HIPAA Compliant Solutions for Data Backup
The need to become HIPAA compliant is driving physicians to examine
every process and system in their offices. Backing up data has
become a high priority as a result of the HIPAA security requirements
not only for backing up and protecting data, but being able to
document the entire process.
There are a number of methods for backing up data, each with its
advantages and disadvantages. As in all technology, more secure
and automated processes continue to evolve.
Years ago, backing up to floppy disks was a widely acceptable
practice. But doctors soon learned that the disks cannot hold
enough memory for unattended backups. Each backup could require
hundreds of disks and storage is unreliable.
-
Today, the most widely-used method for
backing up data is the traditional tape backup. Tapes
provide a relatively high storage capacity and eliminate the
need to sit and watch the backup and change storage acceptance
devices. However, the higher quality comes at a higher price.
Getting started requires an average initial investment of around
$2,000 to purchase the drive and the backup software. Then,
a rotating backup routine recommends using 19 tapes per year
at an average cost of $40 a tape. Often, a practice will just
tape over and over on the same tape only to discover that it
has worn out and the last recognizable backup may be a year
old. Tape backups also require an off-site storage solution
-- where to keep the tapes in the event of a data loss, system
crash or even greater disaster? A practice must address how
quickly those tapes can be retrieved and the data restored in
such an emergency.
-
Some practices have tried removable storage
drives -- though this is not very common. While a large
floppy-disk drive or removable hard-disk equivalent drive are
better than nothing, they are not highly recommended because
of high pricing, cumbersome off-site storage issues and storage
capacity limitations that make unattended backups impractical.
-
One method of backup that has become more
popular is a CD backup. CD formats include recordable
(CD-R) and rewriteable (CD-RW). Recordable CDs, once recorded,
cannot be written over and can be read from any CD-ROM drive.
Rewriteable CDs can be rewritten, but can only be read by the
newer CD-ROM drives. This method of backing up is fairly inexpensive
as the price of CDs continues to drop. But CDs don't hold as
much storage capacity as a tape backup method. DVDs, an upgrade
to CDs, hold up to 18 gigs of data. But with CD or DVD, the
issues of off-site storage and limited shelf-life remain.
- Another method of system wide backup is drive imaging.
Using this concept with commercially available software, entire
hard drive partitions are mirrored to another physical hard drive
either in the same PC housing or to another hard drive on the
network system. This type of backup procedure is extremely essential
in disaster recovery if there should be a hard drive crash or
an insidious virus/warm attack on the PC. This form of backup
is generally not used on a daily basis but does become the critical
first step in data recovery in the event of a system wide crash.
Dynamic data such as critical patient accounting and EMR records
are generally backed up using another format and medium and therefore
would be the secondary step in a recovery process. It is not enough
to have only dynamic data backed up as this will not restore your
entire operating system and other software applications that could
be critical to your practice.i.e. word processing, desktop publishing,
graphics and imaging applications, etc.
-
A new solution to providing both high
quality security and off-site storage has evolved with the growing
access to communications bandwidth -- online data backup.
The online backup service is completely automated. The software
is installed on the PC or server and compresses and encrypts
the data prior to transferring it to a Data Center via a direct
port. The backup occurs at night, the data is safely stored
off-site in its encrypted format and it can be restored at the
push of a button in the event of a disaster. The backup software
has a selection feature that allows the customer to decide which
files to be backed up, enabling cost-effective selection of
data files only. And the backup success is monitored by data
center experts. Typically, there are no upfront costs for the
software and many services offer a free 30-day trial. Monthly
pricing is based on the amount of compressed data stored on
the provider's servers and is typically less expensive than
the cost of tapes. For example, a typical two-physician practice
using practice management software on a Windows-based operating
system might have 50 - 200 megs of compressed data. In such
a case, the monthly online backup cost would range from $20
to $40.
Note: one of the most critical elements
in implementing and testing a data disaster recovery program
is going through the process of data restoration on a trial
basis. All too often, we encounter commercial organizations
including medical practices who claimed to have backup procedures
in place. However these organizations have never tested data
restoration to authenticate and validate the most important
step of data recovery. Oftentimes tapes (or other media) are
out of sequence or improperly labeled. Or, disaster recovery
startup diskettes for Windows 2000, Windows NT have not been
properly maintained and will not initiate the recovery process.
-
With HIPAA compliance deadlines looming, physicians
must evaluate their backup process and make plans to write a
contingency plan. This plan should include information about
how thebackup process is done, who handles the tapes or CDs,
where they are stored off-site, how quickly they can be retrieved
in the event of a disaster, the rotation process -- everything
related to backing up the data, protecting it, storing it and
recovering it. There are backup services that have geared their
company structure to meet the stringent requirements of HIPAA
and will even provide a written contingency plan free as part
of their backup process. Practices that haven't just purchased
tape drives or expensive equipment would do well to consider
looking into online backup solutions.
Accudata Systems can assist you in the evaluation
as well as implementation process of data disaster recovery.
|