Information security in general practice

Information backup

About backups

      1. About backups

Last revised: 21 Apr 2023

Information backup

Your practice should have reliable information backup systems to support timely access to business and clinical information.

About backups

Backup is the process of copying files or databases so that they are preserved in the event of equipment failure or other catastrophes. It is essential that practices have robust backup procedures in place. For practices using cloud-based systems, it is recommended to consider cloud-to-cloud backup solutions.

It is highly recommended to keep separate copies of your critical business data in multiple places in case data loss occurs. This data needs to be kept safe, offsite and, if possible, encrypted. The more secure copies of data you have, the safer it will be.

Backing up business-critical information is a requirement for a general practice to achieve accreditation (refer to the RACGP’s Standards for general practices [4th edition], Criterion 4.2.2 Information security). It is recommended that practices have a reliable and robust information backup system to support prompt and secure access to business and clinical information.

The creation of a backup process may require assistance from a technical service provider.

Backup processes and accreditation

To meet accreditation, and for purposes of business continuity, ensure your practice backup process:

  • is checked at regular intervals (i.e. daily), including the ability to recover the data
  • is consistent with the business-continuity plan your practice has developed, tested and documented
  • details how to access backed up information and in which offsite locations information is securely stored, both digitally and in hard copy.

About backups

All practice management and clinical systems data, as along with other relevant documents, email files and user profiles should be backed up. You may require different backup and recovery procedures to manage these requirements.

All backups and archived data should be encrypted and password protected where possible and kept at secure locations.

The cost of data loss

The loss of critical data has the potential to create substantial financial and operational costs to your practice when trying to restore day-to-day business operations.

The amount of data lost, along with the reliability and efficiency of your practice’s data recovery system and processes, will determine the magnitude of the cost.

A severe disruption and loss of data could cause significant downtime in daily operations, as well as loss of financial revenue. Additionally, if a business continuity plan is not in place, the cost of restoring data by outsourcing to a data loss prevention company can be expensive.

Case study: The cost of not regularly testing your backups

A practice in New South Wales suffered a devastating failure  when a power outage occurred during the night and the uninterrupted power supply (UPS) did not correctly shut down the servers. The UPS instead ran until it was exhausted, and the servers were suddenly without any power. This corrupted the database.

When IT support tried to restore the data from the previous night’s backup and earlier versions, it was discovered that those three most recent backups were unusable. Unfortunately, no one in the practice was aware the backups were unusable as they had not been tested for readability.

The practice consequently lost three days’ worth of patient and business data, which proved to be disruptive and expensive for months afterwards.

The loss of data resulted in patients arriving for previously booked appointments that were no longer recorded in the practice systems, due to the faulty backups. GPs in the practice had to rely on patients to provide information on what had occurred during visits on the days where the clinical information system data was missing. The total cost resulting from the loss of data for a practice with 12 full-time equivalent (FTE) GPs is likely to have run into the tens of thousands of dollars.


Press print on appointments

To prepare for a computer failure, you may wish to consider printing out a copy of the following day’s appointments each evening. Doing so will allow your practice to continue running and keep appointments while the computer issue is being resolved.


Backup terminology

Backup is the process of copying files or databases so they can be restored in the event of equipment failure or other catastrophes.

Optimal backup processes are where multiple security controls are layered throughout an IT system to reduce the risk of a network attack. This is an extremely thorough backup process. It provides extra assurance that business-critical information is secure and easily recovered in the event of a disaster or system failure.

Redundancy is the method of using more internal drives than necessary to duplicate and store data, storing it in more than one place. It offers immediate data protection against drive failure. Another benefit is that the system will indicate if one of the internal drives has failed, offering you the chance to backup important data and replace the failed drive.

Synchronisation is a process in which files in multiple locations update each other, copying changes back and forth, whether it be real-time local or offsite. There are many different file synchronisation software packages available.


Optimal backup process

  • When using the ‘optimal backup’ approach, the primary physical server database (both clinical and financial) is synchronised to a secondary onsite physical server every 15 minutes and checked daily.
  • Additionally, the backup is synchronised over the internet to a cloud-hosted storage site overnight. This occurs automatically.
  • Data is backed-up daily to a NAS and a USB hard drive (which is rotated) and is then stored offsite.
  • It is recommended to backup up your entire server system daily using third-party software in case a ‘bare-metal restore’ is required. Archived backups dating back at least three years are kept offsite and stored in a dedicated archive server, allowing your computer system to be restored following a catastrophic failure of some sort.
  • If a backup is not completed successfully, failure notification email messages are automatically sent to the IT team and practice manager.
  • The entire process must also be documented and reviewed periodically.
  • Implementing thorough ‘defense in depth’ backup protocols across your practices will ensure the entire database can be restored and that your practice can return to normal working order quicker in the event the system completely fails.

What types of data need to be backed-up?

All information that is critical to the operation of your general practice should be backed-up. This includes:

  • clinical information system data, including patient healthcare information
  • patient demographic and contact details, billing and financial information, appointments and practice management
  • business management information including staff details, payroll, IT and any relevant third-party contact details
  • web page data.

The type of data you are backing up will determine your method and process:

  • Critical data – e.g. your patient healthcare information and any data required to run your business. You may want to have redundant backup sets that extend for several backup periods. Critical data must be encrypted and kept secure.
  • Sensitive data – e.g. personal health information details. It is recommended that you ensure backup data is physically secured and encrypted.

Create a policy: Information backup

Your policy should outline all processes and procedures for backing up your practice data.

Your policy should cover:

  • how to complete all practice backup procedures correctly
  • how your backups are encrypted
  • where copies of your business-critical data and backup are stored (both onsite and offsite are recommended)
  • how your backup data is restored
  • how long it takes to restore your backup data
  • managing your archived data in a format readable by your current hardware
  • your practice’s obligations under national and state records legislation relating to the retention of patient information
  • practice team education and training for those with authorisation for backup access on backup processes
  • details of which practice team members are trained and authorised to perform backup procedures
  • details of any automated backup processes
  • testing data restoration regularly (daily is recommended)​

Standards indicator

  • C6.4E Our practice has appropriate procedures for the storage, retention, and destruction of records.

    You must maintain and test a business continuity plan for information recovery and maintain a privacy policy.