How to Craft the Perfect IT Backup Plan
Data protection and redundancy are likely nowhere near the top of your task list as you manage your medical practice. There are a host of priorities that are more to the forefront, with good reason: patient care, staffing, supplies, and daily operations. Yet, on a list of issues that could be most damaging to practice operations, loss or compromise of data is near the top!
Don’t Be A Statistic
It would be to your advantage to rethink the priority your practice places on data backups. The two main causes of data loss for healthcare companies are natural disasters and data breaches. If a practice is unprepared for those crises, it could result in major financial and operational consequences.
- In 2018, there were 108 natural catastrophes resulting in such loss in the US.
- Forbes quoted a study from the Federal Emergency Management Agency (FEMA) that found that 40% of businesses never reopened after a disaster and those that “lost their IT access and infrastructure for a minimum of 9 days after a disaster filed for bankruptcy within 1 year.”
Concerning breaches, the statistics are even more sobering:
- According to a recent study, 88 percent of all corporate ransomware attacks in 2016 were targeted at the healthcare industry.
- By October of this year, the total number of breached healthcare records in 2019 had passed the 38 million record mark. That number is equal to 11.64% of the population of the United States.
The damage inflicted on the victims of these breaches just continues to paint this grim picture:
- The average cost of a data breach to a single entity is $3.92 million as of 2019.
- It is estimated that by 2021 the loss of data and related failures will cost healthcare companies nearly $6 trillion. That number is double what it was in 2017. The referenced study states, “From a statistical point of view, it is the most significant transfer of wealth in human history.”
- A study from the Gartner Group further found that 43 percent of companies were immediately put out of business by a “major loss” of computer records, and another 51 percent went belly-up within two years following such a loss. That leaves only 6% of companies able to survive a major loss of data.
To ensure that your practice avoids being added to similar statistics, it is worth taking a step back from the daily grind and completing some quick, practical steps that can bring long-term peace of mind.
Whether you are recognizing the need for such measures for the first time or already have a system in place to back up your data and want to make sure it is the most secure and efficient possible, read on! No matter what happens to your data, it can be recovered and restored without catastrophic consequences to your practice or patients as long as you have a solid plan.
In the years that PEAKE Technology Partners has been helping healthcare companies improve their IT performance, we have developed a proven backup plan. That framework has been tried and tested, and is laid out for you below. Alternately, you can contact a PEAKE Solutions Engineer, and we can take you through this plan and partner with you in creating the perfect solution for your healthcare business.
Know Where You’ve Been
Before moving forward with implementing a new plan or making improvements to an existing one, you need to start by reviewing where you are now. Is your business’ data stored in one place, or does your practice currently use multiple methods to store your backup data? There are a range of methods practices can use to store data, which we will cover fully further down. This matters because, while where your data is located now will not necessarily preclude you from your method of choice moving forward, it will inform you and your IT team how to best make the transition to a better system.
Six Stops to Success
Now that you’ve looked at where you’ve been and where you are now when it comes to data and backup system integrity, you know you need to make a change. But where do you start? Below is our six-stop framework. Each category is a vital stop on the road to making up a complete backup plan. If you leave one out, you have a hole in the ship – when a storm comes, it’s going down. So take time and care to review the questions and think of what’s right and true for you and your practice; and if you find you don’t know all the answers, reach out to a consultant or MSP like PEAKE Technology Partners for assistance.
1. Retention: How long until old versions of backed up files are deleted?
For Line of Business (LOB) applications, where the application itself maintains an audit trail and backups within the database, two weeks is usually good enough. These types of applications might be, for example, an Electronic Health Records (EHR) or Enterprise Resource Planning (ERP) system. Every company has one or more of these systems that are unique to their industry, customized for their processes, and critical for day-to-day business operations.
These LOB applications often maintain all historical data inside the LOB application itself, and there is less need to keep old versions of the database around. For that reason, PEAKE evaluates retention needed on a case-by-case basis working together with the LOB application vendor to determine appropriate retention.
For file shares, one year is better – especially for items where you may find yourself looking for that thing that you know you did ages ago, but maybe someone deleted it, and “oh gosh!” you really don’t want to redo it.
2. Frequency: How often is the system backed up?
The system should be backed up nightly, at a minimum. Backups will need to be performed more frequently for business-critical systems such as an EHR. We recommend scheduling hourly backups for these crucial systems.
3. Automatic v. Manual: How is the backup initiated?
Manual backups = no backups. Any system that requires manual or human steps is bound to fall apart. This includes anything where you have to rotate tapes or drive your backups offsite. Stick with automatic backups.
4. Image v. File-Level: What type of backup software should be used?
There are two types of backup software: File-Level and Image-Level backup systems, and there are Pros and Cons to each.
File-Level software checks for new versions of files and backs up a copy. The pros of this type are that the software is cheaper than the alternative, requires fewer computer resources to run, and uses less storage space. The cons are that there is a significantly longer Disaster Recovery (DR) time. This does not back up the whole server! If the server crashes, you will need to first rebuild it from scratch, and then restore the files. Also, there is more room for human error. This only backs up the files you choose to back up. If you add a new folder and forget to add it to backups, you’re going to figure out your mistake too late. Also, with this type of backup software, you cannot reliably back up database-type applications where multiple files need to all stay in sync in order to avoid corruption. This includes EHR and finance applications, among others.
An Image-Level program checks for new bits on the server and captures a point-in-time backup of the entire server, including all data, OS, applications, and configurations. The pros are that this software has the ability to restore backups to different or new hardware, reliably backs up database-type applications, leaves less room for human error as the entire server is backed up automatically, and boasts a rapid DR time. The speed of that recovery enables a practice to restore the server to exactly how it was running before the issue occurred without the need to call up vendors and get anything reinstalled. The cons are that this type of backup software is more expensive, requires more computer resources, and uses more storage space.
5. Onsite or Offsite: What happens if your server room has a disaster from fire, flood, theft, or server corruption?
Offsite copies should include the most recent versions of your onsite backups. Don’t think about what you might really need in a disaster, just make sure that all your backups also have a copy available offsite. Additionally, an offsite backup location must be in a physically separate building (e.g. it can’t burn down in the same fire and won’t get hit by the same hurricane). It must also be segregated in terms of network access and permissions. Cryptoviruses and ransomware actively seek to destroy backups. Make sure they can’t reach your offsites by using narrowly scoped permissions, unique passwords for offsites, and firewall rules to limit what can reach the offsite network. Lastly, consider where you restore to if your server infrastructure is destroyed. Have a plan for procuring new hardware, leveraging Cloud computing, or having a “warm” offsite server room.
6. Recovery Times: How quickly do you need to be able to restore your data?
Consider your ideal recovery time in the following scenarios.
- Deleted file on a fileshare?
- Corrupted database or crashed server?
- Complete disaster (fire, flood, theft, ransomware) in the server room?
Remember, quicker recovery = more expensive.
Take it for a Test Drive
That’s it. Once you’ve used the above questions to artfully and thoughtfully craft the perfect plan for your practice’s data backups, you need to test it out in non-crisis situations. You never want the first time you are trying a new plan or strategy to be when you are in the middle of a storm. When trying it out, here are some things to remember:
Have a written plan for recovery. A disaster is a high-pressure situation that can cause panic and mistakes. A written script for recovery reduces mistakes.
Test the various recovery scenarios. In addition to making sure your backups are valid and work, make sure the time it takes is within your recovery time targets.
Learn from the test. Do not be afraid to review your plan after your testing is completed and adjust your backup infrastructure and written plan as needed.
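An added example, not part of the original article or PEAKE's own tooling: a small audit that checks a backup catalog against the plan above (frequency, offsite copy, retention, and a tested recovery time). The catalog format, the function name `audit`, and the recovery-time targets are assumptions; the interval and retention values are the ones the article recommends.

```python
from datetime import datetime, timedelta

# Interval and retention values come from the article: hourly for an EHR,
# nightly for file shares; two weeks for LOB apps, one year for file shares.
# Recovery targets (rto) are assumptions; the article leaves them to you.
POLICY = {
    "ehr": {"interval": timedelta(hours=1), "retention": timedelta(days=14),
            "rto": timedelta(hours=4)},
    "fileshare": {"interval": timedelta(days=1), "retention": timedelta(days=365),
                  "rto": timedelta(hours=24)},
}

def audit(system, backups, restore_test, now):
    """Return findings for one system; an empty list means it passes.
    backups: list of {"taken": datetime, "offsite": bool} restore points.
    restore_test: duration of the last restore drill, or None if never run.
    """
    rule, findings = POLICY[system], []
    if not backups:
        return ["no backups exist"]
    points = sorted(backups, key=lambda b: b["taken"])
    newest, oldest = points[-1], points[0]
    # Frequency: the newest restore point may not be older than one interval.
    if now - newest["taken"] > rule["interval"]:
        findings.append("newest backup is older than the backup interval")
    # Offsite: the most recent onsite version must also exist offsite.
    if not newest["offsite"]:
        findings.append("newest backup has no offsite copy")
    # Retention: the oldest restore point should reach back the full window.
    if now - oldest["taken"] < rule["retention"]:
        findings.append("oldest restore point does not cover the retention window")
    # Recovery time: an untested or too-slow restore is a finding.
    if restore_test is None:
        findings.append("restore has never been tested")
    elif restore_test > rule["rto"]:
        findings.append("last restore test exceeded the recovery time target")
    return findings

# Constructed sample catalog (not real data).
NOW = datetime(2024, 1, 15, 12, 0)
EHR = [{"taken": NOW - timedelta(days=14, hours=1), "offsite": True},
       {"taken": NOW - timedelta(minutes=30), "offsite": True}]
SHARE = [{"taken": NOW - timedelta(days=90), "offsite": True},
         {"taken": NOW - timedelta(days=3), "offsite": False}]

if __name__ == "__main__":
    print(audit("ehr", EHR, timedelta(hours=2), NOW))
    print(audit("fileshare", SHARE, None, NOW))
```

A system that has been backed up for less time than its retention window will report the retention finding until enough history accumulates.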
For more information on IT efficiency for your medical practice, visit peaketechnology.com or call us at 866.37.PEAKE. Our team of Healthcare IT experts have perfected the PEAKE process to ensure our clients maintain seamless support from their technology and reliable technical support from our helpdesk.
About the Author
Alex Cotsalas is the Director of Professional Services at PEAKE Technology Partners supervising the escalation Service Desk team and all project implementations. In his spare time, Alex enjoys mowing his lawn or hanging up Christmas lights, depending on the weather.