The first of a series of blogs on securing your data.
Even prior to last week's news of the significant disruption to the HSE by cybercriminals, there has been a lot of talk about security in the GP forums, from the use of Proton Mail to setting up VLANs on your network. One thing I have noted is that there has been very little discussion around backups. Backups should be the foundation of your overall security strategy, and they need to be right.
In many cases we are the sole custodians of the patient data and therefore have added responsibility to ensure it is adequately protected.
Nowadays, backing up your data is one of the safest ways to ensure that you’re being proactive about your data’s security. This way, if disaster strikes, you can rest easy and know your information still exists elsewhere. With the help of cybersecurity techniques and backup software, you can take the initiative to protect yourself before anything drastic happens.
Because cyberattacks occur more and more often, it seems almost impossible to assure yourself that your data won’t be corrupted or stolen. While hackers and ransomware outbreaks are more prevalent at the moment, old-school tried and true techniques like dangerous malware, spyware, and viruses continue to be among the leading causes of data loss and system breaches.
As a lot of practices still allow unsolicited email, I would suggest that this channel will be the most probable way that a practice may be compromised. Email carries a significant risk for any organisation and unsolicited email should be allowed as little as possible.
The importance of backup
Backup software offers protection for business data by copying data from servers, databases, desktops, laptops, and other devices in case of user error, corrupt files, or a physical disaster that renders critical data inaccessible. It can also protect sensitive business data in the event of a hardware malfunction, hacker penetration, and many other threats posed to digitally stored information.
Naturally there are many types of backups, e.g. backup to disk, backup to tape or cloud backups. I’m not going to go into detail about the different types, but a quick Google search will find all the information you need.
Personally, I use a cloud-based backup strategy. I back up the data using my own encryption keys and store it in multi-geo locations. I find this a very secure and cost-effective method which also allows me to quickly test my backups. It is also a key element of my DR plan.
Having backups, as already discussed, is important, but having backups that have been tested is more important. It is critical that test restores are carried out and documented on a regular basis. There are many horror stories of organisations believing they had robust backup strategies, only to realise when they tried to restore that critical elements of their data were missing.
I cannot emphasise enough how important it is to test the restores. In my practice, once a quarter, we spin up a server on Azure and carry out a test restore. We actually now have this process automated, so it takes very little time to run.
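One way to make a test restore repeatable and documented, shown here as an added example (it is not the automated process used in the author's practice): record a SHA-256 manifest of the live data at backup time, then check the restored copy against it and keep the dated result. The file names and the data in `demo` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from datetime import date
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backup files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Run at backup time: relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Run after a test restore: report files that are missing or differ."""
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != expected:
            corrupted.append(rel)
    return {"date": date.today().isoformat(), "files_expected": len(manifest),
            "missing": missing, "corrupted": corrupted,
            "passed": not missing and not corrupted}

def demo() -> dict:
    """Constructed sample data: a tiny 'live' tree and a faulty restore of it."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for root in (live, restored):
            (root / "db").mkdir(parents=True)
        for name, data in {"db/patients.bak": b"records", "db/scans.bak": b"images",
                           "letters.docx": b"letter"}.items():
            (live / name).write_bytes(data)
        manifest = build_manifest(live)
        (restored / "db/patients.bak").write_bytes(b"records")  # restored intact
        (restored / "letters.docx").write_bytes(b"lett")        # truncated copy
        # db/scans.bak is deliberately absent from the restore
        return verify_restore(manifest, restored)

if __name__ == "__main__":
    # The printed JSON is the record to file with the restore test documentation.
    print(json.dumps(demo(), indent=2))
```

Store the manifest separately from the backup itself, so that a damaged or tampered backup set cannot also carry a matching manifest.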
Disaster Recovery Plan
The last piece I will mention now is that you should consider building a disaster recovery plan. A disaster recovery (DR) plan is a formal document created by an organization that contains detailed instructions on how to respond to unplanned incidents such as natural disasters, power outages, cyber attacks and any other disruptive events. The plan contains strategies on minimizing the effects of a disaster, so an organization will continue to operate – or quickly resume key operations.
Disruptions can lead to lost revenue, brand damage and dissatisfied patients. And, the longer the recovery time, the greater the adverse business impact. Therefore, a good disaster recovery plan should enable rapid recovery from disruptions, regardless of the source of the disruption.
- Robust backups are the foundation to ensuring business continuity in the event of a disaster
- Don’t trust your backups until such time as you have proven they work
- Ensure that everything is documented
- Have a plan