Like most regulations, HIPAA doesn't take technology into account, but instead mandates general principles. That means health care providers are on their own in devising HIPAA-compliant backups that will accommodate the increasing complexity of the mixed physical and virtual server environments used for storing patient data.
Developing plans for virtual server backup is another uncertainty, as the health IT world awaits the HIPAA omnibus rule, which outlines how federal regulators plan to enforce new health data privacy and security standards. That rule has been sitting at the Office of Management and Budget (OMB) since March, the typically quick review process having been given a few extensions.
More on virtual server backup
Prescription for health care: Virtualization technology
Choosing data backup options for health IT
Join the virtualization discussion on Health IT Exchange
The HHS Office of Civil Rights (OCR), the rule's author, has yet to reveal which specific pieces of HIPAA's 2009 congressional makeover will take priority, but HIT leaders know that provisions of the law call for backup, disaster recovery (DR) and data access plans. Furthermore, federal inspections of those plans are part of OCR's proposed HIPAA audit criteria.
Preparing for audit compliance should be on IT managers' radars now. Virtual server backup can be thorny on its own, let alone backing up a mix of virtual and physical data to one set of hard drives and tape, said Scott Gould, senior network and systems analyst for the nonprofit Gynecological Oncology Group (GOG), whose data center aggregates de-identified patient files from clinical cancer trials at about 700 locations ranging from solo docs to 20-physician practices.
Gould's story probably sounds familiar to many health care CIOs: GOG's plan is to become more and more virtualized eventually, as legacy software and hardware age out of its networks. For now, however, its network is a mixed bag of virtual and physical servers -- and will remain so for some time to come.
One crucial feature you should make sure a backup system includes is the ability to restore or convert a backed-up physical server to a virtual machine within the backup software.
"We're approximately 80% virtualized now, and we do have the mentality of 'virtualize first, and justify why you can't afterwards,'" Gould said. "That's got us to the point where about 40 of our 50 production servers are virtualized. That percentage will creep up with the next iteration of several legacy systems that currently don't support virtualization but the next generation will." The goal is to get everything except Active Directory and the domain name system, or DNS, virtualized, which would add up to 90% virtualization, he said.
In those mixed environments it can be tough to automate backups, however, and after a problem takes down a server, a mixed environment can complicate and prolong recovery efforts. In fact, GOG chose Symantec Backup Exec to solve numerous issues -- including having two backups of the same files, which wasted time and created storage bloat -- that were caused by running physical and virtual server data in one backup.
Since GOG implemented the program in spring 2011, once-a-day backups take less time and less than half the storage space they would have under the previous system, thanks to Backup Exec's deduplication features, Gould said. The software accommodates the system of hard drive backup coupled with tape backup for off-site storage, the latter of which is rotated once per week. The routine is streamlined compared to the previous system, so restoration of either single files or whole servers is much faster, too, he said.
For other small and medium-sized health care providers looking to upgrade their backup systems as HIPAA enforcement, meaningful use programs or virtualization initiatives drive the expansion of their networks, Gould offered some tips for paring down the list of vendors, regardless of which product they ultimately purchase:
- Be prepared to invest as well in the fastest, most reliable CPU power to run the machines, as well as disk storage that's as high-performing as possible, to go with the backup software application at the same time.
- Consider disk-based media -- instead of tape -- for your first line of defense for a HIPAA-compliant DR system. Disk-based media is more reliable and faster than tape, Gould points out, and it will do a better job of keeping a health care system's data available, especially when the network is a complicated mix of virtualized and physical data.
- One crucial feature you should make sure a backup system includes is the ability to restore or convert a backed-up physical server to a virtual machine within the backup software.
"I think that's something that can drop your DR window substantially, and that's a feature we utilize in our DR plan now," Gould said. "The few of the systems that are physical right now, we would plan on bringing them up in a virtualized configuration as a part of a DR scenario."