HIPAA TIP: Backup Strategies & Best Practices

Data backup means making a copy of the organization’s existing data (ePHI, financial records, employee information) and storing it somewhere else. The primary reason for backing up data is to keep it available should the original become corrupted, stolen, deleted or otherwise inaccessible. Backups are performed on the assumption that data loss, accidental or intentional, is a constant risk that businesses face. Backup solutions are implemented to ensure timely recovery of critical data and to limit the repercussions of data loss for the organization.

Other reasons why frequent backups are performed on organizations’ systems:

  • An employee may accidentally delete crucial data without knowing its importance or any potential compliance mandates requiring data retention.
  • Critical data can be lost due to physical disasters such as floods, fire, earthquakes or tornadoes. Physical disasters can make data recovery practically impossible or in some cases completely wipe out the organization’s data.
  • Hacking and ransomware attacks occur all the time. Without frequent, comprehensive backups in place, getting your data back may mean paying a ransom, absorbing financial damage, and bringing operations to a standstill while the critical data is inaccessible.
  • Viruses, malware and spyware remain among the major causes of data loss and theft. Even when an infection is not a targeted ransomware attack, ordinary malware can still destroy or corrupt data.
  • In the event of any data loss the organization’s ability to recover quickly and resume business operations is crucial to its success.

Organizations need more than onsite backups. Wherever possible, follow the 3-2-1 rule: keep three copies of critical data, store them on two different media or platforms, and keep one copy offsite. Because ransomware routinely looks for and encrypts any backup it can reach, at least one of those copies should also be offline or immutable (not writable from the production network), so that it survives an attack that reaches the onsite copies.

Storing backup data encrypted adds a layer of protection for the confidentiality of ePHI if a backup medium is lost or stolen. Keep the encryption keys separate from the backups themselves: an encrypted copy stored next to its key is not protected, and one whose key has been lost cannot be restored. Make sure the retention period and policy meet healthcare requirements; HIPAA requires the documentation called for by the Security Rule to be retained for six years (45 CFR 164.316), and state law sets medical-record retention periods that may be longer.

Test the backups regularly, at minimum twice a year and more often when data changes or grows quickly. A test means actually restoring a backup set and verifying the restored data, not just confirming that the backup job reported success.
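The 3-2-1 copies, the restore test and the retention policy described above, as an added Python example that is not part of the original page or of any Anatomy IT tooling: `create_backup` writes an archive plus an HMAC-signed manifest to several destination directories (standing in for separate media and an offsite location), `verify_backup` performs a real restore into scratch space and re-hashes every file, and `prune_expired` applies a retention window. The manifest key, the destination names and the sample records are assumptions constructed for the example; encryption of the archive at rest (for example with gpg, or the storage platform's own encryption) would be applied to the archive file and is not shown.

```python
import hashlib
import hmac
import json
import shutil
import tarfile
import tempfile
import time
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def create_backup(source_dir, destinations, manifest_key, label=None):
    """Archive source_dir; write archive + HMAC-signed manifest to every destination.
    manifest_key is a secret kept outside the backup sets (assumed to come from a vault)."""
    source_dir = Path(source_dir)
    label = label or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    files = {}
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / f"backup-{label}.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            for p in sorted(source_dir.rglob("*")):
                if p.is_file():
                    rel = p.relative_to(source_dir).as_posix()
                    files[rel] = sha256_file(p)  # per-file hashes drive the restore test
                    tar.add(str(p), arcname=rel)
        manifest = {"label": label, "created": time.time(),
                    "archive_sha256": sha256_file(archive), "files": files}
        body = json.dumps(manifest, sort_keys=True).encode()
        # an intruder who can rewrite a copy cannot forge its manifest without this key
        sig = hmac.new(manifest_key, body, hashlib.sha256).hexdigest()
        for dest in map(Path, destinations):  # 3-2-1: three dirs, two media, one offsite
            dest.mkdir(parents=True, exist_ok=True)
            shutil.copy2(archive, dest / archive.name)
            (dest / f"backup-{label}.manifest.json").write_bytes(body)
            (dest / f"backup-{label}.manifest.hmac").write_text(sig)
    return manifest

def verify_backup(dest, label, manifest_key):
    """Restore test for one copy: check signature and archive hash, then extract and re-hash. Returns (ok, reason)."""
    dest = Path(dest)
    archive = dest / f"backup-{label}.tar.gz"
    body_path = dest / f"backup-{label}.manifest.json"
    sig_path = dest / f"backup-{label}.manifest.hmac"
    if not (archive.exists() and body_path.exists() and sig_path.exists()):
        return False, "backup set incomplete"
    body = body_path.read_bytes()
    expected = hmac.new(manifest_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig_path.read_text().strip()):
        return False, "manifest signature mismatch"
    manifest = json.loads(body)
    if sha256_file(archive) != manifest["archive_sha256"]:
        return False, "archive hash mismatch"
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # the 'data' filter (Python 3.12+ and backports) rejects path-traversal members
            tar.extractall(scratch, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
        for rel, digest in manifest["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file() or sha256_file(restored) != digest:
                return False, f"restored file differs: {rel}"
    return True, "restore test passed"

def prune_expired(dest, keep_days, now=None):
    """Retention policy: delete sets older than keep_days by the manifest's own creation time, not mtime."""
    now = time.time() if now is None else now
    removed = []
    for mpath in sorted(Path(dest).glob("backup-*.manifest.json")):
        m = json.loads(mpath.read_bytes())
        if now - m["created"] > keep_days * 86400:
            for f in Path(dest).glob(f"backup-{m['label']}.*"):
                f.unlink()
            removed.append(m["label"])
    return removed

def demo():
    """Constructed walk-through: three copies, restore test, a corrupted copy, a forged manifest, retention."""
    key = b"manifest-key-kept-in-a-vault"  # assumption: a real deployment fetches this from a secrets store
    results = {}
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        src = root / "ehr"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient-0001.json").write_text('{"mrn": "0001", "note": "constructed sample"}')
        (src / "schedule.csv").write_text("date,provider\n2024-01-02,dr-a\n")
        dests = [root / "local-disk", root / "nas", root / "offsite"]
        create_backup(src, dests, key, label="demo")
        results["all_copies_ok"] = all(verify_backup(d, "demo", key)[0] for d in dests)
        (dests[0] / "backup-demo.tar.gz").write_bytes(b"\x00" * 64)  # local copy trashed, as ransomware would
        results["corrupt_copy"] = verify_backup(dests[0], "demo", key)[1]
        mpath = dests[1] / "backup-demo.manifest.json"  # NAS manifest rewritten without the key
        forged = dict(json.loads(mpath.read_bytes()), archive_sha256="0" * 64)
        mpath.write_bytes(json.dumps(forged, sort_keys=True).encode())
        results["forged_manifest"] = verify_backup(dests[1], "demo", key)[1]
        results["offsite_ok"] = verify_backup(dests[2], "demo", key)[0]
        results["pruned_today"] = prune_expired(dests[2], keep_days=7)
        results["pruned_in_8_days"] = prune_expired(dests[2], keep_days=7, now=time.time() + 8 * 86400)
    return results
```

Calling `demo()` runs the whole cycle on constructed data: all three copies pass the restore test, the trashed local copy fails on the archive hash, the NAS copy with a rewritten manifest fails on the signature, and the untouched offsite copy still restores, which is the point of keeping a copy the production network cannot write to. The manifest key must live somewhere the backup job can read but the backed-up systems cannot, for the same reason the encryption keys stay separate from the encrypted archives.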

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.