Steps to follow to help with compliance and protect against data loss
The updated NHS Data Security and Protection (DSP) Toolkit, which must now also be completed by private practices in order to refer in some regions, includes a requirement to ‘Explain how your data security incident response and management plan has been tested to ensure all parties understand their roles and responsibilities as part of the plan.’
A key part of any such plan is how you restore lost data. As more practices go paperless and move towards cloud file storage, it is important to ensure that you have robust backup procedures in place to protect your data from loss or cyber-attack, with solid contingency arrangements to put into action if things go wrong. Disaster Planning and Emergency Procedures (M 255) contains updated protocols you can adopt for when data loss occurs.
Due to the above we thought it might be a good time to offer up-to-date recommendations on how we feel a modern practice can tackle these issues and explain how we manage backups here at CODE.
With the challenges of data protection becoming more and more complex, it may be useful to engage the services of reputable expert network and IT support to set up your systems and provide ongoing support. The level of service you require will depend on the size of your practice – a single-surgery practice will not need the same level of support that a seven-surgery practice with networked computers requires. A good IT support company should also be able to help carry out test restores of your data, which we recommend take place every 6 months, as detailed in the recently updated Information Governance Procedures (M 217C).
3-step backup procedure
We recommend a three-step backup procedure:
- Local backups of important files and data using an external hard drive or other media
- Cloud (internet) backup using a secure online service such as Databarracks for a backup of all essential files or of your complete server
- Using a Network Attached Storage (NAS) drive, either on site or via the internet, to back up your essential files or your complete server
Backups should be encrypted and password protected for security. Current guidance is that passwords should be at least three unrelated words separated by spaces or underscores (if a particular programme does not allow spaces in passwords, use underscores). See Information Governance Procedures (M 217C) for more information about passwords and for a detailed backup procedure.
Backup daily online
There are some excellent internet (cloud) services available to help you easily back up your essential data, such as Databarracks, that allow you to carefully choose the important files on your server and then run daily backups. In addition, Databarracks will monitor your backups for you and they retain the last 10 days of data, so you can always roll back to a previous day in case of cyber-attack.
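As an added example (not code from CODE or from any of the services named on this page), the following Python script covers the test-restore and retention side of the three-step procedure above: each nightly backup is written with a per-file SHA-256 manifest, then restored into scratch space and compared against that manifest, which is the check a 6-monthly test restore should automate, and older copies are pruned to a 10-copy rollback window like the one described for the online service. Encryption of the archive at rest is assumed to be handled by the backup tool or storage and is not shown; the folder layout and file contents in demo() are constructed sample data.

```python
import hashlib, json, tarfile, tempfile, time
from pathlib import Path
KEEP = 10  # rollback window, assumed to match the "last 10 days" retention described above

def _digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def _manifest(archive):  # <stamp>.tar.gz -> <stamp>.manifest.json
    return archive.with_suffix("").with_suffix(".manifest.json")

def make_backup(src, dest, stamp=None):  # archive src into dest/<stamp>.tar.gz plus a hash manifest
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    hashes = {str(p.relative_to(src)): _digest(p) for p in src.rglob("*") if p.is_file()}
    _manifest(archive).write_text(json.dumps(hashes, sort_keys=True))
    return archive

def verify_restore(archive):
    """Test restore: extract into scratch space and compare every file with the manifest."""
    expected = json.loads(_manifest(archive).read_text())
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(archive, "r:gz") as tar:
        # refuse absolute or '..' member names so a crafted archive cannot write outside tmp
        if any(m.name.startswith("/") or ".." in Path(m.name).parts for m in tar.getmembers()):
            return False
        tar.extractall(tmp)
        restored = {str(p.relative_to(tmp)): _digest(p) for p in Path(tmp).rglob("*") if p.is_file()}
    return restored == expected  # a missing, altered or extra file fails the test restore

def prune(dest, keep=KEEP):  # delete all but the newest `keep` archives (names sort by timestamp)
    old = sorted(dest.glob("*.tar.gz"))[:-keep]
    for a in old:
        _manifest(a).unlink(missing_ok=True)
        a.unlink()
    return len(old)

def demo():  # constructed run: 12 nightly backups of a sample folder, each test-restored, then pruned
    root = Path(tempfile.mkdtemp())
    src, dest = root / "practice", root / "backups"
    (src / "patients").mkdir(parents=True)
    (src / "patients" / "notes.txt").write_text("constructed sample record\n")
    (src / "policy.txt").write_text("constructed backup policy\n")
    archives = [make_backup(src, dest, f"202401{d:02d}-020000") for d in range(1, 13)]
    verified = all(verify_restore(a) for a in archives)
    removed = prune(dest)
    m = _manifest(archives[-1])
    m.write_text(m.read_text().replace("notes.txt", "renamed.txt"))  # simulate a tampered manifest
    return {"verified": verified, "removed": removed, "tamper_detected": not verify_restore(archives[-1])}
```

Running demo() reports that all twelve copies restore cleanly, that the two oldest are pruned to leave ten, and that a manifest which no longer matches the archive is rejected.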
Backups of the entire server
Sophisticated software, such as Veeam, can be used to back up your entire server each night to your backup provider. By doing so you will be covering yourself against instances such as your server breaking, being stolen or being damaged. If such a circumstance occurs, your backup provider could use Veeam to access your latest backup, and within a few hours everything you require could be accessible to you via the cloud, allowing business to continue as normal. Once you have your original server back, or a new one in place, the Veeam backups can be used to set it up, and you can continue working in the cloud while this is happening. Veeam is just one solution that does this; there are many others, and your IT support company will recommend one that they are happy with.
Alternatively, some businesses are now running their server in the cloud and not using a machine in their office at all. While this makes online backups easier to set up, CODE recommends thinking about downloading regular offline copies of your online data too. You can adapt and use CODE’s Computer Backup Log (G 135A) to record backups.
Increasingly, practice owners are using cloud-based file storage such as Office 365. In this scenario you may need a solution to back up anything that isn’t held on your server, such as your emails. Speak to your IT support provider; they should have a solution such as StorageCraft.
If you use Dropbox it is difficult to lose documents, because even if a document is deleted or overwritten on a computer, the deleted file will still be in your online Dropbox account for some time. This is a great place for your iComply evidence if you choose not to store it within the iComply system. If you are hit with a ransomware attack, the professional version of Dropbox can roll back all of the files in your Dropbox with a few mouse clicks.
Here’s how we do it at CODE Head Office
- All backups are encrypted with strong passwords
- The entire server is backed up daily with Veeam to our solutions provider AME
- The entire server is backed up daily to a local NAS drive at the office
- The entire server is backed up to a hard drive once a week, which is kept at home with one of the managers; there are two hard drives that are swapped weekly
- CODE Outlook 365 emails are backed up to StorageCraft twice a day
- Member data is also backed up to DataBarracks online daily just because we want a ‘belt and braces’ approach
We’ve got you covered
As well as meeting the requirements of the DSP Toolkit, good backup and recovery protocols will also allow you to carry on with business as usual in the event of data loss that could otherwise affect the standard of care to patients, cause financial problems or create difficulties in the case of a medico-legal investigation. At CODE, we are currently updating iComply to meet the new standard, so you can rest assured that we’ll have you covered. For a free, no-obligation demonstration of the iComply system, call our new business team on 01409 254 416 or email firstname.lastname@example.org