Healthcare data backup and data recovery are critical components of every health IT infrastructure.
The inability to access data is a serious issue in healthcare. Organizations constantly face the possibility of data breaches, ransomware attacks, and natural disasters that can make it impossible for clinicians to access the data they need to treat patients.
It’s not a question of if a data recovery solution will be needed, but when that need will arise.
A solid remote data backup, a well-executed data recovery solution, and a thorough contingency plan in the event of a cyberattack or natural disaster can mean the difference between a major crippling event and dodging a potential disaster.
Backup and recovery is one of the most critical operations performed in the data center, requiring organizations to maintain current, flexible, secure, and speedy solutions to keep their data accessible at all times.
How can healthcare organizations develop a complete disaster recovery plan that will ensure data access for end-users and prepare them to combat the many threats they are facing?
Developing a HIPAA compliant backup and data recovery plan
Before purchasing solutions, healthcare organizations must lay out a detailed backup and recovery plan. Organizations need to decide what tools to implement, what staff training is required to ensure quick reaction times, and what backup source they are going to use.
“Where backup and recovery is particularly stark is when being down directly impacts the business,” Zetta CEO Mike Grossman told HITInfrastructure.com.
“It’s a significant issue in the context of healthcare where people’s lives are involved. The real issue is, what happens when something goes wrong, what do you do to recover the data, and how quickly can you be up and running again?”
To ensure an organization's IT infrastructure can quickly come back online in the event of an outage, providers should understand the distinction between data backup and data recoverability. There is often a misconception that backup and data recovery are one and the same, which can lead to gaps in the action plan.
Data backup is the process of copying the data to a separate location so it always exists somewhere else.
Data recovery is the process of retrieving that backed up data so it can be restored and utilized.
“Recoverability is one of the key challenges for organizations,” Grossman stressed. “Even if the data is stored in an off-premises cloud server, being able to restore the data rapidly ends up being a challenge. When organizations only have backup solutions, they don’t really have a good way of recovering data, or in the disaster recovery context, recover their applications.”
Organizations need a recovery solution that allows them to quickly prevent further damage from a cyberattack. Entities also need to bring applications back online seamlessly so clinicians and patients are never interrupted during an attack.
“A lot of organizations thinking about protection from ransomware and disasters are only thinking about copying data off-site and replicating data,” Webair CTO Sagi Brody explained.
“The replication is the easiest part. When organizations need to cut over to their recovery solution, the applications need to be consumable to the end users in the same way the production infrastructure was. When clinicians log into their EHR, it needs to look and feel exactly how it did before the event.”
For healthcare organizations, HIPAA compliance is a must-have feature in a data backup or recovery vendor.
“The biggest difference between backup and recovery in healthcare is that the data is so inherently private and you have the whole layer of HIPAA compliance,” Grossman explained.
“Healthcare, more than any other sector, has that sensitivity related to data. If vendors want to provide solutions in the healthcare space, they have to be absolutely rock-solid when it comes to issues of compliance.”
Vendors that offer HIPAA compliant backup and data recovery solutions to healthcare organizations are dealt the difficult task of completing audits periodically to ensure their solutions are compliant.
“Vendors have to build a lot of functionalities and safeguards and it’s a big investment, but security, reliability and privacy need to be safeguarded in a way which is demanded and legally required,” said Grossman.
Healthcare organizations seeking out vendors should ensure their potential partners are HIPAA compliant and willing to sign a business associate agreement.
Vendors who do offer this service are typically transparent about their HIPAA compliance status. Providers may wish to stay away from vendors who are not forthcoming about their knowledge of or adherence to HIPAA guidelines.
Beginning with backup
Many organizations opt for a phased approach with their backup and recovery systems, starting with data backup before moving to data recovery.
Organizations benefit greatly from keeping a copy of their data beyond the physical confines of their own facility.
The general rule for backing up data is to have at least three different copies of the backup stored on two different types of media with at least one of the backups held offsite.
While this may not be feasible for every organization, it is the ideal way to make sure that no data is lost.
Organizations can use physical mediums for backup, such as tapes, or opt for storing copies of their data in the cloud.
Using tapes to back up data offsite ensures that healthcare data lives somewhere else, so if the main data center is attacked or physically compromised, the data won’t be lost.
However, offsite physical backups run the same risk as keeping data on premises: if the offsite facility is compromised, the backup is gone. Relying on physical tapes could also slow down the recovery process: it could potentially take weeks to ship boxes of tapes from a distant facility to the main data center.
A cloud backup is a good complement to a physical backup. The cloud backup is more accessible to the data recovery solution, allowing organizations to bring applications and tools back online quickly.
Traditionally, physical backups such as tapes were considered more secure than storing data somewhere in the cloud. However, cloud storage vendors have been working with healthcare organizations to produce HIPAA-compliant cloud backup solutions, and these solutions are becoming increasingly popular.
“It’s not just a matter of putting a tape in a bunker and calling it a day,” Key Information Systems Director of Cloud Service Clayton Weise told HITInfrastructure.com. “You need to be able to access the data at some point. If the data you have is stored on outdated tapes, they may need to be refreshed and brought onto new media. Managing tapes is difficult and cloud provides a similar price to buying, storing, and managing tapes.”
Migrating data to a cloud backup can be a challenging and expensive process, but the investment in time and resources is often worth the trouble.
Organizations should start with a strong understanding of the skills and processes involved before and after the migration occurs, including management and maintenance requirements. Data needs to be backed up as frequently as possible, on a daily, weekly, or monthly basis.
Data that is accessed or created more frequently, such as EHR documentation, may need more frequent backups, while historical data could be on a somewhat slower schedule.
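An added example, not from the original article or any vendor it quotes: a small audit of a backup inventory against the three-copies, two-media, one-offsite rule and the per-dataset backup frequency described above. The inventory records, dataset names and maximum-age windows are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed maximum age of the newest offsite copy per data class
# (hypothetical windows; the article gives no specific values).
MAX_AGE = {"ehr": timedelta(days=1), "historical": timedelta(days=31)}

# Constructed sample inventory: one record per backup copy.
INVENTORY = [
    {"dataset": "ehr", "media": "disk", "offsite": False, "taken": "2018-02-15T23:00"},
    {"dataset": "ehr", "media": "cloud", "offsite": True, "taken": "2018-02-15T23:30"},
    {"dataset": "ehr", "media": "tape", "offsite": True, "taken": "2018-02-10T02:00"},
    {"dataset": "historical", "media": "tape", "offsite": True, "taken": "2018-01-28T02:00"},
    {"dataset": "historical", "media": "tape", "offsite": True, "taken": "2017-12-01T02:00"},
]


def audit(inventory, now, max_age=MAX_AGE):
    """Return {dataset: [findings]}; an empty list means the dataset passes."""
    by_dataset = {}
    for copy in inventory:
        by_dataset.setdefault(copy["dataset"], []).append(copy)

    report = {}
    for name, copies in by_dataset.items():
        findings = []
        if len(copies) < 3:
            findings.append(f"only {len(copies)} copies, need 3")
        media = sorted({c["media"] for c in copies})
        if len(media) < 2:
            findings.append(f"only 1 media type ({media[0]}), need 2")
        offsite = [c for c in copies if c["offsite"]]
        if not offsite:
            findings.append("no offsite copy")
        elif name in max_age:
            # Only offsite copies survive loss of the main data center,
            # so freshness is measured on the newest offsite copy.
            newest = max(datetime.fromisoformat(c["taken"]) for c in offsite)
            if now - newest > max_age[name]:
                findings.append(f"newest offsite copy is {(now - newest).days} days old")
        report[name] = findings
    return report


if __name__ == "__main__":
    for dataset, findings in audit(INVENTORY, datetime(2018, 2, 16, 12, 0)).items():
        print(dataset, "OK" if not findings else "; ".join(findings))
```

Measuring freshness on offsite copies only means a recent on-premises copy cannot mask an offsite backup that has fallen behind its schedule.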
Many cloud vendors offer services to help entities simplify certain aspects of the cloud migration process. Partnering with a vendor for these services can eliminate the need to have an on-premises specialist to manage every aspect of the migration.
Cloud-based data recovery
Cloud-based backup is critical to healthcare organizations which need to keep their data available to end-users during an event. Organizations need to have the reactionary capability to switch over to their recovery solution as quickly as possible.
When organizations are hit with a ransomware attack, the data affected by the attack becomes unavailable. Once the IT department establishes that a data set is unretrievable, organizations need to quickly switch over to their uncompromised backup.
Even the best backup solution will be useless for organizations in this situation if it isn’t paired with a strong recovery plan.
To be sure that the process will be executed correctly when the time comes, the data recovery solution needs to be tested regularly.
However, testing each application’s recoverability is a significant undertaking.
“Healthcare IT departments have to manage 30 to 40 departments including radiology PACS, and MRI systems among others,” said Brody. “They aren’t exactly the best source to tell if things are working properly at the recovery site because they’re not the ones who use the apps and tools every day.”
End-users should be involved in the data recovery testing process. Entities can seek solutions that allow app users to test their own apps. The IT department can put users on a schedule to test their recovery apps once a month and report any inconsistencies or errors.
Cloud service providers can offer recovery services to organizations that do not have the capability to manage recovery on their own.
IT staff members can make mistakes due to lack of experience or heavy workloads if they are not prepared to take on the task of data recovery. The organization can fire that staff member, but cannot erase the fact that their data was still compromised.
Data recovery outsourced to a service provider is backed by a contract and maintained by a managed service provider with all the protection tools needed. Service providers are able to shoulder the data recovery burden, leaving organizations free to manage other tasks.
Choosing a backup and data recovery solution
Backup and recovery are two separate functions, but many vendors offer both services because these processes go hand-in-hand.
Organizations should look to vendors whose solutions cause as little disruption to existing IT infrastructure as possible.
“Healthcare organizations shouldn’t have to compromise on network security or standards in order to consume cloud services,” said Brody. “It shouldn’t be an exception to the rule.”
“A successful deployment means that the organization’s CSO and the IT department have a lot less work to do. They consume a service that is wrapped around what they’ve already built, rather than have to change what they’re doing.”
Organizations should ask potential vendors about how the backup and recovery solutions will integrate with existing systems. In most organizations, IT infrastructure is made up of a patchwork of legacy systems, which can present issues to deployment teams. Organizations need to be sure that their recovery solution will connect to third-party EHRs and other IT systems to guarantee their data will be recovered during an attack.
“The interoperability demand and the interconnecting of different services, coupled with the merging of systems, creates an interesting storm,” explained Brody. “There are also a lot of legacy solutions involved that organizations don’t want to turn off, but they provide roadblocks preventing them from using different types of systems.”
Organizations can consult with vendors and explain their current IT infrastructure to make sure the backup and recovery solutions are compatible.
Cloud scalability is also a point of inquiry for organizations that are adopting backup and data recovery. As healthcare organizations adopt more and more digital tools, they are producing exponentially more data. The backup environment will need to be expanded periodically to manage the higher volume. Entities need to know how much it will cost to expand, as well as how quickly they will be able to expand their cloud backup solution.
Every healthcare organization is at risk for a crippling security event. A complete backup and data recovery solution is vital to ensuring that clinicians and patients are not interrupted during an attack or physical data disaster.
Cloud-based options are a good choice for making sure recovery data is always available without putting too much strain on IT staff. Consulting with vendors is a key step so organizations can confidently switch over to their recovered data.
This article was originally published on February 16, 2018.