan encompasses wider contingency planning processes that include your chosen business associate (BA) or managed service provider (MSP). The company engaged to manage your plan, whether remotely or on-site, must demonstrate a compliant backup service capable of backing up and restoring exact copies of ePHI.
In choosing a backup service for business continuity and HIPAA compliance, it is critically important to understand the HIPAA Security Rule requirements. This rule demands a backup solution that adheres to the following criteria:
- Use of data encryption. Backup data is expected to be encrypted at rest and in transmission. This encryption is achievable using storage hardware or operating system-level encryption techniques.
- User authentication safeguards. Unique multi-factor password protection can be applied using Active Directory and a token-based security key such as PKI.
- Role-based access rules. User access is restricted on a need-to-know basis, following a least-privilege design. These measures help prevent access to backup data by unauthorized personnel.
- Offsite storage capabilities. Backups must be stored in a location separate from production services.
- Secure data center facilities. This measure applies to the facility security processes such as SSAE 16 SOC1 and SOC2 standards.
- Detailed monitoring and reporting functions. Backups must be reported upon and alerts generated in the event of failure.
Moreover, leaving any best-laid plan involving patient data to chance opens the door to security risks. Proactively test your data backup plan to ensure the MSP’s systems work harmoniously in any unexpected situation. Testing procedures can include:
- File-level restore. A file-level restore involves one or several files restored to the file system. The restore can target the original server or a different location.
- VM-level restore. If the MSP deploys virtualization technology, a full virtual machine restore can be performed. The server then can be tested for functionality.
- Application-level restore. A common application restore is a database from inside a Microsoft SQL Server instance or a mailbox from Microsoft Exchange. This test guarantees data integrity and verifies that correct permissions and security configuration are recovered.
I often recommend that providers delegate the backup and restore responsibilities to a compliant cloud or backup-as-a-service (BaaS) offering. The MSP determines the type of backup media to use, which is usually disk-based storage. Once successful backups are achieved, the next step is a test restore to validate the data’s integrity. The testing also confirms the backup engineer’s ability to restore data and establishes precisely how long the process takes to complete.
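A file-level restore test like the one described above can be checked mechanically rather than by eye. The following is an added example, not part of the original article or any MSP's tooling: it records SHA-256 digests and permission bits at backup time and compares a restore made to a different location against them. The function names and sample files are constructed for illustration.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's relative path to (SHA-256 hex digest, permission bits)."""
    root, result = Path(root), {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            mode = stat.S_IMODE(path.stat().st_mode)
            result[path.relative_to(root).as_posix()] = (digest.hexdigest(), mode)
    return result

def verify_restore(manifest, restored_root):
    """Check a restored tree against the manifest recorded at backup time."""
    restored = snapshot(restored_root)
    report = {"missing": [], "content_mismatch": [], "permission_mismatch": []}
    for rel, (sha, mode) in sorted(manifest.items()):
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel][0] != sha:
            report["content_mismatch"].append(rel)
        elif restored[rel][1] != mode:
            report["permission_mismatch"].append(rel)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    report["ok"] = not any(report.values())  # True only if every list is empty
    return report

def demo():
    """Constructed sample: a source tree and a deliberately faulty restore of it."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        src.mkdir(); dst.mkdir()
        for name in ("a.txt", "b.txt", "c.txt", "d.txt"):
            (src / name).write_bytes(b"record " + name.encode())
            os.chmod(src / name, 0o600)
        manifest = snapshot(src)  # taken when the backup runs
        # Restore elsewhere: a intact, b truncated, c world-readable, d never restored.
        for name, data, mode in (("a.txt", b"record a.txt", 0o600), ("b.txt", b"record", 0o600),
                                 ("c.txt", b"record c.txt", 0o644)):
            (dst / name).write_bytes(data)
            os.chmod(dst / name, mode)
        return verify_restore(manifest, dst)

if __name__ == "__main__":
    print(demo())
```

Storing the manifest separately from the backup set means a corrupted or tampered backup cannot also rewrite the values it is checked against.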
Integration within a wider contingency plan is also essential as a failsafe for data protection. Most MSPs offer disaster recovery technology capable of failing over data and services to a secondary location almost instantaneously. However, be aware that backups are often considered the last line of defense in the event of a catastrophic system failure. The contingency plan authorizes instant data restoration capability in worst-case scenarios.
To meet HIPAA Security Rule requirements, the BaaS platform incorporates offsite backup technology that will entirely offload the ePHI healthcare infrastructure to an external location. The offloading is most frequently performed through site-to-site replication technology or even by shipping backup tape media to a compliant external location. Since backup data is transferred externally over a network, determining the network security being provided by the MSP is imperative to prevent breaches.
Hurricanes Michael and Florence clearly bring into focus the need for emergency preparedness to protect the security of patient data. Indisputably, losing data has huge consequences for healthcare providers who routinely handle sensitive and private ePHI. For example, if access to a critical pharmacy, lab or EHR system is severed, a medical practice struggles to recover and continue its business operations. Reputations are damaged. More importantly, patient lives are put at risk.
Like insurance plans, a data backup plan is there when you most need it as an integral part of your overall business strategy. Before the next natural disaster strikes, what is your backup plan?