A guide to information backup in general practice

About backup

Backup is the process of copying files or databases so they are preserved in the event of equipment failure or other catastrophes. It is an essential activity for general practice to have backup procedures in place.

It is recommended to keep separate copies of your business-critical data in multiple places in case data loss occurs. This data needs to be kept safe, offsite and, if possible, encrypted. The more secure copies of data you have, the safer it will be.

Backing up business-critical information is a requirement in order for a general practice to achieve accreditation (refer to the RACGP’s Standards for general practices [5th edition], Criterion C6. Information security). It is recommended that practices have a reliable information backup system to support timely access to business and clinical information. In order to meet accreditation and for purposes of business continuity, ensure your practice backup process:

  • is checked at regular intervals (ie daily), including the ability to recover the data
  • is consistent with the business continuity plan your practice has developed, tested and documented
  • details how and in which offsite locations information is stored.

This checklist details the recommended procedures to help achieve the minimum level of secure and reliable backup in your practice:

Complete written backup policy in place that is periodically reviewed

Backup policy is communicated in written format, training is provided on the process and all practice team members have access to the policy

Daily automatic initiation of full backup of all data and programs

Backup is encrypted with password

Backup is periodically checked for reliability and the outcome tracked

Backup is tested daily and regularly manually restored by, or under the guidance of, an IT professional

Backup media comprises of a combination of removable hard disk, networked storage that is not generally accessible across the network, separate network, or offsite (cloud)

The media used for each method of backup is rotated frequently to ensure there are multiple copies of the practice data at any point in time

Current backup is securely stored both onsite and offsite

Backup access only for authorised practice team members

Retain access to previous backup technology and readability of previous media tested

The loss of critical data has the potential to impose a substantial financial and operational cost to your practice when trying to restore day-to-day business operations. The amount of data lost, and the reliability and efficiency of the practice’s data recovery system and processes, will determine the magnitude of the cost. A severe disruption and loss of data could cause significant downtime in daily operations, as well as loss of financial revenue. Additionally, if a business continuity plan is not in place, the cost of restoring data by outsourcing to a data loss prevention company can be expensive. Having a business continuity plan and a reliable, frequently tested backup procedure as part of your normal practice operations is therefore crucial.

In addition to having a sound backup system in place, your practice needs a continuity plan to encompass all critical areas of your practice’s operations, such as:

  • enabling clinical team members to provide adequate clinical care while not having access to electronic health records
  • appointment scheduling
  • billing
  • business financial operations (eg payroll, Medicare claims).

Once a plan has been formulated, it needs to be regularly tested in order to ensure backup protocols are working properly. Refer to RACGP’s Information security in general practice for a comprehensive explanation of what a business continuity and recovery plan should entail, and templates to assist your practice in developing one.

Refer to the ‘Further reading’ section for more information on resources that are helpful in business contingency planning.


A general practice in inner-Melbourne prints out a copy of the following day’s appointments each evening. In the event of a computer failure, this allows the practice to continue running and keep appointments while the issue is being resolved.

As an added precaution, it is recommended you be able to restore data to a test computer which has a separate copy of the practice software, in order to validate data against the live system.


This is the method of using more internal drives than necessary to duplicate and store data (ie storing the same data in more than one place). It offers immediate data protection against drive failure in real-time. The system will indicate that one of the internal drives has failed, offering you the chance to backup important data and replace the failed drive.

It is recommended that you have a primary contact for your practice’s backup and recovery plan. Ensure that you have a written agreement that clearly outlines the roles and accountabilities for the primary contact. This role is a key responsibility, so you must ensure the person possesses the necessary skills and understanding of the impact a data loss or backup failure will have on the practice.

This staff member might also be responsible for performing or monitoring the actual backup and recovery of data. Alternatively, your practice may contract an IT company to control the backup and recovery process. If you choose to use an external IT company, you will also require a written agreement that outlines the organisation’s roles and accountabilities.

If you have decided to engage the services of an external IT provider, there are certain factors and questions to consider in order to help choose the right one for your practice needs:

  • What is the history and background of the IT business? Does it have experience in the healthcare industry?
  • What are the qualifications and expertise of the business’ staff members?
  • What type of hardware (if any) is supplied and what is the warranty period?
  • What are the details of the service agreement? (Request a copy of the service agreement prior to finalising your decision, and ensure that you and the IT provider have agreed on the same terms of the service delivery.)
  • What insurance cover does the business have?
  • What risk management strategies are in place?
  • Will the business be available to provide support if you run into trouble?
  • Does the business provide remote monitoring and maintenance systems?
  • Is there remote monitoring of backup and regular restoration from backup?
  • Does the business’ area of expertise cover site servers or cloud-based systems, or both?
  • What is the cost of the service? Are there differing price structures depending on the level of support required  (eg 24-hour monitoring to ensure there is no down time)?
  • What support does the business provide when the practice is undergoing accreditation?

For further information on reviewing contracts and service-level agreements with external IT providers, refer to the document on ‘Contracts’ on the RACGP’s web page for general practice hardware and software requirements.

All information that is critical to the operation of your general practice should be backed up. This includes:
  • clinical information system data, patient healthcare information
  • patient demographic and contact details, billing and financial information, appointments and practice management
  • web page data.

The type of data you are backing up may determine your method and process:

  • Critical data – for example, your patient healthcare information and any data required to run your business. You may want to have redundant backup sets that extend for several backup periods. Critical data should be encrypted and kept secure.
  • Sensitive data – for example, personal health information details. It is recommended that you ensure backup data is physically secured and encrypted.

The frequency of data change can affect decisions regarding how regularly it should be backed up. For example, data that changes daily should be backed up daily.

You must have backup hardware and software in order to perform backups. Timely backups may require several backup devices and sets of backup media. There are several types of backup hardware:

  • Local or direct-attached hardware:
    • This hardware can include portable hard drives, USB flash drives, desktop external storage devices, tape and optical media (CDs, DVD, or Blu-ray).
    • It is important to store copies offsite, and it is recommended you keep and cycle multiple removable devices  (eg portable hard drives), as they can be prone to failure.
    • Using local or direct-attached hardware can be fast; however, you can only back up one computer at a time with each medium.
  • Network backup using a local server:
    • Network backup means having one computer as a backup destination for all other computers and devices. The best way to do this is with a network-attached storage (NAS) server.
    • You will still need to have an offsite backup when using a local server backup. It is recommended that a second backup of the local server be taken offsite.
    • Multiple computers can be backed up at the same time, but initial setup can be costly and complicated.
  • Online backup or cloud backup using the internet:
    • An efficient form of backup, but relies heavily on a fast and secure internet connection.
    • These services are provided by external IT companies.
    • It is important to consider where the backed-up data is held. Online and cloud servers may be located outside of Australia, so seek to ensure the information is stored only in countries with privacy protections that are compatible with Australian law.

It is recommended that a combination of backup hardware be used. Your data storage strategy and the types of backup media you use will depend on the volume of data and available budget.

You will need to consider the physical location of your backed-up data. For general practice accreditation, it is recommended that your backups are stored offsite, as this is essential to recovering your information in the case of a natural disaster. Your offsite storage location should also include copies of the software you might need to install to re-establish and restore operational systems.

Ensure you have offsite copies of installation media for practice software, license information and operating system details. Where backups are retained using old media, the media recorders and players will also need to be retained (eg tape recorders).

Any backup storage location needs to be a secure environment. Lost or stolen data can lead to identity theft and breaches of patient privacy. Wherever the physical location, ensure it is kept secure and limit the number of staff members with access. If your main backup is to NAS, an air-conditioned room will keep it and other hardware from overheating.

It is important to be aware of the physical environment in which backup media is stored. Backup media is often storied in cupboards and safes, for example. The location should be hazard-free in order to ensure media will not be damaged.

More than one backup method should be used if it is practical to do so. Backup media should be cycled, or rotated,  so that there are multiple backup copies of the practice data at any point in time.

Scheduling backups during times of lower system use will help speed up the process. Try to schedule backups for a time during which the process is less likely to impact on day-to-day business, ie out of business hours or overnight.

Your clinical information system is likely to have an inbuilt automated backup function, and you should consult with your vendor regarding how these backups are undertaken and how they can be accessed if required.

This event attracts CPD points and can be self recorded

Did you know you can now log your CPD with a click of a button?

Create Quick log