Backup And Recovery For Healthcare

How healthcare organizations can implement secure, compliant backup and recovery to protect their data, and their patients’ data.
Laura Ianinni
May 31, 2023

In healthcare, information is both abundant and immensely important. Year after year as the volume of healthcare data increases, the need to protect medical records more effectively and efficiently against loss or corruption becomes increasingly critical. With so many opportunities for malicious or accidental loss of data – if an employee makes a mistake, if a ransomware attack successfully encrypts and locks down data stored in the network, or if a natural disaster causes server damage – it is not a question of whether a healthcare organization will experience data loss at all, but rather how will they recover and move forward when it inevitably does happen?

The term backup and recovery refers to the process of creating and safely storing copies of data that can be used as "backups" if the original data is lost or corrupted, thereby protecting organizations against the many ramifications of data loss. Recovery using backups generally involves restoring the data to the original location, or to another secondary location where it can be used in place of the damaged or lost data. Backup and recovery solutions work by creating point-in-time copies of data, files, and servers, and storing these copies in a secondary storage platform that is isolated from your local devices, so that they can be recovered if needed.

The purpose of backup and recovery is to solve three key issues organizations must consider in their daily operation, which are:

1) Any computer or operating system could potentially crash, often without warning

2) Anyone, no matter their training or experience, can make an error

3) Disasters are unavoidable and tend to occur when you least expect it and at a time when you are least prepared for the fallout

This is why it is so vital for organizations to plan ahead, and to ensure they are employing the right solutions to combat this.  

Why Do You Need To Backup Your Data?

There are three key backup and recovery use cases in the healthcare sector. These are:

To Ensure Compliance With Data Protection Standards

Depending on your region, you may be required to backup your data in order to comply with different data protection regulations. Regulations place certain demands on organizations – for example, laying out requirements for data protection, privacy, and retention. Some will have requirements regarding the level of encryption, while others will stipulate what data should or should not be retained. Any backup and recovery solution you employ will be subject to compliance regulations every bit as much as your production, so it is vital that you ensure the solution you choose can provide the security and compliance support that your business requires.

The most common compliance standards that healthcare organizations must comply with include the EU’s General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS) if you are conducting financial transactions that may be subject to scrutiny under the terms of the Sarbanes-Oxley Act of 2002, and the Healthcare Insurance Portability and Accountability ACT (HIPAA).

The HIPAA Security Rule mandates in requirement 45 CFR § 164.308 that all covered entities (i.e., health plans, healthcare clearinghouses, and healthcare providers) implement a compliant data backup plan. The data backup plan should establish and implement procedures to create and maintain retrievable, duplicate copies of electronic protected health information (ePHI). This requirement is a section of the Code of Federal Regulations which contains the Administrative Safeguards for the HIPAA Security Rule, and covers things like the security management process, security awareness training, and contingency planning in the context of preventative measures against the theft, loss, or unauthorized disclosure of ePHI.

To comply with this rule, organizations must be able to retrieve any data that is secured and backed up quickly and efficiently, which is a requirement that comes from a related provision of the contingency plan requirement called the disaster recovery plan requirement.

To Protect Against Data Loss Caused By Cyberattack, Human Error, And Natural Disaster

Disasters are unavoidable and can strike at any time, often at the least opportune moments. These disasters could be natural disasters like floods, fires and earthquakes; power outages; human error; cyberattacks; or even – as we found in 2020 – an unexpected and entirely unprecedented global health crisis like a pandemic.

Every day, healthcare organizations handle sensitive information, including personally identifiable information (PII) and protected health information (PHI). Due to the complex and sensitive nature of this information, meaning healthcare organizations are at risk of suffering staggering data breaches that can cause significant financial and reputational damage to both themselves and their customers and patients. To get a good idea of the scale of this issue, we can look at a study conducted by the Ponemon Institute in 2022 which revealed that of the 641 IT and IT security practitioners in healthcare organizations that were surveyed, 89% had experienced cyberattacks in the past 12 months. Respondents also estimated that their most expensive cyberattack in the last 12 months ranged from between $10,000 to over $25 million.

On May 14th 2021, the Irish Health Service suffered a massive cyberattack that ground much of their operations to a halt. This ransomware attack involved a criminal group using malware to gain entry to a computer system, at which point they encrypted large volumes of important data and demanded payment for decrypting the stolen data. This attack affected nearly every aspect of the healthcare system – which was already struggling under the burden of COVID-19 – and led to significant disruptions in patient care. Specific cases of this disruption include cancer patients experiencing delays in radiation treatment. With no backup and recovery plan in place, healthcare staff had to revert to pen and paper, with the number of appointments in some areas dropping by 80% in response to the disruption.

The best way to deal with this type of situation is to be prepared, which is where backup and recovery comes in. Healthcare organizations in particular are under pressure to ensure their data is securely backed up and can be easily recovered and quickly accessed, so that any operations that could be negatively affected by the disaster are able to continue with minimal disruption. As such, data backup and recovery in healthcare is vital for recalling data after an accident, natural disaster, or cyberattack that might overwise have wreaked havoc on patient care.

To Secure Cloud Data

Many productivity and collaboration providers (Microsoft 365 and Google Workspace included) operate on a shared responsibility model, which is a security and compliance framework that dictates that the cloud provider is responsible for monitoring and responding to security threats that relate to the cloud and any underlying infrastructure, but end users – including individuals and companies – are in charge of protecting data and other assets they store in any cloud environment. This idea of shared responsibility is often misunderstood when the assumption is made that the cloud provider is fully protecting all cloud workloads, applications, data etc. This misunderstanding can lead to vulnerabilities arising, like failing to backup data natively. It is the company’s responsibility to backup their own data to optimum security – the most reliable way to do this is with a third-party tool.

What Features Should You Look For In A Backup And Recovery Solution?

Healthcare organizations should implement a secure and compliant backup and recovery solution to protect their data and operations in the event of data loss. The best backup and recovery solutions offer the following capabilities:

Point-In-Time Backups

With point-in-time backups, database administrators can recover and restore data, files, or databases from a specific point in time. This is an important capability for when something goes wrong and the live database is corrupted, or if someone accidentally changes or deletes something they shouldn’t, as is means everything can be restored to the last known good point - as if the mistake never happened. The prerequisite for point-in-time recovery is that the backup process must be capable of logging all database transactions in detail, and those backups must be created as often as is needed, whether than be daily or even hourly.

Backups of multiple media types

Healthcare organizations will often need to store data that comes in a variety of different formats, so it is important that backups and recovery solution employed is capable of storing and managing these various media types, as well as have the ability to export them in their original format (including images files, such as medical scans).

Granular Search And Recovery Capabilities

With a granular search tool that combines filters with a keyword search, specific files can be restored and recovered in seconds from a single backup, thus significantly reducing the recovery time and the footprint of the backup on storage resources. Strong search tools also allows administrators to retrieve specific files directly out of a single backup, rather than having to restore an entire virtual machine or do a secondary redundant backup just to recover a single file. You need to be able to restore individual files, as well as do a full system backup. Some solutions will only be capable of doing one or the other, so it is important to make sure any solution you consider specifies these two capabilities. You should also be able to restore data either to its original location or to somewhere else; so, if, for example, a user was to leave the company and you need to restore one of their files, you won’t want to restore it to the laptop they are no longer using and will instead want to restore it to another user’s. It is important, also, to be able to restore data in its original format, rather than just receiving a "read only" version of it. Essentially, you want a solution with the flexibility to restore exactly the data you need, in the format you need it, to the place you need it.

Retention periods and storage limits

The retention policy feature is offered by most backup and recovery solution and help to ensure that backups are retained as long as they are needed, and that old backups which are no longer needed are expired to save storage cost and prevent exceeding storage limits. Backup and retention length is straightforward for organizations in regulated industries, like healthcare, as there are regulatory requirements that stipulate the length of times backups should be retained. Retention periods and storage limits should be tailored to your organization’s needs and should support adherence to any necessary compliance requirements.

Compliance

Healthcare organizations are under increasing pressure to properly secure their data, from employee records to customer or patients’ personal information. These regulatory standards may have rules regarding how long data is stored or who can be given access to certain information, often with very steep penalties for breaching these rules (disclosing patient personally identifiable information to anyone who is not that patient can lead to medical staff losing their licenses and jobs, for example). A robust backup and recovery solution securely encrypts and archives all necessary records, which is helpful when it comes to compliance and auditing requirements, and could also be beneficial in the event of litigation.

Additional security features

There is no such thing as a perfect cybersecurity defense against all ransomware and malware, but the more multifaceted and varied your defenses are the better chance there is that attacks attempting to infiltrate your organization will be thwarted. So, it is important for backups and recovery solutions to support the use of additional security measures, with things like multi-factor authentication (MFA), encryption, and role-based access controls, etc. acting as additional barriers against cyberattacks.

Compatibility

Be sure the solution you choose offers integrations for the applications already in use at your organization. So, if you’re working with Microsoft 365, ensure the solution offers an integration natively that will sync with your Active Directory to make deployment more straightforward. You may also want to look for a vendor that offers onboarding support to help you with this, or you may want to go with an MSP like Constant Edge, who  can support you through the deployment and configuration of your solution.

Ease of deployment, integration, and scalability

One of the advantages of employing a specific backup and recovery solution instead of cobbling together products from various hardware, software, and cloud vendors to do the same job is that it is more straightforward, less fuss, and far easier to deploy and manage. Your chosen solution should be able to integrate seamlessly with your environments, and in today’s business environments where organizations are expected to grow quickly it is also important to ensure that data storage or data centers are up for the challenge of increasing or decreasing resources according to demand.

Our Recommendation

Data backup and recovery is crucial for healthcare organizations, ensuring they can recover efficiently in the event of data loss caused by a cyberattack, disaster, or accident.

Constant Edge has partnered with CloudAlly, a market-leading backup and cloud data protection platform that is trusted by over 16,000 organizations globally, to provide backup and recovery for healthcare organizations.

CloudAlly is a market-leading cloud-to-cloud backup and recovery solution that adheres to industry standard best practices for information security management and is both ISO 270001 compliant and HIPAA compliant. They offer a suite of products designed to operate efficiently with cloud applications like Google Workspace, Microsoft 365, Sharepoint, OneDrive, Salesforce, Box, and Dropbox.

Secure Backup And Flexible Recovery

With the CloudAlly platform, the process of activating backups for new users and of creating backups for all existing users daily is fully automated, which facilitates consistent data storage that doesn’t require admin users to take time out of their day to manually initiate backups. CloudAlly also lets you set backup tasks to run automatically, or trigger in-demand backups as they are needed, and the platform manages non-destructive restores to the same and different users, and can facilitate data being exported to a local archive or download.

CloudAlly offers unlimited data retention and anytime, anywhere data restoration that allow users to restore from any point-in-time at a granular level, with historical snapshots, cross-user restore, non-destructive restore, and the option to recover entire mailboxes. This supports adherence with the stipulation of the HIPAA regulation, which requires that all data you are securing and backing up must be fully recoverable. The ability to roll back to a point where data was unaltered is also great for maintaining a high standard of patient care, as fast data recovery means any disruptions caused are quickly remedied.

Finally, CloudAlly secures data using the AES-256 encryption standard, which is so advanced and complex it would take hundreds or even thousands of years for even the most advanced modern computers to crack it.

Visibility And Auditing

Admins gain extensive visibility into backup status across the whole of the network with CloudAlly.  With the activity viewer, they can oversee events, applications, locations, and status easily, and can also be able to identify specific user activity or data quickly using the search and filtering function. This straightforward navigation cuts out a lot of potential for wasted time and allows for a more streamlined experience, which is vital in an industry like healthcare where time is of the essence so often.

Another highly useful feature offered by CloudAlly is auditing. The platform automates the logging or critical information such as changes in permissions, sign-in failures, setting changes, deactivated users, and backup history, giving admins an extensive overview of all possible instances of attempted infiltration or potential vulnerable areas. It also allows you to make detailed audit reports with just the click of a button. For a sector as closely regulated as healthcare, this is an extremely important capability.

Access Controls

Controlling access is vital, particularly for organizations in industries like healthcare where they are responsible for high volumes of sensitive and private information. CloudAlly works well to support strong security by requiring all users to verify themselves with two-factor authentication before being granted access. Users are assigned role-based permissions from the admin control panel, which controls their access rights to different activities and applications including viewing the account settings page, managing notifications, and restoring backups. Users can carry out their daily tasks without ever inadvertently or deliberately overstepping their permissions and accessing information they should not be able to see. CloudAlly tightens security even further on actions that create the most potential for vulnerability by requiring users to put in an export request before downloading any content, to ensure that only valid parties can carry out data exports.

Protect Your Patients With Constant Edge

As internet security measures develop and improve, threat actors will always be developing new tactics to circumvent those new innovative security measures. As threats evolve, organizations will face higher risks of cyberattacks, and will need to be prepared to protect themselves. Securing data is no easy task and does come with many challenges, but it is important to maintain data integrity – especially in highly regulated industries like healthcare.

Breaches are costly in more ways than just the financial, they can also diminish the trust of users, customers and patients who entrust the organization with their information and may find themselves suddenly in danger of being targeted by fraudsters who have access to their personal data. Ultimately, the most important thing in healthcare is patient care and protecting patients, both by ensuring their personal information is properly secured and by being certain that healthcare organizations are not at risk of being brought to a grinding halt by data loss caused by human error, malicious attacks, or natural disasters. Healthcare organizations must be prepared to recover fast to ensure that no disruptions are allowed to drag on and affect patients negatively.

A backup and recovery solution is a valuable tool that can help to prevent these outcomes. They support organizations in solidifying their security efforts by periodically creating or updating copies of network data, storing these copies in multiple more remote locations, and using the copies to resume business operations in the event of data loss, whether it be due to data corruption, file damage, cyber-attack, or natural disaster.  

If you represent a healthcare organization looking for a secure, compliant data backup and recovery solution, we can help. Constant Edge has a team of data protection specialists who understand the importance of backup for healthcare organizations and can advise you on the best solution to meet your – and your patients’ - needs. Get in touch with our team to learn more.

Contact us