As the speaker for TechTarget's Next-Gen Backup School, one thing I've learned is that many organizations need
to modernize their backups, but aren't quite sure how to go about doing so. That being the case, I wanted to take this opportunity to talk about data backup modernization in a health care environment.
Learn more about data backup solutions
Choosing among data backup solutions for health care
Considerations for cloud data backup in health care
Creating a HIPAA compliant data backup in the cloud
When you are shopping for a backup solution, the most important question to ask yourself is how much data you can afford to lose. When I ask people this question, the answer is almost always that the particular organization doesn't want to lose any data. While there are backup solutions that guarantee zero data loss, such solutions can be extremely expensive. Therefore, you will most likely have to strike a balance between your recovery goals and your budget.
Another consideration that must be taken into account is the HIPAA mandate. HIPAA requires organizations to formulate a data backup plan and a disaster recovery plan. These requirements are somewhat vague. The actual text is:
- Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
- Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
So essentially, HIPAA requires health care organizations to create and maintain data backups and to be able to restore any loss of data. One of the backup solutions best suited to meet these requirements is Continuous Data Protection (CDP).
Through CDP, data is backed up throughout the day rather than running a nightly backup. This approach offers many benefits including more timely protection of your data. For example, if you run a nightly backup that completes each morning at 5:00 AM and you have a failure at 4:00 PM then any data that has been created or modified since the time that the last backup was created is potentially lost. With a CDP solution the amount of data that is lost in a failure is greatly reduced because backups occur on an ongoing basis rather than once each night.
Two main flavors of continuous data protection
Synchronous CDP solutions are designed for zero data loss, but tend to be extremely expensive. Synchronous solutions actually write data to the backup before the data is written to the organization's primary data storage (database, file server, etc.). That way, if a failure did occur, any data existing within the organization's primary storage is guaranteed to have already been backed up.
Most CDP solutions are asynchronous. Asynchronous CDP solutions do not back up data in real time. Instead, data is synchronized to the backup server on a periodic basis. The actual frequency of these synchronizations varies from product to product, but fifteen minute intervals are common.
Another consideration that must be taken into account is the recoverability of your data in the event of a major disaster. Not only does HIPAA require you to be able to recover all of your data in the event of an emergency, but organizations also are required to create an operation plan that enables the continuation of critical business processes while operating in emergency mode. In other words, health care organizations must be able to continue to service patients even if their primary facility is destroyed.
So essentially, HIPAA requires organizations to create and maintain data backups and to be able to restore any loss of data.
The only way to guarantee that you will be able to adhere to these requirements is to store your backups offsite. Of course off-site backup storage presents a number of challenges of its own.
Choosing a backup solution that fits your organization's needs
Many CDP solutions are designed to give you the ability to create and maintain on-premise backups, while also storing backup copies off-site. The most common approach involves periodically copying the contents of a CDP server to tape and then shipping the tape off-site. However, making tape backups and shipping tapes off site is a manual process and it could mean that your off-premise backups are not as up to date as your on-premise backups.
Another option for coping with this challenge is to implement a disk-to-disk-to-cloud solution. There are many different types of disk-to-disk-to-cloud solutions available, but the basic idea is that your backup server stores backups locally, but also uploads your backups to the cloud for safe keeping.
Another option is to use disk-to-disk-to-disk. This approach uses one CDP server to protect another. In other words, you can create a backup of your backup server. In order to be an effective safeguard against a major disaster, the secondary CDP server would need to be located in an alternate data center, preferably far away.
Backups are not a one-size-fits-all solution, so it is important to pick the backup solution that best fits your organization's own unique requirements. Fortunately, the HIPAA requirements are intentionally vague. HIPAA only requires that you are able to create and restore backups, but leaves the actual logistics up to each individual health care organization.
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. Write to him at email@example.com contact @SearchHealthIT on Twitter.