Sodium Dental Helpful Hints for HIPAA Hiccups Session 1 Backup
Welcome to the Sodium Dental Podcast on HIPAA, EPHI and office security. Each session we will be identifying a potential risk for your office that we would like you to be aware of.
Our Opening Session Will be on having a reliable, tested and secure data backup.
The first thing you need to know is that just because you are paying for a backup doesn’t mean you have one.
I asked 20 dental offices that we provide dental sensor repair services if they have a backup of their data and all 20 of them said, “yes”
My second question was, how does your backup work and where is your backup data? 17 of them told me they knew exactly how and where it was being backed up, the other 3 were not really sure. At this point I asked if I could remote in with them and we could be sure they are getting a secure backup and they were all okay with this. We found that 5 of the 17 doctors were correct about where there backups were stored and how they were backed up and the rest were all misinformed by the software or company they hired to do their backup.
I discuss some scary failed backup stories in my video.
Now here is the bullet list of what you NEED in your backup.
1. Multiple Backups from Multiple Times. This means you need a backup of more than just one time period of data. My suggestion is a backup for each day of the week, a middle of the month backup and a beginning or end of month backup.
Why do you need this? If your backup is of corrupted data then it is useless. Some viruses can begin to destroy data long before you ever realize it. For instance one office had acquired a Ransomware virus, this virus does not show up on any antivirus software because the computer views the virus as a program you intentionally installed. The program slowly encrypts data in the background so that you have to pay a ransom to get the data back. It only encrypts data it purposefully avoids encrypting critical windows files so you can likely run your system for quite some time before you know what is happening.
So this office on a Thursday had downloaded this virus, they then went away for a week. So they didn’t see their first errors till days later. They only kept 3 days of backups and then overwrote them and this turned out that by the time they knew they had a problem the oldest backup was still not old enough to go back to before the first files were impacted by the ransomware.
2. You need to keep copies of your backup offsite away from your office, either taken home on hard drives or backed up to an offsite secure data center.
Why should we do this? This is an obvious answer. For the sake of your practice your patient data is an incredibly valuable asset that is the fundamental equity you will sell when you retire. Also, you need to keep this data off site because you are required to keep your patient records for 7 years so if your practice burns down and you lose all of your charts, xrays and your digital data you are then going to be up for 10,000$ fines per patient topping out at $1,000,000 per year per HIPAA rules.
So make sure you prepare for a terrible office tragedy by keeping off site backups.
3. Your off site backups need to be secure and protected. If you are backing up to external hard drives this means that the data on those drives needs to be fully encrypted so that if a drive is lost or stolen the thieves will be unable to recover the data. If you are using an online backup service aka “the cloud” a completely made up term for a server in some other building that is accessible on the internet. There is no cloud people, some marketing company made that up, put it in an airline mall magazine and now we all have to live with it.
Anyway if you are backing up to “the cloud” there are some things you need to be aware of.
a. You have to have a BAA with the company that is storing your data. See the HHS website they have a great BAA which is a Business Associates Agreement, that you can utilize for your uses. A BAA is an agreement that contractually obligates the company you are storing your data with to keep that data secure, to not expose that data to other people not obligated under the BAA and to provide you assurances to the accessibility of that data.
Just because you have a BAA does not mean you have a good one. Make sure you read it and make sure it makes sense.
I for instance was doing a HIPAA Risk Assessment for a customer and asked to look over their BAA with their IT company who was providing their cloud data backup for a monthly fee. This IT company, whose name I won’t mention, but they are a large dental IT company who is often referred by one of the major practice management companies.
In their BAA it contained this line that deals with what happens to those backup copies or data in the case that the contract was terminated. I am paraphrasing to avoid any copyright infringement (if there is any) here.
Effect of Termination. If this agreement is terminated (i) if possible (seriously it contains the caveat of if possible, well it said feasible) “Company Notsogood” shall return to the practice OR DESTROY all protected Health information received from the practice.
It goes on but here is the problem, in the case that the contract between the dental office and this dental IT company is terminated the company doing the backups can return or destroy the data at the discretion of the IT Company not the dental Practice.
So now we will look at the term and termination part of the contract, this is the part that says how, why and when the contract is terminated. This section says they can terminate the agreement as soon as it desires by delivery of written notice. So we will put that together, you pay for a backup solution and one day you really need it and maybe that backup company wasn’t actually doing their job and they don’t have a good backup. Well according to the BAA that company could just fire you as a customer then “destroy all copies of the data”. Realistically they have no obligation to ever actually provide the data to you.
Now guess who is liable? The doctor. The doctor is out the data, they can’t see patients and now they are probably up for about 5,000 HIPAA related fines.
Also, your BAA should say that the data is being transmitted securely and stored in an encrypted format and many more things. Please see the sample BAA provided by the HHS.
4. Backup Reporting
You need some method to know for sure that your backup is successful daily. If your backup software provides a method to email you a report then set that up, actually read the emails it sends you and store those emails.
If you don’t have a computer log then keep a hand written log that you took a backup today, it is stored on whatever device, and the backup is this large in file size. Write it down every day and scan in the log about once a month and keep it.
5. Documenting your backup process. Your data is required to survive you for the years that you are required to keep it. So you need to document how you are backing up and how those backups can be recovered. You need at least one other person to have access to or knowledge of the encryption code needed to decrypt your backup.
Put this documentation in your HIPAA Risk Assessment and have it ready. It is a required part of your HIPAA documentation.
So here it is.
1. Multiple copies of your data, I suggest 7 daily backups Mon-Sun, a 1st of the month and middle of the month backup as well.
2. Keep some of these copies off site from your office. I suggest every night take home a backup drive and swap it for one you will leave in the office to backup that night. Or use off site backup.
3. Backups need to be secure and protected. This means data on backup media needs at least 128 bit encryption and any internet backed up data needs a BAA to insure they are encrypting and protecting your data.
4. Reporting. You need logs daily that tell you your backups are working and you need to look at them daily. I would also suggest every 2 weeks you actually look at the backups, see what files are in there, compare file numbers and size to the data that is on your server. Keep the logs of your backup.
5. Document your backup process. You need to NOW before your HIPAA audit, have written down, exactly how you are backing up your data, where it is going, how you would go about restoring it, who is responsible for it, and any information required to restore in case of your inability to provide the information yourself.