
Readers Write: Hurricanes Michael and Florence Remind Us Why We Need a Data Backup Plan

October 15, 2018 | Readers Write

By Marty Puranik


Marty Puranik is president and CEO of Atlantic.Net of Orlando, FL.

The immense flooding caused by Hurricanes Michael and Florence across the Florida Panhandle and the southeastern Carolinas, respectively, is yet another reminder to businesses of the overwhelming power of natural disasters. The devastating chaos and aftermath of these massive storms bring into sharper focus the critical need to safeguard health data.

The data backup plan is a mandatory stage of HIPAA compliance requiring healthcare organizations to create, implement, and maintain a set of rules and procedures to follow when managing the backup and restore requirements of electronic protected health information (ePHI).

The data backup plan sits within wider contingency planning processes that include your chosen business associate (BA) or managed service provider (MSP). The company engaged to manage your plan, whether remotely or on site, must demonstrate a compliant backup service capable of backing up and restoring exact copies of ePHI.

In choosing a backup service for business continuity and HIPAA compliance, it is critically important to understand the HIPAA Security Rule requirements. This rule demands a backup solution that adheres to the following criteria:

  • Use of data encryption. Backup data is expected to be encrypted at rest and in transit. This can be achieved with storage-hardware or operating-system-level encryption.
  • User authentication safeguards. Each user has a unique identity protected by multi-factor authentication, for example Active Directory credentials combined with a token-based security key such as PKI.
  • Role-based access rules. Users are granted access on a need-to-know basis following a least-privilege design. These measures help prevent access to backup data by unauthorized personnel.
  • Offsite storage capabilities. Backups must be stored in a location separate from production services.
  • Secure data center facilities. This measure covers facility security processes audited under standards such as SSAE 16 SOC 1 and SOC 2.
  • Detailed monitoring and reporting functions. Every backup run must be reported on, and alerts must be generated when a backup fails.

Moreover, leaving any best-laid plan involving patient data to chance opens the door to security risks. Proactively test your data backup plan to ensure the MSP's systems work as expected in any unforeseen situation. Testing procedures can include:

  • File-level restore. One or several files are restored to the file system, either on the original server or to a different location.
  • VM-level restore. If the MSP uses virtualization technology, a full virtual machine restore can be performed and the restored server tested for functionality.
  • Application-level restore. A common example is restoring a database inside a Microsoft SQL Server instance or a mailbox from Microsoft Exchange. This test verifies data integrity and confirms that the correct permissions and security configuration are recovered along with the data.

I often recommend that providers delegate backup and restore responsibilities to a compliant cloud or backup-as-a-service (BaaS) offering. The MSP determines the type of backup media to use, which is usually disk-based storage. Once backups are completing successfully, the next step is a test restore to validate the data's integrity. The test also confirms that the backup engineer can actually restore the data and establishes how long the restore takes, which is the figure you need when planning recovery time.
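The restore tests above come down to two checks: the restored bytes match what was backed up, and the permissions come back as they were. The script below is an added example (not the author's or Atlantic.Net's code) that records a manifest of SHA-256 digests and permission bits for a source tree, then verifies a restored copy against it; the directory names and the sample "patients.db" file are constructed for the demo.

```python
"""Verify a file-level restore: content integrity plus permission recovery (added example)."""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Record (sha256 hex digest, permission bits) for every file under root, keyed by relative path."""
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[rel] = (digest, stat.S_IMODE(path.stat().st_mode))
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> list:
    """Compare a restored tree against the manifest and return a sorted list of problems (empty = clean)."""
    problems = []
    for rel in sorted(manifest):
        digest, mode = manifest[rel]
        path = restored_root / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
            continue
        if hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            problems.append(f"content mismatch: {rel}")
        if stat.S_IMODE(path.stat().st_mode) != mode:  # permissions must be recovered too, not just bytes
            problems.append(f"permission mismatch: {rel}")
    return problems


def demo() -> tuple:
    """Constructed scenario: one clean restore and one that lost a file and a permission setting."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "notes").mkdir(parents=True)
        (src / "patients.db").write_bytes(b"constructed ePHI sample, not real data")
        (src / "notes" / "readme.txt").write_text("constructed restore-test note\n")
        os.chmod(src / "patients.db", 0o600)  # owner-only, the least-privilege setting we expect back
        manifest = build_manifest(src)
        good = Path(tmp) / "restore_good"
        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, good)  # copytree preserves mode bits, so this restore is faithful
        shutil.copytree(src, bad)
        os.chmod(bad / "patients.db", 0o644)  # simulate a restore that widened permissions
        (bad / "notes" / "readme.txt").unlink()  # simulate a file that never came back
        return verify_restore(manifest, good), verify_restore(manifest, bad)
```

Run `demo()` to see the clean restore return an empty list while the faulty one reports both the missing file and the permission drift; in a real test the manifest would be generated at backup time and kept with the backup metadata.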

Integration within a wider contingency plan is also essential as a failsafe for data protection. Most MSPs offer disaster recovery technology capable of failing over data and services to a secondary location almost instantaneously. Be aware, though, that backups are the last line of defense when a catastrophic system failure occurs. The contingency plan provides for immediate data restoration in the worst-case scenarios.

To meet HIPAA Security Rule requirements, the BaaS platform incorporates offsite backup technology that copies the entire ePHI infrastructure to an external location. The offloading is most frequently performed through site-to-site replication, or even by shipping backup tape media to a compliant external location. Because backup data leaves your premises over a network, verifying the network security the MSP provides is imperative to prevent breaches in transit.

Hurricanes Michael and Florence clearly bring into focus the need for emergency preparedness to protect the security of patient data. Indisputably, losing data has huge consequences for healthcare providers, who routinely handle sensitive and private ePHI. For example, if access to a critical pharmacy, lab, or EHR system is severed, a medical practice struggles to recover and continue its business operations. Reputations are damaged. More importantly, patient lives are put at risk.

Like insurance plans, a data backup plan is there when you most need it as an integral part of your overall business strategy. Before the next natural disaster strikes, what is your backup plan?
