Faced with overburdened legacy systems, IT budget constraints, and relentless cyber security threats, many healthcare businesses are turning to cloud backup as an optimal way to securely and affordably protect electronic protected health information (ePHI) and other business-critical data. Cloud backup eliminates the need to manage daily pickup and storage of tapes and other physical media, ends vulnerabilities associated with media loss or theft, and offers the business continuity benefit of redundant, offsite storage.
But with more and more offerings in the marketplace, what cloud backup features are most important for the healthcare industry? This eGuide offers guidance to healthcare businesses on what to look for in a cloud backup service provider and what “red flags” to avoid.
Healthcare is turning to cloud backup for sensitive ePHI but, with so many offerings, what system should you be looking for and what red flags need to be avoided?
By Tim Hannibal, founder and CEO, VaultLogix
Backup Challenges for Healthcare Providers
As healthcare IT environments become increasingly complex and more files are digitized, many healthcare organizations face significant data protection challenges, particularly around ePHI. To mitigate risks to the business and its patients from human error, system failures, hackers, and natural disasters, a reliable, comprehensive backup/recovery solution is a cornerstone of any IT strategy in healthcare.
Whether contemplating an in-house or outsourced backup/recovery solution, or a combination of both, healthcare organizations must address the following pressing challenges.
Mobile device support
Clinicians and other staff are gaining major productivity advantages from anytime/anywhere access to data on laptops and tablets. But can they securely and consistently back up these diverse and proliferating mobile endpoints?
Complex, unreliable backup systems
Many healthcare IT environments currently rely on a mix of several backup systems across different parts of the infrastructure (e.g., tapes, optical media, external hard drives), which increases costs and reduces backup reliability and confidence. But can they verify that all sensitive data is being backed up and can be restored?
Growing variety of data
Healthcare organizations need backup/recovery plans that encompass procedures for all their systems, including databases, email servers, and virtual machines. But can backup solutions handle the great and growing variety of data in a reliable and automated manner?
Bandwidth/scalability
Data growth is of ubiquitous concern, especially in regulated industries like healthcare where compliance mandates can complicate retention requirements. Furthermore, healthcare environments can ill afford to compromise system performance due to slow backups “clogging the pipes.” How can organizations cost-effectively ensure long-term scalability for backing up exponentially expanding data volumes, without compromising the performance and reliability of business-critical applications?
HIPAA compliance
The new HIPAA Omnibus Rule introduces strict new guidelines that relate directly to data backup/recovery (see below). Are backup procedures in compliance with the new mandate?
IT security
The healthcare sector is disproportionately impacted by cybercrime, with 94 percent of healthcare organizations reporting one or more data breaches since 2010, and 45 percent reporting more than five significant breaches during that time. Will backup data be secure both in transmission and when “at rest” within the provider’s infrastructure?
How the HIPAA Omnibus Rule Impacts Cloud Backup
The US Department of Health and Human Services (HHS) Office for Civil Rights enforces compliance with the new HIPAA Omnibus Rule, which implements a number of provisions from the Health Information Technology for Economic and Clinical Health (HITECH) act. The new HIPAA rules went into effect on March 26, 2013 and organizations that maintain and/or transmit ePHI must now be in compliance.
The new rules usher in stronger patient privacy and security protections and an enhanced scope for enforcement. Compliance violations are likely to be costly: up to $1.5 million per year in fines, not to mention damage to image and patient trust.
As in previous versions of the HIPAA rule, covered entities and their business associates must:
- Ensure the confidentiality, integrity and availability of all ePHI that a covered entity creates, receives, maintains or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
- Ensure compliance by its workforce.
The above guidelines require a range of technical safeguards that relate to data protection, such as access controls, audit controls, and cyber security. Also included are contingency plans for disaster recovery that ensure patient data is still available after a primary data loss.
In addition, the new HIPAA Omnibus Rule mandates major changes that place a far greater compliance burden on cloud backup providers. In particular:
- Any company that receives, maintains or transmits ePHI – and that means any cloud backup provider that does business with healthcare clients – is now explicitly classified as a HIPAA business associate.
- Under the new rules, business associates are now directly accountable to the government for ePHI security breaches or non-compliance.
- Business associates are now responsible for notifying the covered entities they serve of any inappropriate disclosure of patient data, based on strict and objective standards around risk and harm.
What these changes mean, in short, is that any prospective cloud backup provider must be willing to sign a business associate agreement. If they’re not, scratch them from your list of prospects.
What to Look for in a Cloud Backup Solution
Following are some of the key capabilities that healthcare organizations should look for in a cloud backup solution.
Support for HIPAA compliance
It goes without saying that any cloud-based backup, archiving, and recovery procedures used in a healthcare environment must meet HIPAA mandates and the requirements of your business associate agreement, so that compliance is not compromised.
While some cloud backup vendors may state that they are “HIPAA compliant,” it is more meaningful for service providers to meet the SSAE 16 SOC 2 Type II standard. This independently audited attestation of controls and procedures related to security, availability, processing integrity and confidentiality/privacy is the “gold standard” for service providers. SOC 2 Type II certification encompasses HIPAA requirements for data protection and offers assurance that the proper safeguards are in place for your backup/recovery process to comply with HIPAA.
Dependability and ease of use
Healthcare companies want to focus on healthcare services, not IT services. A single, integrated interface for backup/recovery of diverse types of data across heterogeneous physical and virtual servers, laptops, and PCs is vital to backup efficiency and dependability.
Choose an end-to-end, highly automated solution that is easy to deploy and can protect your ePHI whether it’s on a server, a PC, or a physician’s laptop. The solution must likewise be easy to use, so that non-technical staff can back up and recover their own files, as well as easily verify that backups were successful.
Security
Particularly in regulated industries like healthcare, security concerns remain the number one stumbling block to adoption of cloud-based services, including cloud backup. In cloud backup scenarios, data is sent over the Internet to a hosted web server at a third-party site, where it then resides on storage devices.
To ensure HIPAA compliance, sensitive health data must be encrypted both in transit and wherever it resides offsite. Encrypting ePHI lessens the likelihood that it will be “viewed” or “acquired” for breach notification purposes. Ensure that prospective cloud backup providers offer 256-bit encryption end-to-end for all your data.
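The "end-to-end" part of the encryption requirement means the covered entity, not the provider, holds the key, so the provider stores only ciphertext. The following is an added example, not code from the original guide or from VaultLogix, showing what that looks like in practice: each backup object is sealed client-side with AES-256-GCM before upload, the object name is bound as authenticated data, and any bit flipped in storage or transit is rejected on restore rather than silently returned as corrupt ePHI. The key handling, object naming and sample record are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize is 32 bytes: AES-256, the "256-bit encryption" the guide calls for.
const keySize = 32

// EncryptForBackup seals plaintext under a key that never leaves the covered
// entity. The object name is bound as additional authenticated data so a
// ciphertext cannot be silently swapped into another object's slot.
// Output layout: nonce || ciphertext || GCM tag.
func EncryptForBackup(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce prefix.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// DecryptFromBackup reverses EncryptForBackup. Any modification of the blob,
// or a mismatch in objectName, fails authentication and returns an error.
func DecryptFromBackup(key []byte, objectName string, blob []byte) ([]byte, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(objectName))
}

func main() {
	// Constructed sample: a fresh 32-byte key and a tiny record standing in for ePHI.
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("patient=EXAMPLE-0001;visit=2013-03-26;note=constructed sample")
	const name = "backups/records/0001.bin" // hypothetical object name
	blob, err := EncryptForBackup(key, name, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d bytes of ciphertext and no key\n", len(blob))

	// Simulate one flipped bit in the provider's storage: restore must fail closed.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := DecryptFromBackup(key, name, tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
	plain, err := DecryptFromBackup(key, name, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("restored:", string(plain))
}
```

Because the key stays with the covered entity, losing it means losing the backups; a key-escrow or key-backup procedure of its own belongs in the contingency plan alongside this scheme.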
Data center availability is another key factor that impacts security. Most cloud backup providers will have a redundant data center infrastructure – but do all their data centers offer Tier 4 availability, which includes strict access controls, including biometric access control methods?
Retention
Retention of multiple document versions, as well as retention for specific time periods, is vital to regulatory compliance in healthcare. Many healthcare businesses keep nearly all their data indefinitely “to be on the safe side” of the regulations.
Retention policies should be implemented carefully to reduce storage costs and streamline access to information when you need it. Make sure that prospective cloud storage providers can offer flexible, configurable retention schedules for different types of data, as well as the ability to “archive” older data to lower-cost media while still being able to recover it in a reasonable period of time should it be needed for eDiscovery or a regulatory audit. Also ensure you can store an arbitrary number of revisions/iterations of documents.
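A configurable retention schedule of the kind described above is easiest to reason about as a function from (policy, version age, revision rank) to a storage tier. The following is an added example, not code from the guide or from VaultLogix, that applies a per-data-type policy to a document's revision history: the newest N revisions always stay on primary storage regardless of age, older revisions move to a lower-cost archive tier after a configurable number of days, and, only for data types where the policy allows it, revisions past a deletion threshold are marked expired. The policy fields, tier names and sample revisions are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

type Tier string

const (
	TierHot     Tier = "hot"     // primary backup storage, fast restore
	TierArchive Tier = "archive" // lower-cost media, slower restore
	TierExpire  Tier = "expire"  // past retention, eligible for deletion
)

// Policy is a per-data-type retention schedule (constructed field names).
type Policy struct {
	MinRevisions     int // newest revisions always kept hot, whatever their age
	ArchiveAfterDays int // revisions older than this move to archive
	DeleteAfterDays  int // revisions older than this may be deleted; 0 = keep indefinitely
}

type Version struct {
	ID     string
	Stored time.Time
}

type Decision struct {
	ID   string
	Tier Tier
}

func ageDays(now, stored time.Time) int {
	return int(now.Sub(stored).Hours() / 24)
}

// ApplyRetention returns one tier decision per version, newest first.
// The latest revision is never expired, so a restore point always exists.
func ApplyRetention(p Policy, versions []Version, now time.Time) []Decision {
	if p.MinRevisions < 1 {
		p.MinRevisions = 1
	}
	sorted := append([]Version(nil), versions...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Stored.After(sorted[j].Stored) })
	out := make([]Decision, 0, len(sorted))
	for i, v := range sorted {
		age := ageDays(now, v.Stored)
		tier := TierHot
		switch {
		case i < p.MinRevisions:
			tier = TierHot // rank wins over age
		case p.DeleteAfterDays > 0 && age >= p.DeleteAfterDays:
			tier = TierExpire
		case age >= p.ArchiveAfterDays:
			tier = TierArchive
		}
		out = append(out, Decision{ID: v.ID, Tier: tier})
	}
	return out
}

func main() {
	// Constructed revision history of one document, evaluated at a fixed date.
	now := time.Date(2013, 12, 31, 0, 0, 0, 0, time.UTC)
	history := []Version{
		{"v1", now.AddDate(0, 0, -800)},
		{"v2", now.AddDate(0, 0, -400)},
		{"v3", now.AddDate(0, 0, -100)},
		{"v4", now.AddDate(0, 0, -10)},
		{"v5", now.AddDate(0, 0, -1)},
	}
	policies := map[string]Policy{
		"ePHI records":   {MinRevisions: 2, ArchiveAfterDays: 90, DeleteAfterDays: 0},
		"temporary scans": {MinRevisions: 1, ArchiveAfterDays: 30, DeleteAfterDays: 365},
	}
	for name, p := range policies {
		fmt.Println(name)
		for _, d := range ApplyRetention(p, history, now) {
			fmt.Printf("  %s -> %s\n", d.ID, d.Tier)
		}
	}
}
```

Keeping deletion off (DeleteAfterDays of 0) for ePHI reproduces the "keep indefinitely" posture the guide mentions while still moving cold data to cheaper media, which is where most of the cost saving comes from.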
Reporting
Two levels of reporting are important for secure and compliant cloud backup, not to mention peace of mind:
- Backup logs and reports for every backup, so you can easily monitor and verify that your backups are trouble-free and your data is protected and restorable.
- Real-time reporting, including e-mail notifications and web-based status and informational reports, so you are proactively alerted to potential problems.
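Per-backup logs are only useful if something reads them and raises the alarm on the three conditions that matter: a job failed, a job has not succeeded within its expected window, or a job that should exist never reported at all. The following is an added example, not code from the guide or from VaultLogix, that parses a constructed key=value backup log and produces those alerts against a list of expected jobs; the log format, job names and timestamps are assumptions made up for the example, since the page describes no specific format.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Entry is one parsed backup log line.
type Entry struct {
	When   time.Time
	Job    string
	Status string
	Detail string
}

// ParseLine reads a constructed "RFC3339 key=value key=value" log line.
func ParseLine(line string) (Entry, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Entry{}, fmt.Errorf("malformed line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Entry{}, fmt.Errorf("bad timestamp in %q: %v", line, err)
	}
	e := Entry{When: when}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "job":
			e.Job = kv[1]
		case "status":
			e.Status = kv[1]
		case "error":
			e.Detail = kv[1]
		}
	}
	if e.Job == "" || e.Status == "" {
		return Entry{}, fmt.Errorf("missing job or status in %q", line)
	}
	return e, nil
}

// Assess turns parsed entries into alerts: every failure, every expected job
// with no success on record, and every expected job whose last success is
// older than maxAge. Alerts are returned sorted for stable reporting.
func Assess(entries []Entry, expected []string, now time.Time, maxAge time.Duration) []string {
	lastOK := map[string]time.Time{}
	var alerts []string
	for _, e := range entries {
		if e.Status == "SUCCESS" {
			if e.When.After(lastOK[e.Job]) {
				lastOK[e.Job] = e.When
			}
			continue
		}
		alerts = append(alerts, fmt.Sprintf("FAILED %s at %s: %s", e.Job, e.When.Format(time.RFC3339), e.Detail))
	}
	for _, job := range expected {
		t, ok := lastOK[job]
		switch {
		case !ok:
			alerts = append(alerts, fmt.Sprintf("NO SUCCESSFUL BACKUP on record for %s", job))
		case now.Sub(t) > maxAge:
			alerts = append(alerts, fmt.Sprintf("STALE %s: last success %s", job, t.Format(time.RFC3339)))
		}
	}
	sort.Strings(alerts)
	return alerts
}

// AlertsFromLog parses a whole log text and assesses it; a malformed line is an
// error rather than silently dropped, because a gap in the log is itself a finding.
func AlertsFromLog(log string, expected []string, now time.Time, maxAge time.Duration) ([]string, error) {
	var entries []Entry
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		entries = append(entries, e)
	}
	return Assess(entries, expected, now, maxAge), nil
}

// SampleLog is constructed sample data, not output of any real product.
const SampleLog = `
2013-04-01T02:00:05Z job=ehr-db status=SUCCESS bytes=1048576
2013-04-01T02:05:10Z job=imaging status=FAILED error=disk_full
2013-03-25T02:00:00Z job=email status=SUCCESS bytes=524288
2013-04-02T02:00:07Z job=ehr-db status=SUCCESS bytes=1050000
`

func main() {
	now := time.Date(2013, 4, 2, 12, 0, 0, 0, time.UTC)
	expected := []string{"ehr-db", "imaging", "email", "laptops"}
	alerts, err := AlertsFromLog(SampleLog, expected, now, 48*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Println(a)
	}
}
```

The "no successful backup on record" case is the one a purely failure-driven e-mail alert misses: a laptop that never checks in generates no failure line at all, so the check has to start from the list of jobs that should exist.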
Performance, scalability and flexibility to meet future requirements
Every healthcare organization needs a flexible cloud backup solution that can cost-effectively expand and adapt as your needs grow and change. This includes local backup options as well as archiving, so you can optimize accessibility to today’s most critical data while saving costs on storing older, less valuable, and/or less frequently accessed data.
Performance is also critical in healthcare environments to ensure acceptable service levels for patients. Many low-end cloud backup providers restrict upload and download rates, which can slow backups to a crawl and frustrate recovery attempts when every second counts. Similarly, recovery support should be fine-tuned – down to single files whenever possible – to accelerate operations and minimize delays.
Offering flexibility also means eliminating restrictions to moving your data elsewhere should the need arise. Check the contract fine print. What service levels are being agreed to? Will the vendor help or hinder your efforts to move data out of its repository? Support for the Cloud Data Management Interface (CDMI) and other emerging standards is a good sign that a provider is not attempting to “lock in” customers.
Conclusion
Keeping data protected and available is central to any healthcare organization’s IT strategy, and a critical component of patient care. Data protection, disaster recovery and “emergency mode operations” planning are also mandated by HIPAA. Given the costs associated with implementing and maintaining HIPAA compliance, as well as the prohibitive cost of non-compliance, leveraging solutions like cloud backup that reduce compliance costs as well as overall IT cost and risk makes strong business sense for many healthcare companies.
About the author
Tim Hannibal founded VaultLogix in 2002, and has more than 20 years of management and sales experience. As the CEO and founder, he funded the startup phase of the organization, arranged additional financing, and guided the company to profitability. He continues to support VaultLogix’s growth through industry insight, innovation, and strong leadership.
Tim has experience with various technology products and services, including telecommunications, internet, data protection and storage. Prior to VaultLogix, he was the Vice President of Sales and Marketing at Cleartel where he helped to manage and develop the company’s growth. Tim began his career at Worldcom, where he spent nearly a decade driving sales during the company’s integration of nine mergers and acquisitions.
Tim received his Bachelor of Arts from Massachusetts College of Liberal Arts.