With the recent WannaCry ransomware attack, it is apparent that timely backups are not only essential but also required under HIPAA (45 CFR 164.308(7) (ii) (A)). Data backups must be recoverable: an entity must be able to “restore any loss of data” (45 CFR 164.308(7) (ii) (B)).
A backup copies and archives the data stored on a computer so that the original content can be recovered in the event of data loss. Backups serve two purposes: recovery and restoration. In the event of data corruption or deletion, backups recover data. If a hard drive crashes or a natural disaster occurs, backups restore data.
There are two categories of backups: online or local. Online or cloud backups involve sending a copy of the data to an off-site server hosted by a third-party service provider. Local backups may be stored on the following media types:
External Hard Drive
*CDs/DVDs
Solid State Storage (like a USB Flash Drive)
Magnetic Tapes
Computer on the Network
*The use of CDs/DVDs for backups is not recommended because they can become brittle with age or be damaged, rendering the backup useless.
Backups are performed manually, semi-automatically, or fully automatically. Whether cloud-based or local, backups are created as incremental, differential, and/or full backups.
Manual Backup – Choose files and folders each time a backup is performed and manually copy (or drag-n-drop) the data to a CD/DVD or an external hard drive, etc.
Semi-Automated Backup – Utilizing backup software, selected files and folders are copied automatically when running the software. The downside is remembering to run it each time.
Fully-Automated Backup – After scheduling backup software, selected files and folders are automatically copied. The software runs regularly without further user interaction.
Incremental Backup – Creates copies of all files or parts of files that have changed since the last backup. An incremental backup contains only the changes made since the previous backup (incremental or full). This is the quickest method and storage requirements are low; however, restoring is more difficult.
Differential Backup – Creates copies of all files that have changed since the last full backup. It is quicker than a full backup and easier to restore than an incremental backup.
Full Backup – Complete backup of every selected item. Restores quickly. Backing up is slow and storage requirements are high.
Back up frequently. Set a schedule and stick to it to maintain HIPAA compliance.
Use fully automated software to perform backups. If manual or semi-automated backup software is used, having to remember to run it invites human error. Backup software can use a great deal of system resources. Schedule the backup software to run after work hours to reduce the load on system resources during the workday.
Perform incremental backups through the week and a full backup at the end of the week. To restore data, the full backup and all incremental backups to the day of disaster are required. That is, if full backups ran on Sunday and the day of data corruption is Thursday, the full backup and the incremental backups from Monday through Wednesday are required for restoration.
Perform differential backups through the week and a full backup at the end of the week. To restore data, the full backup and the last successful differential backup are required.
Periodically test backups (45 CFR 164.308(7) (ii) (D)). Backups that do not function properly are worthless. Test backups at regular intervals to ensure your data is valid in the event of a disaster. If possible, test on a second system with an identical configuration or restore to a virtual machine instead.
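The restore rules above (a full backup plus every incremental, or a full backup plus the last successful differential) can be checked against a backup catalog before a disaster strikes. The following Python sketch is an added example, not part of the original article or of any backup product; the catalog layout, dates, and function names are constructed for illustration, and it assumes that incrementals taken after an unreadable one cannot be applied.

```python
from datetime import date, timedelta

SUNDAY = date(2017, 5, 14)  # constructed sample week, full backup on Sunday

def week(kind, unreadable=()):
    """Constructed catalog: Sunday full, then Mon-Wed backups of `kind`.
    Rows are (day, kind, readable); readable=False models a failed restore test."""
    rows = [(SUNDAY, "full", True)]
    rows += [(SUNDAY + timedelta(days=n), kind, n not in unreadable) for n in (1, 2, 3)]
    return rows

def restore_chain(catalog, failure_day):
    """Return (chain, restored_to): backups to apply in order, and the day of
    the newest state they reproduce, for data lost on failure_day."""
    prior = sorted(b for b in catalog if b[0] < failure_day)
    fulls = [b for b in prior if b[1] == "full" and b[2]]
    if not fulls:
        raise ValueError("no readable full backup before the failure")
    chain = [fulls[-1]]
    later = [b for b in prior if b[0] > chain[0][0]]
    # Differential: only the newest readable one is needed on top of the full.
    diffs = [b for b in later if b[1] == "diff" and b[2]]
    if diffs:
        chain.append(diffs[-1])
    # Incremental: each builds on the previous backup, so stop at the first
    # unreadable one (assumption: later incrementals cannot be applied past a gap).
    for b in later:
        if b[1] != "incr" or b[0] <= chain[-1][0]:
            continue
        if not b[2]:
            break
        chain.append(b)
    return chain, chain[-1][0]

if __name__ == "__main__":
    thursday = SUNDAY + timedelta(days=4)
    for label, cat in [("incremental", week("incr")),
                       ("differential", week("diff")),
                       ("incremental, Tuesday unreadable", week("incr", {2}))]:
        chain, restored_to = restore_chain(cat, thursday)
        print(label, [f"{d:%a} {k}" for d, k, _ in chain], "->", restored_to)
```

With the incremental schedule, one unreadable Tuesday backup limits the restore to Monday's state, while an unreadable differential only costs a fallback to the previous differential.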
Safe storage of backups is as essential as the backup itself. This means the data must be protected from exposure to danger or risk. In the event of a disaster, you must be able to retrieve a replicable copy of the data. To maintain the integrity and confidentiality of ePHI in all backups, use encryption. Additionally, store backups offsite in case of a natural disaster such as fire, flood, or tornado. Safe storage can be achieved by using as many of the following methods as are deemed necessary.
Fireproof safe in an offsite location
Third party vendor
Offsite location (i.e. safe deposit box)
Online or Cloud
Do I need to back up my cloud-based EHR? The short answer is yes; a cloud-based EHR has to be backed up to ensure a replicable copy of the data is available. Who is responsible for backing up the cloud? According to the HIPAA Omnibus Rule, the cloud providers are directly responsible. The clinic is responsible for testing to ensure they have a viable backup.
Whether you use the cloud, online services, in-house services, or something else, remember your data, in this information technology era, is your digital life. Your backup is your lifeline. Safeguard it as you do your own life.