Healthcare News & Insights

How your business can ensure HIPAA-compliant backups


HIPAA compliance doesn stop at the data youe actively using. It applies to everything in your organization “ up to and including your backups. In this guest post, Tim Mullahy, executive VP and managing director of an enterprise class, tier 3 data center, explains how to ensure you aren caught off-guard by that fact (and slammed with a hefty fine in the process).


Healthcare organizations are under constant pressure to keep protected health information (PHI) safe from prying eyes and malicious parties. It as much a part of working in the industry as dealing with staff burnout. And it something you yourself need to be cognizant of “ and not just because of the penalties you might run into under regulatory frameworks such as HIPAA.

Failing to adequately protect PHI can land you in hot water with more than regulatory agencies. It can also destroy patient trust “ something that victims of a healthcare data breach can seek legal recompense.

In short, you need to ensure your organization is airtight, and that every device, system, and individual is compliant. And not just data that youe actively using, either. Your backups need to abide by HIPAA, as well “ here how to ensure they do.

Remember there no such thing as ˜too secure™

HIPAA has some pretty strict guidelines as far as data storage is concerned “ and these are guidelines you need to follow even if it feels a bit inconvenient at times. All backups must be strictly access-controlled and data should only be stored in approved locations. That means no leaving thumb drives or laptops sitting out, and no storing backups in systems that aren properly air-gapped and secured with 128-bit encryption at minimum.

It also means, while backups should be easily retrievable, it should also be easy for authorized personnel to delete them in the event this becomes necessary.Physical security is important, too. It no good putting a bunch of digital safeguards in place, if a bad actor can just walk into your server room.

In short, your backups should be guarded by measures such as:

  • keycard readers, physical locks and/or biometric scanners
  • uniformed security personnel
  • CCTV surveillance/monitoring
  • fire suppression systems
  • workstation lockdown capabilities
  • strict media/device controls for personnel
  • regular security awareness training for all staff in the facility
  • clearly-defined security roles for all staff in the facility
  • a contingency planning “ what happens in the event of a disaster, and how will staff ensure your safeguards remain active during that crisis?
  • access logs “ you should know exactly who accessed a file or server, when they accessed it, and what they did with it at any given time
  • offsite storage “ avoid storing backups onsite if possible
  • a minimum of 128-bit encryption, and
  • notifications for:
    • when a file is accessed
    • when a file, system or device is backed up
    • when a file is modified
    • when a physical server is accessed, and
    • unusual network activity.

If it helps, you might envision your business as a submarine. Even a single leak can sink the entire vessel. Don let your backups be that leak.

Keep your backups redundant

Another requirement under HIPAA is redundancy. You need to store your backed-up data in more than one offsite environment. And each one of those environments must be equally secure.

Additionally, it important that you store infinite revisions of each protected file. And those revisions should be well-organized and searchable in case youe audited. Again, this is something else that required by HIPAA.

Given that you need to back your data up on an incredibly frequent basis, it should go without saying youe going to need to invest a decent amount into storage capacity. Make sure you budget for that. It a necessary expense.

Test everything regularly

Even with all the measures outlined here, your backups are functionally useless if their integrity isn absolutely guaranteed. With that in mind, it imperative (and required by HIPAA) you periodically test your backups to ensure everything is working as intended. You should also regularly revisit your disaster recovery process and crisis management plan to see if there anything that could be improved or updated.

If youe working with a vendor, verify them

Last, but certainly not least, if you aren maintaining your own backups, you need to make certain the vendor youe working with follows all the other steps on this list, including and especially unlimited revisions. Additionally, the vendor needs to have undergone an annual HIPAA-compliance audit and must be willing to sign on as a covered entity.

Should they refuse or if their security falls short anywhere, find someone else. It not worth the trouble it will cause you in the long run.

Keep your backups in good health

HIPAA can be challenging, intimidating and confusing to follow, especially when it comes to protecting your backups. Here hoping this has cleared the air a bit and made things just a little less murky for your organization. The rest is up to you.

Tim Mullahy is the executive VP and managing director of

Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.