7 Questions to Ask Your Development Partner About Healthcare Data Backup and Recovery

More than 600 US healthcare organizations and 18 million patient records were affected by ransomware in 2020, at an estimated cost of around $21 billion. Losses of this scale are a signal for healthcare facilities to strengthen their data backup and recovery processes so that they can avoid downtime and return to normal operations as fast as possible after an attack or any other disaster.

To put a robust data backup and recovery plan in place for a healthcare organization, get clarity on the how, what, and why of the backup and recovery process by working through the answers to seven common yet essential questions. Here are the questions about healthcare data backup and recovery that you need to ask your development partner.

1. Where are the Backup Copies of Data Stored?

Storage options consist of either cloud or on-premise storage. Each option has its own pros and cons.

In on-premise storage, data is stored on local hardware such as computers, servers, or other such devices. The healthcare facility is responsible for both the expenditure on and the maintenance of the storage hardware.

On-premise storage can keep data offline and away from attackers, who prefer remote access for convenience, which helps deter cyberattacks. This type of storage can be used without an internet connection, so it doesn’t hamper productivity, and it saves internet costs.

However, on-premise storage requires high maintenance, which increases costs, and it is difficult to scale, since new hardware must be installed to add capacity. With cloud storage, on the other hand, there is no need to buy or maintain hardware, as the storage is managed externally.

Cloud computing in healthcare comes with a subscription model that allows organizations to pick what they need and pay for what they use. Furthermore, the cloud makes data backup seamless by automating it; however, cloud storage can spiral out of control when it comes to scaling.

2. What is the Schedule/Frequency of Healthcare Data Backup?

The more essential the data, the more frequently a healthcare organization needs to back it up, and the more important it is to keep backups at several secure locations. HIPAA regulations include criteria for data backup and recovery, referred to as the data backup plan and the retention period, which cover administrative, technical, and physical safeguards.

HIPAA rules require the service provider or hospital facility to put in place a full backup schedule for the whole healthcare organization that covers patient data and all systems that handle ePHI.

A healthcare organization developing a healthcare application is required to back up data daily and maintain weekly, monthly, and annual archives. This data is stored on physical media (tape or disk) or in cloud solutions, and is encrypted for further protection.

Consider automating the backup process by scheduling periodic backups that run at set intervals. A common recommendation is a daily backup at midnight and a weekly backup on Fridays at midnight.
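The schedule and the daily/weekly/monthly/annual archives described above only work if the retention side is automated too: something has to decide which copies are kept under which tier and which are safe to expire. The following grandfather-father-son retention classifier is an added example, not code from the original article or from Arkenea. The input (one backup per day from 2020-01-01 to 2021-03-31) and the retention windows (7 dailies, 5 Friday weeklies, 12 monthlies, annuals kept indefinitely) are constructed assumptions; the two schedules the article recommends correspond to the cron expressions `0 0 * * *` and `0 0 * * 5`.

```python
"""Grandfather-father-son retention for daily healthcare backups.

Added example, not code from the original article. It assumes a constructed
list of daily backup dates and an assumed policy: every daily backup is kept
for 7 days, the Friday-midnight weekly backup for 5 weeks, the first backup of
each month for 12 months, and the first backup of each year indefinitely.
The two schedules the article recommends correspond to the cron expressions
"0 0 * * *" (daily at midnight) and "0 0 * * 5" (Fridays at midnight).
"""
from datetime import date, timedelta

DAILY_KEEP_DAYS = 7        # assumed retention windows
WEEKLY_KEEP_WEEKS = 5
MONTHLY_KEEP_MONTHS = 12
FRIDAY = 4                 # date.weekday(): Monday == 0 ... Friday == 4


def months_between(earlier, later):
    """Whole calendar months from `earlier` to `later` (day of month ignored)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def classify(backups, today):
    """Return {tier: set of backup dates} retained under each archive tier."""
    kept = {"daily": set(), "weekly": set(), "monthly": set(), "annual": set()}
    first_of_month, first_of_year = {}, {}
    for d in sorted(set(backups)):
        first_of_month.setdefault((d.year, d.month), d)
        first_of_year.setdefault(d.year, d)
    for d in set(backups):
        age_days = (today - d).days
        if age_days < 0:
            continue  # ignore future-dated (probably mislabelled) backups
        if age_days < DAILY_KEEP_DAYS:
            kept["daily"].add(d)
        if d.weekday() == FRIDAY and age_days < WEEKLY_KEEP_WEEKS * 7:
            kept["weekly"].add(d)
        if (first_of_month[(d.year, d.month)] == d
                and months_between(d, today) < MONTHLY_KEEP_MONTHS):
            kept["monthly"].add(d)
        if first_of_year[d.year] == d:
            kept["annual"].add(d)
    return kept


def prune_candidates(backups, today):
    """Backups covered by no tier; these are the ones safe to expire."""
    kept = classify(backups, today)
    retained = set().union(*kept.values())
    return sorted(d for d in set(backups) if d not in retained)


def daily_range(start, end):
    """One backup per day from start to end inclusive."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


def demo_backups():
    """Constructed input: daily backups from 2020-01-01 up to 'today', 2021-03-31."""
    today = date(2021, 3, 31)
    return daily_range(date(2020, 1, 1), today), today


if __name__ == "__main__":
    backups, today = demo_backups()
    for tier, dates in classify(backups, today).items():
        print(f"{tier:8s} {len(dates):3d} kept, oldest {min(dates)}")
    print(f"{len(prune_candidates(backups, today))} backups eligible for expiry")
```

Because a date can qualify for more than one tier (the most recent Friday is both a daily and a weekly; the first backup of January is both a monthly and an annual), expiry must be computed against the union of all tiers, never tier by tier.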

Arkenea has over 11 years of experience in developing healthcare applications. Get in touch with us today for a free consultation and quote.

3. Does Backup Have a Backup Plan?

Consider implementing at least three backup plans to cope with adverse situations. The three types of backup usually used are full, differential, and incremental. In a full backup, all of the selected data is cloned: folders, files, hard drives, SaaS applications, and more. A differential backup contains the data that was changed or created since the last full backup.

Lastly, an incremental backup contains only the alterations and additions since the most recent incremental backup, so it holds no duplicate files. Further, it’s recommended to follow the 3-2-1 backup strategy: 3 copies of the data (1 primary and 2 backups), on 2 types of storage media, with 1 copy kept off-site.
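The practical difference between the three backup types shows up at restore time: a differential restore needs the last full backup plus one differential, while an incremental restore needs the full backup plus every incremental in the chain, and a missing link silently produces stale data. The simulation below is an added example, not code from the original article or from Arkenea. File paths, contents, the three-day change sequence and the copy inventory for the 3-2-1 check are all constructed; a "backup" is an in-memory dict, and file deletions are deliberately not modelled.

```python
"""Full, differential and incremental backups on a toy file set, plus a
3-2-1 check. Added example, not code from the original article. The file
contents, paths and copy inventory are constructed; a 'backup' here is an
in-memory dict, and deletions are not modelled.
"""
import hashlib


def fingerprint(content: bytes) -> str:
    """Content hash used to decide whether a file changed."""
    return hashlib.sha256(content).hexdigest()


def snapshot(files):
    """Map path -> content hash for the current state of the data set."""
    return {path: fingerprint(data) for path, data in files.items()}


def changed_since(current_snap, baseline_snap):
    """Paths that are new or modified relative to a baseline snapshot."""
    return [p for p, h in current_snap.items() if baseline_snap.get(p) != h]


def full_backup(files):
    """Copy everything; this is the baseline the other two types refer to."""
    return {"kind": "full", "files": dict(files), "snap": snapshot(files)}


def differential_backup(files, last_full):
    """Everything changed since the last FULL backup (grows day by day)."""
    snap = snapshot(files)
    delta = changed_since(snap, last_full["snap"])
    return {"kind": "differential", "files": {p: files[p] for p in delta}, "snap": snap}


def incremental_backup(files, previous):
    """Only what changed since the PREVIOUS backup of any kind (smallest)."""
    snap = snapshot(files)
    delta = changed_since(snap, previous["snap"])
    return {"kind": "incremental", "files": {p: files[p] for p in delta}, "snap": snap}


def restore(chain):
    """Replay backups oldest-first; later copies overwrite earlier ones."""
    state = {}
    for backup in chain:
        state.update(backup["files"])
    return state


def satisfies_3_2_1(copies):
    """3 copies, on 2 kinds of media, at least 1 of them off-site."""
    media = {c["media"] for c in copies}
    return len(copies) >= 3 and len(media) >= 2 and any(c["offsite"] for c in copies)


def simulate_three_days():
    """Constructed data set changing over three days. Returns what each
    backup type captured and whether each restore path rebuilds day 2."""
    day0 = {"ehr/pt-1001.json": b"v1", "ehr/pt-1002.json": b"v1", "audit.log": b"l1"}
    full = full_backup(day0)
    day1 = {**day0, "ehr/pt-1001.json": b"v2", "audit.log": b"l2"}  # two files edited
    inc1 = incremental_backup(day1, full)
    day2 = {**day1, "ehr/pt-1003.json": b"v1"}                        # one file added
    inc2 = incremental_backup(day2, inc1)
    diff2 = differential_backup(day2, full)
    return {
        "inc1": sorted(inc1["files"]),
        "inc2": sorted(inc2["files"]),
        "diff2": sorted(diff2["files"]),
        "incremental_restore_ok": restore([full, inc1, inc2]) == day2,
        "differential_restore_ok": restore([full, diff2]) == day2,
        # Losing inc1 from the chain leaves pt-1001 and audit.log at day-0 content.
        "broken_chain_ok": restore([full, inc2]) == day2,
    }


if __name__ == "__main__":
    for k, v in simulate_three_days().items():
        print(f"{k}: {v}")
    # Constructed inventory: two disk copies on site, one tape copy off site.
    copies = [{"media": "disk", "offsite": False}, {"media": "disk", "offsite": False},
              {"media": "tape", "offsite": True}]
    print("3-2-1 satisfied:", satisfies_3_2_1(copies))
```

The `broken_chain_ok` result is the point to test for in a real recovery drill: an incremental chain with one missing member restores without error but returns old data, so recovery procedures should verify restored content (here via hashes), not just that the restore completed.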

4. Who Will be Responsible For Backing Up Data?

Healthcare organizations are required to back up ePHI, administrative information, and other relevant data; however, manual backups are time-consuming, expensive, and resource-intensive, especially for staff juggling many tasks throughout the day. In this situation, it’s recommended to hand over complete responsibility for data backup and recovery to a third-party vendor.

That said, even when a third-party vendor is responsible for managing data backup and recovery, make sure they are backing up systems frequently and check whether the vendor follows data protection and compliance practices. Furthermore, all staff members can be trained in data backup and recovery so that they take responsibility for the data they generate.

5. How Can the Development Team Ensure Compliance?

Technologies evolve continuously; however, the development team can ensure that the fundamental principles and rules mandated by HIPAA compliance remain in place. These include –

1. Data encryption

2. Scanning for security vulnerabilities

3. Ensuring appropriate access controls

The development team can review code for vulnerabilities periodically, and the SDLC (Software Development Life Cycle) it follows ensures that the software encrypts data and provides the essential access controls.

Furthermore, the development team can ensure compliance by using compliance as code, meaning automated tools that check code so that compliance is built into development. By implementing compliance checks, policies, and auditing during development, compliance is no longer a burden that development teams need to tackle all the time.

Ensure compliance by covering the following points –

1. Define compliance rules, policies, and control workflows.

2. Review in-house development team controls such as developer access rights and peer reviews.

3. Create and configure the compliance checks as code in the CI/CD pipeline.

6. How to Ensure Security of ePHI?

There are several ways in which ePHI can be breached because of its complex lifecycle. Healthcare data (ePHI especially) isn’t static: it flows among many stakeholders and travels across touchpoints where it is shared, collected, stored, updated, and more. The third-party vendor is also involved in the data lifecycle.

To ensure complete security of ePHI, identify the appropriate preventive measures and apply the effective ones across the ePHI lifecycle. Use data governance and visibility tooling to understand and map where ePHI lives and how it moves. Once you have analyzed how the ePHI fits together and flows, it is easier to protect.

Furthermore, consider implementing policy-based access controls, and use risk-based and second-factor authentication. Apply a ‘least privilege’ policy when securing ePHI in healthcare facilities. Security and data audits are holistic measures for protecting data, as logs can pinpoint security problems and provide intelligence to improve data governance.
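The three ideas in the paragraph above, policy-based access control, least privilege, and audit logs that can pinpoint problems, fit together in one small mechanism: every access decision is made against an explicit policy, every decision (allowed or denied) is logged, and the log is then mined for patterns that a correct-but-suspicious sequence of allowed accesses would produce. The code below is an added example, not code from the original article or from Arkenea. The roles, users, records, ward-scoping rule, the 10-minute window and the three-patient threshold are all constructed assumptions.

```python
"""Policy-based least-privilege access to ePHI with an audit log, plus a
simple detection over that log.

Added example, not code from the original article. Roles, users, records,
thresholds and the access sequence are all constructed and assumed.
"""
from collections import defaultdict

# Assumed policy: role -> set of (action, data_class) pairs it may perform.
ROLE_POLICY = {
    "attending_physician": {("read", "clinical"), ("write", "clinical")},
    "billing_clerk": {("read", "billing")},
    "backup_operator": {("read", "backup_archive"), ("write", "backup_archive")},
}

# Constructed users: name -> (role, ward the user is assigned to, or None).
USERS = {
    "dr_lee": ("attending_physician", "ward-3"),
    "clerk_ana": ("billing_clerk", None),
    "bkp_svc": ("backup_operator", None),
}

# Constructed records: id -> attributes the policy decides on.
RECORDS = {
    "rec-1": {"patient": "P-1001", "data_class": "clinical", "ward": "ward-3"},
    "rec-2": {"patient": "P-1002", "data_class": "clinical", "ward": "ward-7"},
    "rec-3": {"patient": "P-1001", "data_class": "billing", "ward": "ward-3"},
    "rec-4": {"patient": "P-1003", "data_class": "billing", "ward": "ward-2"},
    "rec-5": {"patient": "P-1004", "data_class": "billing", "ward": "ward-5"},
}


def authorize(user, action, record_id, ts, audit):
    """Decide by role policy plus a ward-scoping attribute; log every decision."""
    role, ward = USERS[user]
    rec = RECORDS[record_id]
    allowed = (action, rec["data_class"]) in ROLE_POLICY[role]
    # Clinical data is additionally scoped to the clinician's own ward.
    if allowed and rec["data_class"] == "clinical" and ward is not None:
        allowed = rec["ward"] == ward
    audit.append({"ts": ts, "user": user, "action": action, "record": record_id,
                  "patient": rec["patient"], "allowed": allowed})
    return allowed


def bulk_access_alerts(audit, window_s=600, threshold=3):
    """Flag users who read >= threshold distinct patients within window_s seconds.
    Denied attempts are excluded: the control already stopped them, and they are
    reported separately by denied_attempts()."""
    alerts = set()
    by_user = defaultdict(list)
    for e in audit:
        if e["allowed"] and e["action"] == "read":
            by_user[e["user"]].append((e["ts"], e["patient"]))
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            patients = {p for t, p in events[i:] if t - t0 <= window_s}
            if len(patients) >= threshold:
                alerts.add(user)
                break
    return sorted(alerts)


def denied_attempts(audit):
    """Every denied decision; each one is a policy violation worth reviewing."""
    return [e for e in audit if not e["allowed"]]


def demo():
    """Constructed access sequence (timestamps in seconds).
    Returns (decisions, denied entries, users flagged by the detector)."""
    audit = []
    decisions = [
        authorize("dr_lee", "read", "rec-1", 0, audit),        # own ward: allowed
        authorize("dr_lee", "read", "rec-2", 30, audit),       # other ward: denied
        authorize("dr_lee", "read", "rec-3", 60, audit),       # billing class: denied
        authorize("clerk_ana", "read", "rec-3", 100, audit),   # billing: allowed
        authorize("clerk_ana", "read", "rec-4", 130, audit),   # allowed
        authorize("clerk_ana", "read", "rec-5", 150, audit),   # allowed, 3rd patient in 50 s
        authorize("clerk_ana", "write", "rec-3", 160, audit),  # write not granted: denied
        authorize("bkp_svc", "read", "rec-1", 200, audit),     # backup role, clinical data: denied
    ]
    return decisions, denied_attempts(audit), bulk_access_alerts(audit)


if __name__ == "__main__":
    decisions, denied, alerts = demo()
    print("decisions:", decisions)
    print("denied:", [(e["user"], e["action"], e["record"]) for e in denied])
    print("bulk-access alerts:", alerts)
```

Two things the log gives that the access check alone does not: the denied attempts show where the policy is being probed or where a legitimate role is missing a grant, and the detector catches behaviour made up entirely of allowed requests, which no per-request check can see. Both depend on logging the denied decisions as well as the allowed ones.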

Reduce overhead by securely eliminating ePHI that is no longer needed, and back up frequently. It’s recommended to use backups that are ransomware-resistant. A fundamental facet of an ePHI protection strategy is training and awareness about security risks, scams, phishing, the consequences of password sharing, and more.

Looking for a healthcare software development company that adheres to HIPAA compliance and can provide quality integrations and functionality? Look no further: get in touch with Arkenea – a leading healthcare and software development company in the USA.



Author: Chaitali Avadhani
Chaitali has a master’s degree in journalism and currently writes about technology in healthcare for Arkenea. Expressing her thoughts and perspective through writing is one of her biggest assets so far. She defines herself as a curious person, as she is constantly looking for opportunities to upgrade herself professionally and personally. Outside the office she is actively engaged in fitness activities such as running, cycling, martial arts and trekking.