tech enabling business Keeping critical information safe · 2018. 4. 18. · well. In fact, many do...

Keeping critical information safe: Backups and data protection for Australian healthcare providers A StorageCraft guide c3group tech enabling business


Contents

• Introduction
• Backups matter: Healthcare’s compliance requirements
• Backup challenges for healthcare providers
• The service provider opportunity
• Best practices for healthcare industry data protection
• From backup to business continuity in healthcare
• Recommendations for healthcare providers
• Contact
• About StorageCraft


Introduction

This report is intended to reveal the critical importance of backups, data protection and business continuity for healthcare providers.

The healthcare industry houses some of the most sensitive data, and even with all of the automation capabilities of secure backups, there continues to be a significant gap in knowledge when it comes to the solutions available to keep this imperative data safe.

There are thousands of small to medium healthcare centres throughout Australia and, despite a paper legacy, almost all of them now collect patient data electronically.

This report is for those doctors, specialists and other clinics who are in need of a secure backup system, but do not have the tools or expertise to perform backups to industry best practice. This report is not written for large public or private hospitals, or state government departments like the NSW Ministry of Health, which have dedicated IT management resources. Those enterprises, however, could nevertheless benefit from the recommendations in this guide.

As data becomes more central to effective healthcare and better patient outcomes, industry leaders must be aware of the threats to data and how one incident can potentially put a practice out of business.

Best practice backup and data protection processes combined with cloud-based, offsite storage, eliminate the risk of a catastrophic failure and prepare healthcare businesses for a long-term future.


Backups matter: Healthcare’s compliance requirements

Computer backups and data protection are critical for today’s healthcare providers. Over the past three decades, the industry has moved from paper to electronic patient records, resulting in most healthcare practitioners having significant repositories of client data on their servers.

Unlike other industries, healthcare has statutory regulations and general best practice guidelines for the retention of patient data. In Australia, legislation around the retention of medical records varies by state; however, it is accepted and recommended by healthcare professional colleges and medical insurers that clinical records are kept for [1]:

• Seven years from the date of last entry for an adult.

• Until the age of 25 years for a child under the age of 18.

An important factor for Australian healthcare providers is that backed up data is encrypted and does not leave Australia. This level of compliance can only be maintained with whole-server backups, and not having data backed up is now a liability in the healthcare industry.

These guidelines and regulations add to the challenge of data protection in healthcare and call for a dedicated, professional approach to backups and business continuity.

[1] http://www.mcnsw.org.au/page/65/resources/legislation/medical-records-act---regulations/

[2] http://www.abc.net.au/news/2012-12-10/hackers-target-gold-coast-medical-centre/4418676

Patient data held to ransom in Gold Coast medical centre attack

A stark example of how easily medical records can be targeted by encryption malware occurred in 2012 on the Gold Coast, Australia [2]. The attackers broke into the medical centre’s computer system and demanded a ransom of $4,000 to decrypt the sensitive information, including patient records. Even with anti-virus software running, the attackers were still able to use their encryption app. The clinic was left scrambling to restore its data from backups.


Backup challenges for healthcare providers

The healthcare industry has regulatory requirements for data retention, but the challenges it faces with backups are not unique; in fact, they are similar to those of other industries. Threats to data, such as ransomware, human error, or a flood or fire, can strike any organisation, and without proper backups, there is often no way to get the affected data back.

Jack Alsop, Director of Technical Services for Australia and New Zealand at StorageCraft, an industry leader in backup and disaster recovery solutions, says many small to medium sized healthcare providers still don’t have a means to back up data to an offsite location.

“In healthcare there is a legal requirement, however, that does not mean data protection is performed well. In fact, many do not have regular local or offsite backups,” Alsop says.

“Many in the industry do not understand the importance of backups. IT is vital, but not considered a primary part of the business. Ransomware doesn’t care who you are: you could be a doctor or a judge - it will still encrypt your data so you can’t access it.”

Another challenge facing the sector is the lack of trusted advisors who can offer concise information about the importance of backups and what options are available.

“They say they are doing backups, but are they doing them regularly and correctly? Often they don’t have anyone to turn to who can communicate the problem and offer a cost-effective solution.”

The service provider opportunity

Without an understanding of the backup options available, healthcare providers are often relying on IT service providers to introduce them to technology.

Brian Townley, General Manager of C3 Group, says that partnering with an IT Provider is the first step to ensuring you’re doing the right thing by your practice and patients, as you’ll have experts to leverage for a superior backup and disaster recovery strategy.

C3 Group is a reputable IT Provider, and StorageCraft partner. They have a strong focus on helping SMEs improve data protection, and have extensive experience in providing the knowledge and solutions that permit businesses to have greater security and preservation.

“There are many options that come with data-storage and security,” Townley says. “A big thing for us is helping businesses understand what’s available to them and how it works, so they can make an informed decision about their company and clients’ safety.”

Bringing light to what’s available to healthcare providers is something C3 Group is proactively doing. Additional security and peace-of-mind can be as easy as replicating data to StorageCraft’s cloud servers in Sydney, so that backup data can be encrypted from the time it leaves the server, and never leave Australia.


According to Alsop, a partnership between the healthcare market and IT firms acting as trusted advisors is necessary to allow for superior data protection, and therefore greater data safety within the industry.

From paper to digital in healthcare

From doctor’s notes and test results to medicine prescriptions, healthcare continues to carry many paper-based processes. Smaller clinics like those for general practitioners and specialists have largely moved from paper to electronic records with government support, but many paper-based records remain and are generated at different points of a treatment cycle. Electronic records have many advantages (most notably discovery and transferability) over paper, and although paper cannot be compromised by a digital threat like ransomware, it should not be considered safer. Paper is vulnerable to environmental risk factors like fires and is more difficult to duplicate to an offsite location. As recently as April 2017, confidential paper-based medical records from a number of NSW hospitals were found dumped in a bin in Sydney [3].

[3] http://www.dailytelegraph.com.au/newslocal/central-coast/gosford-hospital-medical-records-found-dumped-in-communal-bin-at-sydney-apartment-block/news-story/645ac60c5ed734e58220c18faff82680


Best practices for healthcare industry data protection

Healthcare providers have a good opportunity to significantly improve their compliance and data protection with local and offsite backups. A modern backup capability will ensure data is kept secure for long periods and the clinic can continue to operate, or recover quickly, in the event of a problem.

Best practices for protecting and securing healthcare data include:

• Identifying the requirements. Not all data is equally important, so business leaders must determine what is valuable to the organisation - both legally and practically. Healthcare data retention requirements vary, so it’s important that you identify what needs to be retained, and for what time period.

• Have multiple copies of data, including offsite. A pro tip is to keep at least three copies of data, including the raw data, a backup copy and an offsite replication. Understand what data you have, where it is located and how to manage it. Leveraging the power of the cloud for backups and disaster recovery with an on-site server is, for many healthcare providers, a strategic hybrid solution that gives them the edge of greater security.

• Backup and report daily. The frequency of online threats dictates regular, daily backups. A small medical practice will generate hundreds of clinical interactions per day. If backups are performed only weekly and an incident occurs, this will put patients and medical professionals at risk. Make sure your backups are set up to report regularly and that somebody knows how to read the report and does so.

• Consolidate your data sources. Try to limit the number of data sources you have in your clinic. This will help avoid data being left out of the backup process and prevent data loss. Review all your data sources, from desktops to removable drives.

• Test backups and recovery. Modern backup tools have native testing features which confirm if a backup was completed successfully or not. Testing is very important because if a backup did not complete successfully then the data cannot be restored from that backup. The ability to get up and running with minimal downtime depends on the efficiency of the restoration process, which is often overlooked by many practices. In the event of a data loss or corruption incident, a properly tested backup can be restored from quickly and easily.

• Secure the data and network. Backups should be encrypted on local storage and before being replicated to the cloud. To prevent ransomware and other malware attacks, a number of practical steps can be taken to secure desktops and servers on the local network [4]. As an additional layer of security, specialist anti-malware software should be used on all clients and servers to identify any potential threats to your data. Healthcare data is some of the most sensitive data generated and security should be part of the backup process, not something added on afterwards.

[4] See the StorageCraft guide: Best practices for securing backups and mitigating ransomware attacks


• Retention management. Use tools which can manage incremental backups and provide visibility into point-in-time backups. It is not uncommon for a healthcare practice to see some patients infrequently. If a data corruption problem occurred with a set of patient records it might not be noticed for months or even years. While this is rare, it is something practice managers need to guard against. Furthermore, the practice might have a legal need to know what was in the records at a certain point in time. Use a backup system with retention management capability to provide details of the data as it was at a certain time.
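The checks in the list above can be turned into an automated audit of a backup inventory. The following is an added example, not part of the StorageCraft guide or any StorageCraft product: the `Copy` record, the location names, the 30-day restore-test threshold and the reading of the retention guideline as "under 18 at the date of last entry" are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional


@dataclass
class Copy:
    location: str                      # "primary", "local-backup" or "offsite" (assumed names)
    encrypted: bool
    last_success: datetime             # last backup job that completed
    last_verified: Optional[datetime]  # last restore/verify test that passed


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                 # 29 Feb moved into a non-leap year
        return d.replace(year=d.year + years, day=28)


def retain_until(last_entry: date, date_of_birth: date) -> date:
    """Guideline quoted in the guide: seven years from the last entry for an
    adult; until age 25 for a child (assumed: under 18 at the last entry)."""
    if last_entry < add_years(date_of_birth, 18):
        return add_years(date_of_birth, 25)
    return add_years(last_entry, 7)


def audit(copies: List[Copy], now: datetime,
          max_age: timedelta = timedelta(hours=24),         # "backup daily"
          max_unverified: timedelta = timedelta(days=30)    # assumed threshold
          ) -> List[str]:
    """Return findings for one data source; an empty list means it passes."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than three copies")
    if not any(c.location == "offsite" for c in copies):
        findings.append("no offsite copy")
    for c in copies:
        if c.location == "primary":
            continue                   # the checks below apply to backups only
        if not c.encrypted:
            findings.append(f"{c.location}: not encrypted")
        if now - c.last_success > max_age:
            findings.append(f"{c.location}: last backup too old")
        if c.last_verified is None or now - c.last_verified > max_unverified:
            findings.append(f"{c.location}: restore test missing or stale")
    return findings


# Constructed inventories for a hypothetical clinic server.
NOW = datetime(2018, 4, 18, 9, 0)
GOOD = [
    Copy("primary", False, NOW, None),
    Copy("local-backup", True, NOW - timedelta(hours=8), NOW - timedelta(days=3)),
    Copy("offsite", True, NOW - timedelta(hours=7), NOW - timedelta(days=10)),
]
WEEKLY_USB = [
    Copy("primary", False, NOW, None),
    Copy("local-backup", False, NOW - timedelta(days=6), None),
]

if __name__ == "__main__":
    for name, inventory in (("good", GOOD), ("weekly USB drive", WEEKLY_USB)):
        print(name, "->", audit(inventory, NOW) or "OK")
    print("adult record kept until",
          retain_until(date(2018, 4, 18), date(1980, 1, 1)))
```

Run daily against the real inventory, the list of findings doubles as the backup report that somebody is expected to read.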

By developing a detailed understanding of your healthcare practice’s requirements, and trusting in an industry leading Managed Services Provider, your level of data security & protection will increase exponentially, eliminating risks associated with privacy breaches and data loss, and potentially leading to wider business benefits, including diminished downtime, increased productivity, and overall, greater peace of mind.


From backup to business continuity in healthcare

In addition to meeting compliance requirements, a solid disaster recovery solution will allow healthcare providers to benefit from greater productivity, as a result of implementing business continuity.

Business continuity is a strategy whereby essential services are duplicated – or have contingency options in place – in the event of a disruption. This enables your systems to get back up and running in a matter of seconds, rather than waiting for the remediation process of a simple file backup. The routine operation of a business or healthcare practice can be impacted by many events, from a transport strike to a fire or malware attack. And with more business processes now digital, the availability of data and applications is a critical component of the value in implementing business continuity.

In healthcare there is a mature understanding of the need for business continuity in mission-critical environments like emergency rooms, but the non-hospital healthcare industry might not have a plan for a computer system outage.

StorageCraft’s Alsop says the need for business continuity comes down to the question of whether the business needs to keep running if something were to happen and your data were to become unavailable.

“Ask yourself, ‘what will be my cost if I don’t have a server?’ Doctors might not understand this, but if the ability to collect patient records was taken away they would be immediately concerned,” Alsop says.

“It comes down to one thing – you have insurance for specific reasons and it is worth having a fully costed TCO for business continuity. Business continuity is not difficult, but it has to be part of a whole insurance policy for the practice, because that’s the reality of it, it’s essentially technology insurance.”

For healthcare providers, improving their backups to include business continuity will help build resilience when there is a problem, and for StorageCraft partners, business continuity helps provide better service levels to clients [5].

Having been in business for over two decades themselves, C3 Group understands the undisputable benefits of business continuity. Townley always recommends this as a safeguard to businesses he knows would struggle if they were forced offline, for whatever reason.

“Healthcare is an industry that would suffer dearly if their systems were to become unavailable to them. Their staff and their patients alike would be affected. Where backups are certainly ‘sufficient’ protection, business continuity is a powerful tool in creating a strong disaster recovery plan that will give you peace-of-mind that your business is ready for anything,” Townley says.

[5] See the StorageCraft guide: Modern business continuity: Making the transition from VAR to MSP


Recommendations for healthcare providers

With healthcare providers of all sizes challenged by data retention compliance and external threats like ransomware attacks, a data protection strategy is essential for the long-term viability of the business.

Healthcare industry leaders are advised to action the recommendations in this guide and develop backup and recovery strategies that will suit the size and profile of their practice.

• Understand and communicate the need. The purpose of this guide is to help healthcare industry leaders understand the need for a modern backup capability. It can also be used to assist communicating this need to others. All staff, including clinicians, should have at least a fundamental appreciation for the critical role data protection plays, and the risks of not having sufficient backups.

• Better options are available. Many practices use a number of rudimentary methods for backups, such as external USB drives, which are manual, easily lost, stolen or damaged, and quite difficult and time-consuming to restore from. A modern backup solution, including offsite storage, is completely automated and not expensive, and the risk of not having business continuity far outweighs the cost.

• Engage with a service provider. You do not need to perform backups on your own. There are plenty of experts available to help. If you’d like to know more about your options, reach out to C3 Group.

• Move from backups to business continuity. In addition to protecting healthcare data, practices should develop strategies to get up and running as quickly as possible following a disruption to the business. As we saw with the 2012 Gold Coast medical centre incident, many businesses still have no regular data backups, or no plan to operate from an alternative location. To ensure your practice will continue to operate in the long-term, think about data backups in the context of business continuity.


Contact

StorageCraft Enquiries:

• Asia: [email protected]

• Australia: [email protected] +612 8061 4444 www.storagecraft.com/au

• New Zealand: [email protected] 0800 89 1234 www.storagecraft.co.nz

C3 Group Enquiries: [email protected] 1300 661 859 www.c3group.com.au

About C3 Group

C3 Group give businesses access to a team of experts ready to make IT simple. From a humble beginning in a home garage over two decades ago, they’re now 30+ employees strong, managing more than 600 Servers, 3000 Endpoints & over 500 Networks. Their client base ranges from small businesses with as few as five users, right through to medium sized organisations with 500+ users – specialising in managing technology for businesses across all sectors.

Their service ranges from IT Solutions such as Cyber Security and Backup & Data Recovery, to Cloud Solutions including Private and Public Cloud, to Connectivity including Internet, Business Telephony and Wi-Fi, and their latest solutions range, which encompasses business branding and awareness, Websites, and SEO Management.

C3 Group are able to provide businesses with superior solutions thanks to their industry leading partnerships, including their partnership with StorageCraft.


About StorageCraft

The StorageCraft family of companies, founded in 2003, provides best-in-class backup, disaster recovery, system migration and data protection solutions for servers, desktops and laptops. StorageCraft delivers software products that reduce downtime, improve security and stability for systems and data, and lower the total cost of ownership.

StorageCraft and ShadowProtect are trademarks of StorageCraft Technology Corporation. Other company and product names may be trademarks or registered trademarks of their respective owners.

For more information, visit www.storagecraft.com/au