Backup and Recovery Best Practices v1.0



Backup and Recovery Best Practices

For practices that house and maintain their servers and EHR system on site:

Losing vital patient or practice data can be catastrophic for your business. In order to protect your data it’s important to carefully consider your backup and recovery strategy. There are three important phases to any iron clad backup and recovery plan: Asses, Implement, Review

Assess

Take a careful look at your data. This includes practice management (scheduling, billing etc.) as well as all patient electronic health records. Where is your data kept, on what servers, in what room? How much of it is there? How much do you expect to grow in the next 4-5 years?

Think about what you can afford to lose. How long can you afford to not have access to your data? Refer to your Business Impact Analysis.

Look at storage options. There are many options available: additional servers, Network Attached Storage (NAS), magnetic tape. Choose the option with the most storage for the least cost that meets your target for time to recovery. For example, tape may take longer to recover from than disk.

Implement

Create backup policy and procedures. Most likely you’ll want to do a weekly full back up with nightly differential backups. Depending on how often your data changes you may want to back up more frequently. For most practices nightly backups will be sufficient.

Furthermore, backups should be encrypted[1] and stored securely in limited access rooms. Be sure to keep a copy of the encryption key with the offsite copy of your disaster recovery plan.

Safely dispose of old backup media. All old computers should be wiped with a program that writes “0”s and other garbage data to old hard drives before recycling. Similarly all magnetic tapes should be degaussed or physically destroyed before disposal[2].

Review

Periodically verify your backup. Choose a couple of files you’ve backed up previously and restore them to see if the files are intact. This should be performed once a quarter.

Revisit your policies and procedures once a year. Ask if they are still appropriate for your practice. What changes should you make, if any? This will help ensure that you are protecting your data to the best of your ability.

For practices who don’t keep their servers or EHR system on site:

What to do if your EHR is hosted by an off-site vendor, often referred to as Software as a Service (SaaS) or an Application Service Provider (ASP):

Ask that vendor questions!

1. Do they have a backup plan that you can see? Can you have a copy?

2. What is their backup method?

3. What is there guaranteed time to recovery? (How fast can they restore your data in the event of a disaster?)

4. How frequent are their backups?

5. What is their guaranteed recovery point? (What’s the most data you can lose in a disaster?)

6. What is the recovery process? (Do you manage it yourself through the web? Do you call a help desk or technician? Do you submit a ticket?)

7. How does your Service Level Agreement (SLA) address and guarantee the answers to the above questions?

8. What is the restitution process if they don’t meet their guarantees?

Any reputable vendor should be able to provide you with this information. If they can’t or won’t then you should consider another vendor.

Conclusion

With a little planning and common sense you can ensure the safety and availability of your vital data while maintaining the privacy of your patient’s information.

Updates to Document

|Date |User |Section |Content |Version |

|12/29/2010 |CoP |All |Document Creation |v1.0 |

| | | | | |

| | | | | |

| | | | | |

| | | | | |

-----------------------

[1] Follow the guidelines found in NIST 800-111” Guide to Storage Encryption Technologies for End User Devices”.

[2] See NIST 800-88 “Guidelines for Media Sanitization” for further details and guidance.

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download