A data breach or data loss in the dental practice can be catastrophic unless your files and systems are backed up correctly.
In a previous article, we talked about dealing with a ransomware infection. HIPAA has numerous rules regarding ransomware; the most critical is that HHS treats ransomware that encrypts patient data as a presumed breach, and you must take appropriate steps to prevent it. However, the more pressing question for most offices remains: once your files are locked, how do you recover the data?
You can pay the ransom if you want (although law enforcement generally advises against it); in many cases the ransom is less than the cost of the lost time and productivity, and you will usually receive the decryption key. However, there is no guarantee: the key may never arrive, or it may not recover every file, and if that happens you'll need to restore from a good backup. The backup protocol you have will make or break this process. I highly recommend a two-pronged approach, with both a local backup and an online backup. Let's examine both.
The key factor with a local backup is how quickly you can recover when data is lost or the server goes down. Most backups are file-and-folder only: they back up the data but not the program files, settings, networking, and so on. If you had to restore a server, you'd need to get another server into the office (and your local Best Buy doesn't typically have servers on the shelf!), reinstall all the programs, reconfigure the entire network, download the data and then reboot everything: a multi-day process, at best.
Instead, what I would suggest is a disk "image." An image is a snapshot of the entire server: files, programs, settings, networking, everything. If you had to restore an image, you'd boot it as a virtual machine on spare hardware, and within minutes you're back up and running. It's the easiest and fastest way to recover from a server going down or a ransomware infection. Two caveats: keep several dated images rather than overwriting a single one, because an image taken after the infection is useless, and store the images where the server's everyday credentials cannot write to them, because ransomware will encrypt any backup it can reach.
However, this isn't enough. What if there is a fire? Theft? Flood? Having a great local backup won't help you if all the hardware is lost. HIPAA also requires that your backup be "retrievable," which in practice means a copy kept offsite. The cheapest option is external hard drives: you would encrypt them to meet HIPAA requirements and take the drive with that night's data home each evening. The problem is that, like any process requiring human intervention, it can break down in many ways: you could be backing up the wrong files, you may forget to bring the drive home, the drive can fill up, and so on.
Instead, most offices now use a cloud-based backup. The data is automatically sent offsite to a secure facility, it requires no intervention from the staff, and each run can be logged and easily tracked. Make sure the provider will sign a business associate agreement and that the data is encrypted both in transit and at rest.
It's also important to understand that HIPAA has other rules associated with backups. You must test and verify the backup on a regular basis, and, like all HIPAA rules, you must document your compliance. The easiest way to test your ability to recover? Turn off the server and see how long it takes before you're up and running (better still, schedule the test and restore the latest image to a spare machine, so that a failed test doesn't take the office down). It might be a surprise (and not the good kind) for many of you.
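The two failure modes above, backing up the wrong files and never testing the restore, are both caught by the same check: record a manifest of what was backed up, compare the restored copy against it, and write the outcome to a dated log that becomes your compliance record. The script below is an added example and not from the original article; it assumes a file-and-folder backup that mirrors the source tree, builds a constructed sample tree in a temporary directory, and treats the `restore_seconds` value as a hypothetical measured restore time.

```python
"""Verify a restored backup against a manifest and record the test.

Added example, not from the original article. Assumes the backup is a
mirror of the source tree; all paths and data below are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Return {relative_path: sha256} for every regular file under root."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))      # never restored
    extra = sorted(set(restored) - set(manifest))        # not in the backup
    modified = sorted(p for p in manifest
                      if p in restored and restored[p] != manifest[p])
    return {
        "ok": not (missing or modified),
        "files_expected": len(manifest),
        "missing": missing,
        "modified": modified,
        "extra": extra,
    }


def record_result(log_path: Path, result: dict, restore_seconds: float) -> dict:
    """Append a timestamped JSON line: this is the documentation HIPAA asks for."""
    entry = {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "restore_seconds": round(restore_seconds, 1),
        **result,
    }
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def demo() -> dict:
    """Constructed data: a tiny practice tree and a restore that lost one file
    and corrupted another. Returns both a clean and a damaged verification."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        restored = Path(tmp, "restored")
        for base in (src, restored):
            (base / "patients").mkdir(parents=True)
            (base / "patients" / "chart_0001.txt").write_text("constructed chart data")
            (base / "schedule.csv").write_text("constructed schedule")
        (src / "xrays.bin").write_bytes(b"\x00\x01\x02")                  # never reached the restore
        (restored / "schedule.csv").write_text("constructed schedule TRUNC")  # changed on restore

        manifest = build_manifest(src)                 # taken at backup time
        log = Path(tmp, "restore_tests.jsonl")
        return {
            "clean": verify_restore(manifest, src),
            # hypothetical 95 s wall-clock time for the restore test
            "damaged": record_result(log, verify_restore(manifest, restored), 95.0),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would generate the manifest as part of each nightly backup job, keep it with the offsite copy, and run the verification against a restore into a virtual machine on a fixed schedule; the JSON log, with its timestamps and restore times, is what you show an auditor.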
With all the ransomware and other ways that dental offices can lose data, there is no time like the present to re-evaluate your backup protocol to make sure you can recover quickly and are meeting current laws and regulations.