Backing up patient data: Can you pass the test?
Dr. Stacey Simmons was very surprised when she learned her dental practice’s data was an easy target. She believed her data was backed up and protected. She’s warning her fellow dentists to avoid her mistakes.
Just because you’re not in dental school anymore doesn’t mean you get to stop taking tests. So let’s get to it. This test should be easy . . .
Read these questions to see if you can not only answer them, but do so with positivity. (Hint: That’s the key to passing.)
- Do you back up your data? (This assumes your office is electronic.)
- Are you absolutely sure your data is being backed up?
- When was the last time you checked to see if your data could be extracted and subsequently used from your backup?
- In the event you need to retrieve your data, do you know where the data will go and how long it will take to retrieve it?
- Is your data backup system HIPAA
- Are you sure about your answers?

I thought I was, and, well, let’s just say that this was one test I did not pass. Nope, not even close.
I was told by an IT expert, “Ummm, Dr. Stacey, did you know that your last complete and confirmed backup was over a year ago, and even then, there is no verification of data acquisition or ability to retrieve it?” Wait. What? No. That can’t be right. Really?
This unfortunate (yet ultimately fortunate) revelation came about when I was approached by a recently hired IT person whom I’d known for years. He worked with the dental equipment supplier that more or less outfitted my office. To be honest, when he told me he was going out on his own and asked if I would like to switch to his services, I was somewhat reluctant. I assumed everything was under control and I didn’t want to add another bill to pay.
However, after marinating on the idea, with 16 computers in my office, I concluded that at some point something would go wrong or need attention. It was inevitable, and I wanted to ensure there was no disruption in the flow of the day-to-day production and workings. I’m a dentist, not a computer guru. I rely heavily on those with the knowledge and skills that I don’t have to make the “office-go-’round.”
Once my new IT specialist analyzed everything, here’s what he found:
- My firewalls were not up to date and effective. Hackers and computer viruses are constantly evolving, and I was an easy target.
- My server, or hard backup, was almost at its max. Due to the amount of data stored on it, if something happened, I had no way to download an offline backup because I didn’t have anything large enough to contain the data.
- Several of my computers were outdated, and due to software changes and upgrades, etc., they were slow and inefficient, which annoyed everyone in the office.
- In the event of a disaster, I would not have been in a good place. Sure, all of my insurances were up to speed because I’m golden in that regard, but what about the data?
Patient data is one of the most valuable assets we have in our practices. Why? Because it is comprehensive medical information that allows us to do our jobs and treat our patients. The information is massive, valuable, and desirable to many because it can be sold. Despite this, I’ll admit that the value and importance of this asset is often overlooked. Why? Because it’s not tangible and we assume all is well with a click of a button. This is where I went wrong.
Where does one even start when assessing the process of backing up data?
Get the right person for the job
Let’s face it. We’re dentists and our time is best spent doing what we do—being dentists and treating patients. While YouTube is a tremendous resource for all of you DIYers, it won’t get the job done when your information system comes crashing down and you have a full schedule.
When discussing this with my IT specialist, he emphasized that whomever it is you procure—individual or company—you absolutely must trust them. Furthermore, reliability and accessibility are vital, especially if something goes awry. What could possibly go wrong? Viruses, data freezes, incomplete backups, computer hardware or software crashes, disasters such as floods or fires, stealing of information, and more. Could you handle any one of these major issues and get your office back up and running? Maybe, but do you want to leave it to chance?
The data of one of my IT person’s clients crashed toward the end of a workday. It took more than 24 hours for the office to get back online, and he lost $12,000 of production in that single day of downtime that he could not recover. What if it had taken two or three days? Do the math. It adds up very quickly.
It’s imperative that you invest in what it takes to maintain your data and its integrity. This includes hardware, software, and storage. If you don’t, you could literally put yourself out of business. Yes, you need to pay for it, but you’re investing in the heart of your practice, and you need to protect your livelihood and working entity.
Here are factors and questions to remember with regard to your data and what you and your IT specialist should be discussing:
- What type of backup do you have? It’s recommended that you have a hard copy (server, etc.) and an electronic copy (digital, cloud, etc.)
- Is your information encrypted onsite and offsite? If it is, are there multiple levels of encryption? (See below.)
- What type of firewalls do you have in place, and are they current?
- What is your backup protocol? Is it daily, hourly? Is data being purged after the mandatory seven years of record-keeping?
- What kind of reporting is expected with regard to backup validation? Is it daily, monthly? If backup is not successful, what’s your next step?
- Are your computers HIPAA-compliant? (See below.)
- What kind of recovery plan do you have? Most established offices have large databases but do not have an extra computer or server big enough to retrieve said data and run the software program. Yeah, you need to have a $5,000 paperweight available should the need arise. What did I do? I bought a new server and kept my old one as an extra.
- In the event you need to retrieve your data, how long will it take to get up and running again? Factors include access to data, speed of downloads, and more. There is a cost to your downtime. Something else that can influence your recovery is geography. I live in a rural area and internet speed is not great. It took three weeks (24/7) to back up my entire data system to my offsite location. Yup. Three weeks. In other areas, it would have taken three days. So, make that part of your overall equation, or at least assess it, because even retrieving part of your data can take longer than expected.
- How does your insurance cover lost data and recovery? Do you even have coverage, and if so, what are the limitations and inclusions in the policy?
How does HIPAA play a role in data backup? This one sentence gives us our answer: Do not allow unauthorized persons to access protected information. Seems simple enough, right? In short, yes, after you’re compliant, which means acquiring, using, backing up, and maintaining the integrity of electronic protected health information (ePHI). They all go hand in hand. If you’re secure on one end but not on the other, then you’re not compliant, plain and simple.
Here’s a list of fundamental steps to jumpstart your inventory and determine whether or not you’re compliant. A comprehensive HIPAA assessment should be obtained from your compliance officer. Keep in mind that details may vary from state to state.
- Passwords are mandatory and should not be shared. Individual passwords let you monitor each user’s activity and give users only the level of access to data that their clearance requires.
- Passwords should be required when you first log in to the computer itself, and again when logging in to your practice management software.
- If the computer is left unattended, a screen lock and password should be in place.
- Onsite and offsite data must be encrypted. This includes “data at rest” (your server) and “data in motion” (offsite backup and email). Encryption equals security. Multiple levels of encryption are available and are highly advised.
- Backup validation reports advise you of successful and unsuccessful backups. Daily is recommended.
- Most backup programs can report, down to the file, what caused an unsuccessful backup.
- Breaches and suspicious activity are also conveyed.
- If you hire an IT person or a company to be in charge of your backups, or for that matter anyone who has access to your data, a confidentiality agreement should be signed.
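Two of the questions above (“Are you absolutely sure your data is being backed up?” and “When was the last time you checked to see if your data could be extracted and subsequently used from your backup?”) and the reporting items just above come down to the same routine: restore the backup somewhere harmless, check every file, and write down whether it passed. The script below is an added example, not from this article or its author, of such a restore drill. It assumes the backup is a tar.gz archive with an embedded SHA-256 manifest produced by the same script (a stand-in for whatever your backup product writes); the sample practice files, file names and the report line format are constructed for the example and contain no real patient data.

```python
"""Backup restore drill with a PASS/FAIL report (added example, not from the article).

Builds a small constructed "practice" directory, backs it up to a tar.gz with an
embedded SHA-256 manifest, then proves the backup is restorable by extracting it
to scratch space and re-hashing every file. The one-line report is the kind of
daily backup-validation output the article says to review.
"""
import hashlib
import io
import json
import tarfile
import tempfile
import zlib
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Relative POSIX path -> SHA-256 digest for every file under `source`."""
    return {p.relative_to(source).as_posix(): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Archive `source` as data/ and store manifest.json beside it inside the tarball."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
        payload = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("manifest.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return manifest


def restore_drill(archive: Path) -> dict:
    """Restore `archive` into a throwaway directory (never over live data) and
    check every file listed in the manifest. Returns a report dict."""
    report = {"archive": str(archive), "checked_at": datetime.now(timezone.utc).isoformat(),
              "status": "FAIL", "files_expected": 0, "files_ok": 0, "problems": []}
    if not archive.exists():
        report["problems"].append("archive missing")
        return report
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(restored, filter="data")  # refuse unsafe paths (3.12+/backports)
                except TypeError:  # older Python without extraction filters
                    tar.extractall(restored)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            report["problems"].append(f"archive unreadable: {exc}")
            return report
        manifest_path = restored / "manifest.json"
        if not manifest_path.exists():
            report["problems"].append("manifest.json missing from archive")
            return report
        manifest = json.loads(manifest_path.read_text())
        report["files_expected"] = len(manifest)
        if not manifest:
            report["problems"].append("backup contains no files")
        for rel, digest in manifest.items():
            p = restored / "data" / rel
            if not p.exists():
                report["problems"].append(f"missing: {rel}")
            elif sha256_file(p) != digest:
                report["problems"].append(f"corrupt: {rel}")
            else:
                report["files_ok"] += 1
    if not report["problems"]:
        report["status"] = "PASS"
    return report


def format_report(report: dict) -> str:
    """One line suitable for a daily log or e-mail digest."""
    line = (f'{report["checked_at"]} {report["status"]} '
            f'{report["files_ok"]}/{report["files_expected"]} files verified from {report["archive"]}')
    if report["problems"]:
        line += " | " + "; ".join(report["problems"][:5])
    return line


def make_sample_practice(root: Path) -> Path:
    """Constructed stand-in for practice data (no real patient information)."""
    src = root / "practice"
    (src / "charts").mkdir(parents=True)
    (src / "charts" / "patient_0001.txt").write_text("constructed sample chart\n")
    (src / "charts" / "patient_0002.txt").write_text("another constructed chart\n")
    (src / "schedule.csv").write_text("date,room,op\n2024-01-02,1,exam\n")
    return src


def run_demo() -> dict:
    """Run the drill against a good backup and against a truncated copy of it."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        src = make_sample_practice(root)
        good = root / "practice-backup.tar.gz"
        create_backup(src, good)
        # Simulate a backup job that died part-way: keep only the first half of the bytes.
        truncated = root / "practice-backup-truncated.tar.gz"
        data = good.read_bytes()
        truncated.write_bytes(data[: len(data) // 2])
        results = {"good": restore_drill(good), "truncated": restore_drill(truncated)}
    for r in results.values():
        print(format_report(r))
    return results


if __name__ == "__main__":
    run_demo()
```

The point of the drill is that “the backup job said OK” is not the same as “the data can be restored”: the archive is actually unpacked and every file re-hashed, so a half-written archive or a missing file shows up as a FAIL line with the cause, which is exactly the question the report should answer each day.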
There you go—your 101 on data backup. If you’ve read this and can, without hesitation, say you’re good to go with your security systems and how you back up your data, you’ve aced the test. If not, then you’ve got some work to do, and that’s the intent of this article—to make sure you’re in a better place than I was. I clearly failed; however, I’ve since redeemed myself, and my new peace of mind is priceless.