3 questions to ask your Backup and Recovery Provider about HIPAA Compliance

KeyCloud Security - HIPAACompanies in all industries are dealing with an explosion in the amount of data they have to manage. This is especially true for healthcare organizations. With electronic patient records, patient tests and scans, and other information constantly being created and changed, it can be tough to keep up.

On top of that, healthcare organizations face numerous regulations that place strict rules on how this private patient data has to be stored and protected. This makes sense since healthcare organizations are trusted with some of the most sensitive, private data that exists. Of course, when it comes to data and privacy, no regulation has a greater effect on organizations in the industry, than the Health Insurance Portability and Accountability Act, or HIPAA.

Being HIPAA compliant involves a range of data protections including privacy, security and what to do if a breach occurs. Complying with these wide ranging and difficult regulations can stretch IT departments to the breaking point, while not ensuring compliance. The fact that healthcare IT departments are generally lean — these companies generally try to put every possible dollar towards patient care — only adds to the challenge.

To help stay in compliance, and save IT time and money, many healthcare organizations have begun investigating backup and recovery as a service (BRaaS) options. Naturally, these organizations are cautious when considering a move to cloud-based backup and recovery, so we thought it might be helpful to look at some of the important questions healthcare organizations should ask BRaaS solution providers when considering a move.

Are you HIPAA certified?

This is somewhat of a trick question. In fact, no data center or cloud provider is “HIPAA certified” — it’s not a certification that is offered. That being said, there are many things providers can do to make sure they allow you to be HIPAA compliant. Make sure your solution provider has adopted all the associated rules to allow their data center and the cloud services to keep you in compliance.

As an extra step, see if your solution provider has been through an external audit by an independent investigator. These audits can determine that the provider is presenting their information security program fairly in its literature, and that the program adopts all the essential elements of HIPAA. Any company that has been through one of these audits has a detailed report from the auditor. Ask to see it.

How do we know our data will be secure?

There are a few critical items to look for when it comes to actual data security. First, the security process has to account for physical dangers, like fire, flood, or other incidents. This means data should be automatically backed up to a secure offsite facility regularly — think every few minutes, not hours.

Another thing to be sure of is that your data is encrypted, at-rest, in-transit, and when it’s finally stored. Look for technology like AES-256 bit encryption, and other state of the art security measures.

How do we restore from backup if something happens?

What good is a secure backup if you can’t recover quickly from that backup? HIPAA has strict requirements around disclosing data breaches, including “The extent to which the risk to the protected health information has been mitigated.” Being able to ensure that you can restore from backup instantly with RTOs (recovery time objectives) and RPOs (recovery point objectives) of zero makes any breach that does happen much less painful.

Look for BRaaS solutions that let you determine which recovery tasks will happen automatically and which you want to manage more manually. Being able to do all this through a user-friendly interface from anywhere with an internet connection is a crucial consideration, as well, should your primary storage be compromised.

Getting solid answers to these three questions should give you a good start when finding a BRaaS solution for your organization. These questions probably lead to one more for those CIOs out there: How can BRaaS help our bottom line?

This is, of course, different for every organization. But by getting off the constant hardware provisioning, and taking advantage of the many other benefits of BRaaS, the cost savings can be significant.

Want to see how much your organization can save? Check out our backup and recovery calculator.


Drew Woods
Key Information Systems