HIPAA: Check your Backup and Restore Solution
Despite the huge damage of a data breach in terms of cost, reputation, and business losses, backup and recovery systems are currently in use at only 45% of surveyed healthcare organizations, and more than 38% are not planning to use backup and recovery systems at all.
Why put yourself and your organization under the looming stress and liability of a PHI data breach? A HIPAA-compliant backup and restore solution can ensure your complete compliance and eliminate worry over data loss (not to mention saving you from costly fines and negative press).
HIPAA puts the backup and restore accountability squarely on Covered Entities. According to HIPAA Rules, covered entities “must securely back up retrievable exact copies of electronic protected health information” and must be able to fully “restore any loss of data.” The Security Rule mandates that the backup should be frequent, encrypted, tested and stored offsite.
Furthermore, most CSPs recommend implementing a third-party backup solution to augment the protection they’re able to provide. Google support tells its users, “For non-email data recovery solutions, please consult the Google Apps Marketplace, where one of our partners may have a solution suitable for your needs.” And Salesforce says, “We recommend that you use a partner backup solution that can be found on the AppExchange.”
How do you pick the right Backup and Restore solution? Here’s a list of HIPAA must-haves for e-PHI backup and restore.
HIPAA Check #1 Offsite Storage -> Cloud-to-cloud SaaS model
Choosing a cloud-to-cloud backup provider allows you to continue enjoying the cost-saving benefits that drew you to adopt SaaS applications. Instead of managing backups on-premises, an extremely time-consuming and error-prone activity, consider a cloud-based backup solution. They allow you to save time and money while managing backups effectively and allowing your IT team to focus on strategic endeavors.
HIPAA Check #2 Regular Backups -> Support for Automated and on-demand Backups
Automated backups allow you to “set it and forget it” as your backups will run automatically each day. On-demand backups enable manual backups to support data protection before major database or organizational changes are made.
HIPAA Check #3 100% Restore -> Fast and accurate recovery
We’ve outlined the huge costs of e-PHI data loss. Combine that with HIPAA compliance risk and related fines, and you have a perfect financial storm – unless fast and accurate data recovery is part of your evaluation process. Look for a backup and restore solution that can get your data back from any point in time in just a matter of clicks.
HIPAA Check #4 Audit Support -> Auditability and Immutability
HIPAA compliance requires that you ensure changes to e-PHI are auditable, and that there is an immutable record of data at a backup point in time.
HIPAA Check #5 Encrypt or Destroy -> Data encryption at rest and in transit
HIPAA says that data being transmitted must be encrypted and data at rest must either be encrypted or destroyed. This ensures the privacy and security of e-PHI with robust encryption.
HIPAA Check #6 Third-Party Compliance -> SOC 2 and HIPAA compliance
Every link in the chain related to e-PHI should be HIPAA-compliant and highly secure; and that extends to third-party vendors providing backup solutions.
- Understand the implications of HIPAA on e-PHI
- Identify potential gaps in native data protection by cloud providers
- Overcome these gaps to keep your organization HIPAA compliant