When it comes to health data backup and recovery, healthcare organizations have a huge task on their hands.
They must make potentially life-saving patient information easily accessible for those who need it, while at the same time safeguarding that healthcare data and protected health information against loss, theft and corruption – and all while maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA).
There are essentially three types of storage, backup and recovery design concepts healthcare organizations can utilize to solve this problem – onsite, offsite, or hybrid.
It’s essential that HIPAA covered entities in the healthcare industry build a data backup and recovery solution that meets both their operational requirements and regulatory compliance obligations.
Below, we discuss the various options in more detail.
Onsite Storage, Backup and Recovery
Onsite storage refers to healthcare data being stored on your organization’s premises, usually in some sort of data center or computer room.
One of the main benefits of onsite storage is its fast response and low latency – when you need to access a file or a patient’s medical records, you can do so quickly without having to rely on a strong internet connection.
This is also true when it comes to backup and recovery.
Backups can be quickly made onto tapes, disks, or other forms of storage media – and, should data get lost, stolen or be otherwise corrupted, IT staff can quickly grab the backup and load the lost data back onto the organization’s main servers and networks.
There are downsides, however.
For starters, the costs of managing, maintaining and routinely upgrading on-premises backup infrastructure are high.
Onsite storage means that you have to shoulder the expense of purchasing a physical hard drive or server, plus the salary (or salaries) of an in-house IT professional to manage the system and implement regular security updates, firmware upgrades and software patches.
Consideration must also be given to future expansion – at some point, you will need to purchase additional infrastructure and pay for additional staff to manage it.
Then there is the problem of storing your data backups in the same physical location as the primary data sources.
If a disaster strikes your office – be it a cyberattack, fire, flood, or break-in – your backups will be affected, too, meaning you will likely be left with no recoverable data to resume business operations post-disaster.
Should such an event occur, you will also be in violation of HIPAA and can expect penalties, fines and lawsuits.
Offsite Storage, Backup and Recovery
Offsite backup and disaster recovery solutions – also known as cloud backup or remote backup – are a fantastic option for HIPAA covered entities.
For starters, the infrastructure is already in place and ready to use.
Healthcare professionals simply access a platform managed and maintained by the backup and recovery provider over the internet – there is no initial outlay for infrastructure and no ongoing maintenance costs.
The third party is responsible for the hardware, software and recovery solution.
Cloud solutions are also easily scalable – in fact, storage can be immediately expanded on demand and you only ever pay for what you use.
Perhaps the most important benefit, however, is the fact that your backups are stored in a remote location.
This means that should a data disaster strike your office, your backups will not be affected – all of your data will be recoverable almost instantly if required with no lasting business impact.
The only thing you need to be concerned about is the level of security the cloud backup provider offers and whether or not it is HIPAA compliant.
This is important.
Under HIPAA, any cloud services provider a healthcare organization works with becomes a “business associate” – and business associates are obliged to comply with HIPAA Rules as well.
Healthcare Data Backup and Recovery Best Practices
So, which is best – onsite or offsite backup and recovery?
Actually, the best solution is a hybrid model of data backup known as the 3-2-1 method.
Here’s how it works.
You create three (3) copies of your data, two (2) of which are located on different devices, with one (1) of them located offsite with a HIPAA compliant data backup and recovery provider.
Why is this the best method?
Because this way you have all bases covered.
Onsite backup ensures you always have quick access to your data in the event of a small matter such as your computer crashing.
Offsite backup, meanwhile, gives you full protection against localized onsite disasters – such as data breaches, natural disasters and human error, including the accidental deletion of files.
HIPAA makes it clear that covered entities must ensure data protection by establishing and implementing “procedures to create and maintain retrievable exact copies of electronic protected health information” (45 CFR 164.308(a)(7)(ii)(A)).
In addition, they must be able to “restore any loss of data” (45 CFR 164.308(a)(7)(ii)(B)) in the event of a cyberattack or other catastrophe that causes damage to computers or servers where PHI is stored.
When relying on onsite storage alone, this isn’t possible.
Cyberattacks targeting the healthcare industry are on the rise, computers crash, systems fail and you or a staff member can accidentally delete a file at any time.
So, while onsite storage is convenient in the case of small matters, it’s important to understand that in order to achieve true business protection and HIPAA compliance, offsite backup and recovery is the only solution.
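The 3-2-1 method and the “retrievable exact copies” requirement described above can be checked together. The following is an added example, not code from Central Data Storage: it counts a copy toward 3-2-1 only if its SHA-256 hash matches the source, and all record contents, copy names and device names are constructed placeholders.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str      # label for this copy
    device: str    # device or service that holds it
    offsite: bool  # True if stored away from the primary site
    data: bytes    # bytes read back from the copy during a restore test

def check_321(source: bytes, copies: list[Copy]) -> dict:
    """Apply the 3-2-1 rule, counting only bit-for-bit exact copies."""
    want = hashlib.sha256(source).hexdigest()
    exact, corrupt = [], []
    for c in copies:
        same = hashlib.sha256(c.data).hexdigest() == want
        (exact if same else corrupt).append(c)
    report = {
        "exact_copies": len(exact),
        "devices": len({c.device for c in exact}),
        "offsite": sum(c.offsite for c in exact),
        "corrupt": [c.name for c in corrupt],
    }
    report["meets_321"] = (report["exact_copies"] >= 3
                           and report["devices"] >= 2
                           and report["offsite"] >= 1)
    return report

# Constructed sample data (not real PHI); device names are placeholders.
RECORD = b"patient_id=TEST-0001|note=constructed sample record\n"
HYBRID = [
    Copy("primary", "file-server", False, RECORD),
    Copy("local-backup", "nas", False, RECORD),
    Copy("cloud-backup", "offsite-provider", True, RECORD),
]
ONSITE_ONLY = [Copy(c.name, c.device, False, c.data) for c in HYBRID]
# Same layout, but the offsite copy no longer matches the source.
DAMAGED = HYBRID[:2] + [Copy("cloud-backup", "offsite-provider", True, RECORD[:-5])]

if __name__ == "__main__":
    for label, copies in [("hybrid", HYBRID), ("onsite only", ONSITE_ONLY),
                          ("damaged offsite", DAMAGED)]:
        print(label, check_321(RECORD, copies))
```

The damaged case shows why restore tests matter: an offsite copy that exists but does not match the source leaves the organization with no usable offsite copy.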
HIPAA Compliant Data Backup and Recovery Providers
As outlined above, any cloud backup and recovery provider a healthcare organization works with must be able to demonstrate HIPAA compliance and sign a business associate agreement (BAA).
Not all solution providers are HIPAA compliant, so it’s important that you do your homework when selecting a partner to work with.
At Central Data Storage (CDS), we specialize in providing HIPAA compliant data backup and recovery solutions for healthcare organizations.
We offer fully supported, encrypted, cloud-based and HIPAA compliant backup and disaster recovery solutions specifically designed for HIPAA covered entities.
Our solution even automates your backups, so you don’t need to worry about performing them yourself.
Our solution is designed to get your business back up and running in two hours, with a full data restore complete within 24 hours should a disaster strike. Your entire file history – every version – is always protected and can be recovered quickly to any device when you need it.