Protect Computerized Data With Off-Site Backups

The electronic patient record movement is gaining more momentum because of Katrina. Kindred Healthcare, which uses an electronic record system, lost no records and gained considerable positive press as a result. While electronic records can be safer and more secure, implementing an electronic record system requires planning and action on the part of an organization’s administration well before a disaster strikes.

With an electronic record system, all resident records are stored in a single, compact, centralized database, which allows fast and easy access to all records from virtually any location in the organization-the benefits of which are well known. But by concentrating all records in a single location, risk of loss is increased: If that centralized database is damaged, all the records can be lost, and a Katrina-like disaster is not necessary-it could be as simple as a defective hard drive, a leaky pipe, or a careless computer technician.

Imagine the impact on a long-term care facility of losing all its resident’s records. Even without computerized care documentation, how many facilities could survive losing all of their computerized financial information, including accounts receivable, unbilled claims, personnel records, and payroll processing capabilities?

Off-Site Backups-The Final Line of Defense
Katrina’s first lesson for healthcare information technology managers is to geographically diversify one’s data. Kindred’s records were safe not because they were electronic, but because they were in Louisville, Kentucky, which was a by-product of the records being electronic (if the Kindred corporate data center had happened to be in New Orleans instead of Louisville, the story may have been very different). Unfortunately, the many Gulf Coast hospitals, long-term care facilities, and physician offices that kept their computer backups in the same room-or even the same city-as their main servers found these backups provided them with no added protection.

Off-site backups of computerized data are an organization’s ultimate “fail-safe” protection against catastrophic data loss, but to fulfill that role, off-site backups need to be managed correctly. An effective off-site backup procedure incorporates four characteristics: distance, frequency, security, and accessibility.

Distance. The point of off-site backups is to prevent all copies of an organization’s data from being destroyed in a single catastrophic event. Thus, the more distance between the various copies (that is, the “live” system and each backup copy), the lower the risk. Apply this principle to all backups-store daily backups down the hallway from the server room, or in the building next door. Better yet, divide them between two locations. Then, significantly separate the fail-safe off-site backups from the main server location. Five miles should be the minimum.

But more important than distance is selecting a location that is not subject to the same risks as the main data center location. Before Katrina, the Tulane University Medical Center stored its off-site backups elsewhere in New Orleans but, after the hurricane hit, it was unable to access them when needed-the building was locked up and inaccessible.

Frequency. If an organization’s off-site backups were ever needed to restore its systems, the organization would lose all of the data entered into the systems between the time that the off-site backups were created and the time of the catastrophic event. Clearly, the more frequently backups are sent off-site, the lower the data loss risk. A common off-site backup rotation cycle is a week, and this should be the minimum-losing a week of data would hurt most organizations, but would not be devastating.

Security. All healthcare providers are required to provide proper security for all copies of individually identifiable health information regardless of the media used to hold it or the location in which it is stored. This includes backup copies of computerized data that contain individually identifiable health information. Thus, backup data must be transported securely-ideally, in locked cases and by a bonded courier. Verify the physical security of the backup storage location. Could an unauthorized person gain access to stored backups and leave the building with them? What systems and procedures are in place to prevent this? If a commercial records storage company (or any location not owned or controlled by the organization storing the backups) is used to store off-site backups, it is prudent to execute a HIPAA business associate agreement with the entity responsible for the storage location. To further improve security of backup data, use software that encrypts and password-protects backups.

A simple but often overlooked practice to improve the security of backup data is maintaining up-to-date logs of where all backup copies are located. Such a log will provide a quick alert to missing or misplaced backup copies.

Accessibility. While it is important that off-site backups be secured against unauthorized access, backups need to be available quickly when validly needed. When selecting an off-site storage location, explore all aspects of accessibility: What is the procedure for requesting and obtaining the off-site backups? How rapidly can backups be retrieved when requested? Does access vary by time of day? What if the off-site backups are needed at 3:00 a.m. on a Sunday?

Accessibility considerations must include the ability to make use of off-site backups once they are obtained. If the computer equipment in the data center was inaccessible, damaged, or destroyed, is a computer available elsewhere in the organization that could be used as a temporary server to host the data from the off-site backups? Does this computer have the necessary equipment and software to read the off-site backups? A best practice is to store the necessary device (e.g., tape drive) and software with the off-site backups.

Online Backups
It is difficult to find a balance between security and distance and between accessibility and exchange frequency, which also minimizes the organization’s risk, all at a reasonable cost. Online backup services are an increasing popular alternative that minimizes these conflicts.

With an online backup service, backups are sent over the Internet to a secure, remote data center. If a system needs to be restored, the backup is downloaded via the Internet from the remote data center. Since there are no tapes or disks to be physically transported off-site, backups can be sent off-site every day (some services even offer continuous synchronization with their customers’ servers). The cost of such a service is competitive with commercial record storage firms’ storage charges and even comparable with the cost of internal staff time to prepare and transport traditional off-site backups.

Before signing up with an online backup service, due diligence is required since the online service will have custody of the organization’s most critical data. In addition to checking with current customers and the other usual investigative questions, ask the following:

• Where is the company located?
• Is the backup data encrypted while being transmitted across the Internet? Is it encrypted while stored at the backup service?
• What physical, logical, and administrative security practices are used by the backup service to protect customer data?
• Will the firm execute a HIPAA business associate agreement?
• Is the firm’s data center and data storage infrastructure sufficiently robust?
• In addition to the monthly fee, what additional charges might be incurred?

For most long-term care facilities, the only significant drawback to online backups is the Internet bandwidth required to send backup data to the service. Some testing and calculating will be necessary to determine if a facility’s current Internet service will be sufficient, or if the cost of additional bandwidth will need to be factored into the decision.

Beyond-or Before-Backups
Off-site backups are a necessary fail-safe measure to protect computerized data from the worst-case scenarios. But the use of backups should be avoided, if at all possible, by preventing information technology disasters. Since most information technology catastrophes are created by minor events (compared with Katrina), they can often be prevented. Thus, in addition to off-site backup storage, the following measures should also be in place to protect computerized data from more run-of-the-mill tragedies and disasters:

• Protect all Internet connections and connections to unrelated organizations with firewalls.
• Adhere to good security practices, as outlined in the HIPAA Security Regulations.
• Maintain organized, up-to-date system documentation.
• Use reliable server hardware with as much built-in redundancy as possible.
• Protect servers, routers, switches, and telephone systems from power failures with uninterruptible power supplies (UPS) and, if available, emergency generators.
• Place servers and other critical computer equipment in locations with excellent air flow and cooling, and minimal chance
  of water damage from flooding, leaky pipes, etc.

“Many of their records have been literally washed away,” notes Carol Diamond, MD, MPH, of the Markle Foundation, referring to patient records lost in Katrina. For years to come, patients and providers will be plagued by the loss of information in Hurricane Katrina. The time to safeguard organizational and resident information is now, before a major disaster-or a simple mishap-puts it at risk.