Standard 7: Information backup
Our practice has a reliable information backup system to support timely access to business and clinical information
The compliance indicators listed in the matrix identify the specific actions that comprise good security practice for Standard 7.
It is assumed the practice will provide appropriate education and training to facilitate compliance with this Standard.
The compliance indicators at level 4 reflect the minimum level of computer and information security acceptable for this Standard. The compliance indicators for higher levels provide the basis for incremental security improvement.
| Information backup compliance indicators | Level 1 Initial | Level 2 Repeatable | Level 3 Defined | Level 4 Managed (Minimum) | Level 5 Optimised |
|---|---|---|---|---|---|
| 7.1 Policy content | No formal policy | No complete written policy | Complete written policy | Complete written policy, periodically reviewed | Complete written policy, reviewed annually |
| 7.2 Policy communication | Policy not communicated to the practice team | Policy communicated verbally to the practice team | Policy communicated in written format to relevant practice team members | Policy communicated in written format, training provided and all practice team members have access to the policy | Policy available in written format to relevant practice team members; regular training for the practice team and communication strategy reviewed against policy; all practice team aware of the content and implications of the policy |
| 7.3 Backup frequency | None, or manual initiation of backup on an ad hoc basis, or frequency unknown | Manual initiation of backup weekly or every few days | Manual initiation of backup daily | Automatic initiation of backup daily | Automatic initiation of backup, continuous or real time, with checks in place |
| 7.4 Backup type | Unknown, or partial (data only), or incremental | Partial (data and setup files) | Full: all data | Full: all data and programs | Full system backup or imaging, including operating system |
| 7.5 Backup encryption | | | | Encrypted with password | All backups encrypted and password protected |
| 7.6 Backup reliability | Backup not checked or reliability unknown | Backup checked for completion | Backup periodically checked for reliability | Backup periodically checked for reliability and outcome tracked | Backup reliability tested with automatic notification; every backup has outcome tracked |
| 7.7 Backup restoration | Never restored or restore status unknown | Ad hoc restoration | Regularly manually restored | Fully automated restoration | |
| 7.8 Backup media | Unknown or obsolete media (e.g. floppy) | Jaz/ZIP or tape (e.g. DAT/QIC) media | Second hard disk, RAID configuration, solid state, or to another computer/laptop | Removable hard disk, or networked storage that is not generally accessible across the network or is on a separate network, or offsite (cloud) | |
| 7.9 Media rotation | No rotation or rotation unknown | Daily and weekly | Daily, weekly and monthly | Daily, weekly, monthly and annual | |
| 7.10 Backup storage | Unsecured in practice (e.g. next to computer) | Secure onsite (e.g. in a safe) or offsite | Secure onsite and secure offsite | Current backup securely stored onsite and current backup securely stored offsite | Multiple copies of current backup securely stored onsite and current backup securely stored offsite |
| 7.11 Backup access | Uncontrolled or access not known | Appropriate practice team members | Authorised practice team members | Authorised practice team members, fully trained | |
| 7.12 Legacy systems data storage | Unknown access to previous backup technology, or previous technology unknown | Unknown access to previous backup technology | Access to previous backup technology | Access to previous backup technology and readability of previous media tested | Data transferred from previous backup technology media to current media and verified |

Note on the matrix: rows 7.7, 7.8, 7.9 and 7.11 list only four indicators in the source and row 7.5 lists only two. They are shown above in ascending order (the two encryption indicators against Levels 4 and 5) with the remaining cell left blank; the source does not show which adjacent levels those indicators span.

Adapted and reproduced with permission from Dr Patricia Williams
Helpful templates for this Standard
Templates 7.1–7.3 will assist in achieving compliance. Completion of these templates will ensure you have fully documented the requirements of this Standard.
Data can be lost through human error, software malfunction or failure, hardware problems and external causes such as theft or natural disasters. People can accidentally erase information, software can cause data loss through program flaws, and data storage devices can be lost or stolen. It is critical to make regular backups of all your clinical and business information and software in case any of these occur. Longer-term preservation of, and access to, health records also needs to be maintained.
Storage and retrieval of information are a high priority in information security. A reliable and tested backup procedure is vital, as is the ability to restore all practice information after a computer incident. Knowing when to seek technical assistance is essential, and timely access to the latest backup (knowing where it can be located) is important.
The backup procedures are an integral part of the practice’s business continuity and information recovery plans (see Section 5).
You need to know the answers to the questions below.
- What is your backup procedure?
- Which backup medium and software will you use?
- How can your backup data be restored?
- How long will it take?
- How can you check that the backup system works every time?
- If you store any health information offsite, does this information reside on Australian soil?
Installing a backup system requires technical skills and is best done by a technical service provider. Backup and data restoration procedures are a vital component of the business continuity plan; because the optimal method of backup and restoration is quite technical, practices are advised to consult a technical expert on these matters. Document the backup process using the forms provided in Templates 7.1–7.3. The important points regarding backup and backup procedures are set out under the indicators below.
7.1 Policy content
Details of the backup and recovery procedures should be documented. The backup procedure is a key component of the business continuity and information recovery plans. Ensure that backup media are taken offsite when the practice is closed. Record which members of the practice team perform the backup and automate as much of the procedure as possible. Data restoration should be tested periodically. If this is done by the technical services provider, then the Computer Security Coordinator should ensure that it is being done regularly.
7.2 Policy communication
The policy should be in written format and communicated to relevant practice team members.
7.3 Backup frequency
A distinction should be made between the daily backup (stored offsite and used to restore data when necessary) and weekly, monthly and yearly archives (used for long-term data retention and legal purposes). A distinction should be made between system backups versus business and clinical data backups: business and clinical data backups must be performed daily, while system backups can be performed less frequently as the operating system and software change less frequently.
7.4 Backup type
Any changes to data and files should be backed up. This includes practice management and clinical systems data as well as other relevant documents, email files, user profiles including desktop settings and internet favourites and bookmarks. You may require different backup and recovery procedures to manage these requirements. While you do not need to back up your operating system or programs daily as these can be restored from the original media, it is a good idea to periodically back up the entire server. This can be done using disk imaging software as it takes an identical copy, or ‘image’ of your computer hard drive. Continuous backup should be considered as an option where you have two onsite servers.
Note: It is important to keep a correct and current copy of the practice's computer policy and procedure manual offsite, so that if there is a systems failure there is ready access to the restoration and business continuity procedures.
7.5 Backup encryption
All backups and archived data should be encrypted and password protected where possible and kept in secure locations.
7.6 Backup reliability
A common problem is that the verification step of the backup process (did it actually complete, and is the copy readable?) is overlooked or not undertaken. Unfortunately, backup failures are often only detected when it is necessary to use the backup for restoration purposes. It is vital that a process is established for determining that each backup has successfully completed. A completion message from the backup software is not sufficient on its own: a backup that reports success can still be incomplete or unreadable, so the check should confirm the contents of the copy (for example by comparing checksums against the source, or by a test restore) and the outcome of every check should be recorded.
7.7 Backup restoration
Data restoration means knowing how to rebuild a system and server if it has become inoperable. It is not simply a matter of reloading the data; you also need documentation that defines which programs were on the computer and how they were configured. This needs to be done by, or under the guidance of, a technical service provider. Appropriate documentation of the process in your risk assessment and asset register is therefore important.
In addition, the restoration process needs to be periodically tested and validated. More frequent restoration testing reduces the risk of data loss and practice downtime, because problems with the backup are found before the backup is needed. In most instances the restoration process should be automated. If it is not set up to be automated, the restoration process will need to be actioned by, or under the guidance of, your technical service provider. It is recommended that an authorised person in the practice visually checks the restored data. One method is to ensure the last patient entry from the previous day is present on the restored system.
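The completion check described under 7.6 and the restore drill under 7.7 can be scripted so that they run after every backup rather than only when a restore is needed. The following is an added example and is not part of the Standard or its templates: it copies a constructed source directory to a backup location, writes a SHA-256 manifest, re-hashes the copy to confirm it is complete and unchanged, restores the copy into a scratch directory, checks that the last patient entry (a constructed row in a CSV file) is present, and appends the result of each check to a log so that every run has its outcome tracked. The directory layout, the file names and the patients.csv format are assumptions made for illustration.

```python
"""Backup reliability check and restore drill (added example, not from the Standard).

Assumptions: backups are plain directory copies, a SHA-256 manifest is written
beside each copy, and the 'last patient entry' check reads a constructed
patients.csv whose final row is the most recent entry.
"""
import csv
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def run_backup(source: Path, dest: Path) -> Path:
    """Copy source to dest/data and write manifest.json beside the copy."""
    shutil.copytree(source, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(build_manifest(source), indent=1))
    return dest


def verify_backup(backup: Path) -> dict:
    """7.6: re-hash the copy and compare with the manifest; report what is wrong."""
    expected = json.loads((backup / "manifest.json").read_text())
    actual = build_manifest(backup / "data")
    missing = sorted(set(expected) - set(actual))
    corrupt = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not missing and not corrupt, "missing": missing,
            "corrupt": corrupt, "files": len(expected)}


def restore_drill(backup: Path, scratch: Path, last_entry_id: str) -> bool:
    """7.7: restore into a scratch area and check the last patient entry is present."""
    restored = scratch / "restored"
    shutil.copytree(backup / "data", restored)
    with (restored / "patients.csv").open(newline="") as f:
        ids = [row["id"] for row in csv.DictReader(f)]
    return bool(ids) and ids[-1] == last_entry_id


def record_outcome(log: Path, stage: str, ok: bool, detail: dict) -> None:
    """Append one JSON line per check so every run has its outcome tracked."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "stage": stage,
             "ok": ok, "detail": detail}
    with log.open("a") as f:
        f.write(json.dumps(entry) + "\n")


def demo(tamper: bool = False) -> dict:
    """Build constructed sample data, back it up, verify it and run the drill.

    tamper=True overwrites one file in the copy to show what a failed check reports.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        source.mkdir()
        # Constructed sample data: two patient rows, the last one is 'yesterday's' entry.
        (source / "patients.csv").write_text(
            "id,name,seen\n1001,Constructed A,2024-03-04\n1002,Constructed B,2024-03-05\n")
        (source / "notes.txt").write_text("constructed sample\n")
        backup = run_backup(source, root / "backup")
        if tamper:
            (backup / "data" / "notes.txt").write_text("bit rot\n")
        report = verify_backup(backup)
        drill_ok = restore_drill(backup, root / "scratch", "1002")
        log = root / "backup-outcomes.log"
        record_outcome(log, "verify", report["ok"], report)
        record_outcome(log, "restore-drill", drill_ok, {"last_entry": "1002"})
        return {"verify": report, "restore_drill": drill_ok,
                "log_lines": log.read_text().count("\n")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
    print(json.dumps(demo(tamper=True), indent=1))
```

In a real deployment the source directory is the practice data, the backup location is the rotated media or offsite store, and the log is what the Computer Security Coordinator reviews; a non-zero count of missing or corrupt files, or a failed drill, is the condition that should trigger the automatic notification the Level 5 indicator calls for.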
The process for backup restoration needs to be documented, so that if required the backup can be used to restore all or part of your practice data and programs. There are important issues to be considered regarding testing the backup and restoration procedures.
7.8 Backup media
Choosing the appropriate backup software and hardware for individual practice circumstances is important. There are many types of backup media and programs to choose from and, because of the rapidly changing IT environment, practices should seek technical advice. Common backup media include writable CD/DVD and portable hard drives. In a networked environment the backup method can also include transfer of data to another computer over the network, or to an online backup service via the internet. If the backup is performed across the network, practices should ensure that the backup store is not reachable from the general practice network or from the internet. If an intruder who gains access to the network can also reach the backups, the backups can be altered or destroyed in the same incident, which removes the protection they were meant to provide. At least one current backup should be kept offsite or segregated from the network.
It is important to be observant for potential problems within the systems that manage data, including backups. It is useful to have a series of backups so that you can restore a file from a point before the problem occurred. Having a system of daily, weekly, monthly and annual backups enables you to do this.
For daily backups, use a different tape, CD, DVD or hard drive for each day. Label them by the day of the week and always use the media with the matching label, so that Monday's data is always backed up onto (overwriting) the media marked 'Monday'.
7.9 Media rotation
Backup media must be cycled so that at any point in time there are multiple backup copies of the practice data. If practicable, more than one backup method should be used. A suggested backup rotation strategy for portable media and an associated recording sheet can be found in Template 7.2. Physical media rotation does not apply to networked or online backup, but the same principle does: the network or online service must retain several dated copies rather than a single copy that is overwritten on each run.
- Weekly backups: have backup media labelled ‘Week #1’, ‘Week #2’. This should be used once every week of each month (e.g. every Friday). Therefore ‘Week #1’ would be used on the first Friday of each month, ‘Week #2’ on the second Friday of each month, and so on.
- Monthly backups: have one backup media labelled ‘Monthly’. This should be used once every month (e.g. on the first working day of each month).
- Annual backup: this should be done at the end of the financial year.
Note: While this section gives details for physical media, network and online backup is also an option. This should not, however, be the only form of backup used. Consult your technical service provider for setup of network and online backup.
The backup rotation procedure will be dependent on the type of backup media and the process and software used. An example backup rotation schedule is provided in the Templates for Standard 7. This can be printed each month as a reminder of which media to use and record that the backup has been executed and checked.
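The labelling rules above (a daily set named by weekday, 'Week #1', 'Week #2' and so on for each Friday of the month, a 'Monthly' set on the first working day of the month, and an 'Annual' set at the end of the financial year) can be turned into a function that tells the practice which labelled media to use on a given date, and that prints the monthly reminder sheet. The following is an added example and is not the Standard's Template 7.2. It assumes a Monday-to-Friday practice with no allowance for public holidays, that the financial year ends on 30 June (the Australian financial year), and that when rules overlap the longer-retention set takes precedence (Annual over Monthly over Weekly over Daily); all of these are assumptions, not rules stated in the Standard.

```python
"""Media rotation schedule (added example, not the Standard's Template 7.2).

Assumptions: working days are Monday to Friday (public holidays ignored),
Friday's slot is the weekly set, the Monthly set is used on the first working
day of each month, the Annual set on the last working day on or before 30 June
(Australian financial year), and overlapping rules resolve as
Annual > Monthly > Weekly > Daily.
"""
import calendar
from datetime import date, timedelta
from typing import List, Optional, Tuple

WEEKDAY_NAMES = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]
FY_END_MONTH, FY_END_DAY = 6, 30   # assumption: Australian financial year end


def is_working_day(d: date) -> bool:
    return d.weekday() < 5   # add public holidays here if the practice tracks them


def first_working_day(year: int, month: int) -> date:
    d = date(year, month, 1)
    while not is_working_day(d):
        d += timedelta(days=1)
    return d


def last_working_day_on_or_before(d: date) -> date:
    while not is_working_day(d):
        d -= timedelta(days=1)
    return d


def media_label(d: date) -> Optional[str]:
    """Return the labelled media set to use on date d, or None on a non-working day."""
    if not is_working_day(d):
        return None
    fy_end = last_working_day_on_or_before(date(d.year, FY_END_MONTH, FY_END_DAY))
    if d == fy_end:
        return "Annual"
    if d == first_working_day(d.year, d.month):
        return "Monthly"
    if d.weekday() == 4:
        # Fridays: first Friday of the month is Week #1, second is Week #2, ...
        # A month with five Fridays needs a 'Week #5' set as well.
        return f"Week #{(d.day - 1) // 7 + 1}"
    return WEEKDAY_NAMES[d.weekday()]


def rotation_sheet(year: int, month: int) -> List[Tuple[str, str]]:
    """(ISO date, media label) for every working day of the month: the printable reminder."""
    days_in_month = calendar.monthrange(year, month)[1]
    sheet = []
    for day in range(1, days_in_month + 1):
        d = date(year, month, day)
        label = media_label(d)
        if label is not None:
            sheet.append((d.isoformat(), label))
    return sheet


if __name__ == "__main__":
    for when, label in rotation_sheet(2024, 3):
        print(f"{when}  {label:<10}  executed: ____  checked: ____")
```

The printed sheet leaves space for recording that the backup was executed and checked, which is the same information the Template 7.2 recording sheet captures. For a March 2024 sheet the first line is the Monthly set (1 March 2024 is both a Friday and the first working day of the month), and 28 June 2024 resolves to the Annual set because 30 June falls on a Sunday that year.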
7.10 Backup storage
The physical protection of backup media is important. It should be securely stored and access to it controlled. Leaving backups next to the computer or in publicly accessible areas creates a security risk. Ensure that backups are taken offsite daily and stored in a secure environment (e.g. not left in cars or subject to heat). This includes awareness of who has the most recent backup at any one time.
Continuous (real-time) backup to a second server protects against business downtime from a server failure. Practices should weigh the cost of a server failure against the initial capital cost of installing a second server. Note that a continuous copy mirrors whatever happens on the primary server, including accidental deletion or corruption, so it complements rather than replaces the rotated point-in-time backups described above.
7.11 Backup access
Access to the backup media and to the backup system should be restricted to authorised practice team members, and those members should be trained in the backup and restoration procedures.
7.12 Legacy systems data storage
The practice policy on backup process should also include the procedures for keeping archived data (e.g. yearly backups) to ensure that they are able to be read by current hardware.
It is important that archive backups (weekly, monthly and yearly backups) can be read in the future. This becomes an issue when computer systems and backup methods are updated and replaced. A process for transferring archive backups to current backup media is required to ensure they can always be read by the currently available technology. The practice should be aware of and adhere to the national and state records legislation in regards to the retention of patient information. The archive backups form part of this requirement. The backup and long-term record-keeping policy for the practice should detail the local and national requirements. Further, these policies should ensure continuity of access to archived data and the processes for conversion of legacy system information to current readable formats.