6. Plan for the Unexpected
Sooner or later, the unexpected will happen. Fire, flood, hurricane, earthquake, and other natural or man-made disasters can strike at any time. Important health care records and other vital assets must be protected against loss from these events. There are two key parts to this practice: creating backups and having a sound recovery plan.
In the world of business, creating a backup is routine. In a small practice, however, staff members may be familiar only with a home computing environment, where backups are rarely considered until a crash happens, by which time it is too late. From the first day a new EHR is functioning in a practice, the information must be backed up regularly and reliably. A reliable backup is one that can be counted on in an emergency, so it is important not only that all the data be correctly captured, but that it can be quickly and accurately restored. A backup that has never actually been restored from is unproven: backup media must be tested regularly, by restoring from them, for their ability to bring the data back intact.
Whatever medium is used to hold the backup (e.g., magnetic tape, CD, DVD, removable hard drive), it must be stored safely so that it cannot be wiped out by the same disaster that befalls the main system. Depending on the local geography or type of risk, this could mean that backups should be stored many miles away. One emerging option for backup storage is cloud computing, which may be viable for many practices since it involves no hardware investment and little technical expertise. However, a cloud backup service must be selected with care. The backed-up data must be as secure as the original: the practice should understand how the provider protects the data in transit and at rest, who at the provider can reach it, and what the provider is obligated to do to safeguard it. Encrypting the data before it leaves the office, with keys that stay under the practice's control, keeps a breach at the provider from becoming a breach of patient records.
Critical files can be manually copied onto backup media, although this can be tedious and potentially error-prone. If possible, an automated backup method should be used.
Some types of backup media are reusable, such as magnetic tape and removable hard drives. These media can wear out over time and after multiple backup cycles. It is especially important to test them for reliable restore operations as they age.
Storage of backup media must be protected with the same type of access controls as described in Tips 7 and 10. The Contingency Planning Safety Assurance Factors for EHR Resilience (SAFER) Guide 7 identifies recommended safety practices associated with planned or unplanned EHR unavailability.
Recovery planning must be done so that when an emergency occurs, there is a clear procedure in place. In a disaster, health care practices may be called upon to supply medical records and information rapidly. The practice must be prepared to access its backups and restore functionality, which requires knowing what data was backed up, when the backups were done (timeframe and frequency), where the backups are stored, what types of equipment and software are needed to restore them, and, if the backups are encrypted, where the keys are kept and who can retrieve them. A copy of this information should also be kept at a remote location, with a named person responsible for producing it in an emergency.
Is it OK to store my backup media at home?
A fireproof, permanently installed home safe, for which only the health care provider knows the combination, may be the most feasible choice for many practices to store backup media. This would not place the backup outside the danger zone of a widespread disaster (earthquake, hurricane, nuclear accident), but it would provide some safety against local emergencies such as fire and flood. Fireproof portable boxes, or safes for which non-staff know the combination, are inadequate.
Backup and Recovery Checklist
Policies are in place prescribing backup and recovery procedures.
All staff members understand the recovery plan and their duties during recovery.
System restore procedures are known to at least one trusted party outside the practice.
A copy of the recovery plan is safely stored off-site.
Files identified as critical are documented and listed in the backup configuration.
Backup schedule is timely and regular.
Every backup run is tested for its ability to restore the data accurately.
Backup media are physically secured.
Backup media stored off-site are encrypted.
Backup media are made unreadable before disposal.
Multiple generations of backups are retained as a failsafe, so that a single faulty backup does not leave the practice with nothing to restore.
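The combination the checklist asks for (a documented list of critical files, an automated backup, and a restore test for every run) as a worked example in Python. This is an added example and is not part of the original guide or of any EHR product; the data-root layout, the file names and the sample file contents are all constructed for illustration. It archives the critical files, records a SHA-256 digest for each, then performs a trial restore into scratch space and compares what came back with what was captured, so a backup that cannot be restored is discovered on the day it is taken rather than on the day of the disaster. Encrypting the archive before it leaves the building (the off-site item in the checklist) is a separate step done with the practice's own tools and is not shown here.

```python
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

# Files the practice has listed as critical, relative to the EHR data root.
# Names are made up for this example; the real list comes from the backup policy.
CRITICAL_FILES = ["ehr/patients.db", "ehr/config/settings.ini", "ehr/audit/access.log"]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large databases need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            digest.update(block)
    return digest.hexdigest()


def create_backup(root: Path, archive: Path, critical=CRITICAL_FILES) -> dict:
    """Archive every critical file and return the manifest {relative path: sha256}.
    A missing critical file aborts the run: a backup that quietly skips a
    configured file is worse than a loud failure someone has to look at."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in critical:
            src = root / rel
            if not src.is_file():
                raise FileNotFoundError(f"critical file missing, backup aborted: {rel}")
            manifest[rel] = sha256_file(src)
            tar.add(str(src), arcname=rel)
        # A copy of the manifest travels inside the archive so a restore can be
        # checked even if the separately stored copy is lost.
        blob = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def verify_restore(archive: Path, expected: dict) -> list:
    """Trial-restore into scratch space and compare every file with the manifest
    recorded at backup time. Returns the problems found; an empty list means the
    backup really can be restored."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch_dir:
        scratch = Path(scratch_dir)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The 'data' filter (Python 3.12, backported to late 3.8-3.11
                # releases) refuses members that would escape the target directory.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"archive unreadable: {exc}"]
        for rel, digest in expected.items():
            restored = scratch / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"content mismatch after restore: {rel}")
        embedded = scratch / "MANIFEST.json"
        if not embedded.is_file() or json.loads(embedded.read_text()) != expected:
            problems.append("embedded manifest does not match the recorded one")
    return problems


def demo() -> tuple:
    """Back up constructed sample files, then run the restore test against the
    fresh archive, a mislabelled one, and one damaged like a worn medium."""
    with tempfile.TemporaryDirectory() as work_dir:
        work = Path(work_dir)
        root = work / "data"
        samples = {  # constructed sample data, not real patient records
            "ehr/patients.db": b"constructed sample record store\n" * 200,
            "ehr/config/settings.ini": b"[server]\nport=8443\n",
            "ehr/audit/access.log": b"2024-01-02T08:00:00Z login user=dr_smith\n",
        }
        for rel, content in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        good = work / "backup-1.tar.gz"
        manifest = create_backup(root, good)
        good_problems = verify_restore(good, manifest)
        # A record changes and a second backup is taken; checking it against the
        # first run's manifest models media labelled with the wrong backup date.
        (root / "ehr/patients.db").write_bytes(b"record updated after backup-1\n")
        later = work / "backup-2.tar.gz"
        create_backup(root, later)
        mislabelled_problems = verify_restore(later, manifest)
        # Half the archive lost, as on a failing tape or scratched disc.
        data = good.read_bytes()
        damaged = work / "backup-damaged.tar.gz"
        damaged.write_bytes(data[: len(data) // 2])
        damaged_problems = verify_restore(damaged, manifest)
    return good_problems, mislabelled_problems, damaged_problems
```

Calling demo() returns the problem lists for the three cases: the fresh archive restores clean, the mislabelled one reports a content mismatch for patients.db and a manifest that does not match, and the damaged one reports that the archive is unreadable. In production, create_backup would run from the scheduler at the frequency the policy sets, verify_restore would run immediately afterwards and again periodically against the media on the shelf, and any non-empty result would go to a named person rather than only to a log nobody reads.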