By Marty Puranik, co-founder and CEO, Atlantic.Net.
The data backup plan was established as a mandatory stage of HIPAA compliance to create, implement and maintain a set of rules and procedures for healthcare organizations to follow when managing the backup and restore requirements of electronic protected health information (ePHI). A data backup plan is part of the HIPAA Security Rule and encompasses wider contingency planning processes that any chosen business associate (BA) or managed service provider (MSP) must be able to demonstrate a compliant backup service capable of backing up and restoring exact copies of healthcare data when required.
The data backup plan should be integrated within a wider contingency plan because it is designed as a failsafe for the protection of patient data. Most MSPs will already be offering disaster recovery technology capable of moving over data and services to a secondary location almost instantaneously. But backups are often considered the last line of defense in the event of a catastrophic system failure. It allows for data restoration capability to be available in the worst possible scenarios.
When choosing a HIPAA compliant healthcare hosting service, it is important to understand the requirements of the HIPPA Security Rule. It demands a backup solution that adheres to the following criteria:
- Use of data encryption – it is expected that backup data should be encrypted at rest and in transmission. This can be achieved by using storage hardware or operating system level encryption techniques
- User authentication safeguards – this includes using unique multi-factor password protection. This is typically achieved using Active Directory and a token-based security key (such as PKI)
- Role-based access rules – users are restricted access on a need-to-know basis following a least privileged design. These measures will help prevent the use of the backup data by unauthorized personnel
- Offsite storage capabilities – backups must be stored in a separate location than production services
- Secure data center facilities – this applies to the facility security processes such as SSAE 18 SOC1 and SOC2 standards
- Detailed monitoring and reporting functions – backups must be reported upon and alerts generated in the event of failure
In order to meet these requirements, most healthcare organizations choose to outsource critical IT services to a third party. Meeting these criteria then becomes the responsibility of the MSP.
In order to achieve HIPAA standards, the MSP is expected to perform an assessment of the types and quantities of ePHI data to be managed, plus understand how the application stacks are used to store this data.
An appropriate backup schedule will be assigned to the relevant IT systems to ensure data integrity and data security. The schedules can vary, and in some circumstances, a daily backup performed at the end of the business day is satisfactory. In other circumstances, the backups need to be scheduled to the hour or minute.
The MSP will determine what type of backup media is to be used. Typically this is disk-based storage. Once successful backups have been achieved, the restore process must be tested. This will confirm the data integrity but will also test the backup engineer’s ability to restore data and how quickly the process takes to complete.
Typically, the following test procedures would be performed:
- File level restore – the first test would be a file level restore where one or several files are restored to the filesystem. This can be to an original server or to a different location
- VMLevel restore – if virtualization technology is used by the MSP, a full virtual machine restore can be performed. This will spin up a copy of the server which can then be tested for functionality
- Application level restore – a common application restore would be a database from inside a Microsoft SQL server instance or a mailbox from Microsoft Exchange. The test here will be for ensuring data integrity, and checking correct permissions and security configuration has been recovered
It is often recommended to healthcare organizations to delegate the backup and restore responsibilities to a compliant cloud or Backup-as-a-Service (BaaS) offering. To meet requirements, the BaaS is required to use offsite backup technology which will completely offload the ePHI healthcare infrastructure to an external location.
This is most frequently done by using site-to-site replication technology, or can even be achieved by shipping backup tape media to a compliant external location. As backup data is transferred externally over a network it is imperative to determine the network security provided by the MSP.
HIPAA legislation demands compliance on a number of networking techniques. Network traffic must utilize strong AES 256-bit encryption when transmitting externally. Remote client access must be managed by signed SSL certificates. This is usually achieved by using a secure and redundant VPN solution.
So far, we have discussed the compliance and technology requirements of a data backup plan. But to finish I will discuss what needs to be in your plan. Please note that there is no set template for a compliant data backup plan, however, it is essential to establish:
- The type of data being backed up
- Identify the databases containing ePHI
- Identify email systems containing ePHI
- Identify medium / high risk / sensitive files (these are usually stored on a file server)
- Identify patient records (Please note: local US state law protects medical records compliance – not HIPAA)
- Identify images / voice / video files
- Identify the data backup solution to be used
- Disk-based backup technology and replication techniques
- Tape-based backup and offsite store/retrieval process
- Cloud storage and provider solution
- Location of the backup data
- Identify backup media required to remain offsite to protect ePHI
- Identify backup media required to remain onsite for production
- If the backup media remains on-site (such as tape) the location will be physically secure (for example a fire safe)
- Identify backup data sent to an off-site storage facility is secured using technical and physical HIPAA compliant safeguards
- Test the restore process
- Test data restores using approved engineers
- Test the wider contingency plan in a scheduled disaster recovery test
- Conduct lessons learned meeting for any issues found during testing
- Detailed Documentation
- Document the backup policy
- Document the backup schedule
- Document the backup process
- Document the restore process
- Document the disaster recovery process
- Document the contingency plan
- Review and frequently update all documentation
In summary, the data backup plan is a required stage of compliance and must form part of a contingency plan that meets HIPAA standards. Losing data has huge consequences, even-more-so for healthcare organizations who routinely handle sensitive and private data. If access to critical pharmacy systems, lab systems or EHR systems was severed, a healthcare practice would struggle to continue business operations. This risks damaging reputation and ultimately could risk patient lives.