Information lockdown: The importance of backing up general practice data

Amanda Lyons

29/03/2018 11:31:10 AM

Implementing an effective system for data backup and recovery is an essential preventive activity for the health of a general practice.

News teaser
Digital data is vulnerable to natural disasters such as fire and flood, as well as digital-specific threats.

As more and more healthcare information is digitised, data is vital to the operation of the modern general practice. Its protection is enshrined in the RACGP’s Standards for general practices (5th edition), and various professions are set to mark World Backup Day on 31 March.
‘Any interruption to the medical record can be financially, medically, professionally and personally devastating,’ Associate Professor Chris Hogan, GP and Associate Professor of General Practice at the University of Melbourne, told newsGP.
Digital data is undeniably more robust and agile than records kept on paper. However, it is still vulnerable to natural disasters such as fire and flood, as well as some new, digital-specific threats.
‘For example, medical data has a high level of value among hackers, because it contains sufficient demographic details to enable identity fraud,’ Associate Professor Hogan said.
As the recent scandal involving Facebook illustrates, breaching people’s personal data is also a breach of trust – and medical records contain some of the most sensitive information people have.
‘It’s really important that patient information is maintained securely,’ Dr Chris Mitchell, GP, former RACGP President and current member of the RACGP Expert Committee – eHealth and Practice Systems (REC–eHPS), told newsGP. ‘For the reputation of your practice and the protection of your patients’ personal health information.’
Tricks and traps
While the technology involved can be complex, the ultimate goal of data backup systems is fairly straightforward.
‘The aim is to have all the information available at any time you might need it, and be able to restore it quickly and efficiently,’ Dr Oliver Frank, member of REC–eHPS and Senior Research Fellow at the University of Adelaide, told newsGP.
There is a range of backup methods and systems available and a practice must decide what is best for its individual needs, although Associate Professor Hogan believes offsite storage should be non-negotiable for all practices in order to be fully prepared for disaster scenarios.
‘Such as the destruction of your general system, like your office burning down, or when there has been an incident whereby the whole building is inaccessible, usually due to extensive flooding,’ he said.
There are many types of backup, including local, in which practices back up data to a physical storage device onsite or at a nearby location. Data can also be stored offsite, either physically or online. Finally, there is the option of storing data in the ‘cloud’.
Each option contains its own benefits and drawbacks: physical onsite storage remains vulnerable to theft and natural disaster, online storage is dependent on internet access, and third-party storage companies can expose practices to external risk.
‘You’re very dependent on the organisation maintaining the data,’ Dr Frank said, ‘Even if they are doing the right thing but then go out of business, there’s potentially a problem.
‘And, of course, there are questions about the data being hosted in Australia, and even about your connection to where your backup is working.
‘There’s quite a few steps along the way.’
Once a backup system has been chosen and implemented, it is then important to ensure it is operating correctly.
‘The area where I see practices getting into strife is thinking that they’ve got an automated backup process when they don’t,’ Dr Mitchell said. ‘They’ve set up, or their IT manager has set up, a process of automated backups that has fallen over for whatever reason, and nobody knows it’s fallen over.
‘The other problem I often see is backups occurring, but the data is not readable. The key is to ensure that backups are occurring every day, at least, and that they are checked and you can restore from them.’
There are also more technological concerns to consider, such as compatibility between systems.
‘When your system goes down, how do you collect the information?’ Associate Professor Hogan said. ‘It needs to have a computer that’s compatible with the data-retrieval system. The technology you use has to be robust and able to do the job that you are asking it to do. For instance, USB sticks are useful for intermittent backup, but not for doing it regularly.
‘The other thing is that the computer you are using must be able to read and cope with the backup and not corrupt the data.
‘And when you are using the system away from the practice, you need to make sure that the information you collect can be integrated back into your main system.
‘We have had issues after a bushfire where people collect all of the data and then realise they have to manually re-enter it because they’ve used a manual system.’
System education
It is not just data backup technology that requires attention, but also the people using it.
‘Even with the best IT system in the world, people have to be aware of the risks,’ Dr Mitchell said. ‘So it’s not just about investment in infrastructure, but also in training.’
Effective training is vital to ensure that practice staff members understand how to safeguard the security of their IT system.
‘A chain is only as strong as its weakest link, and the person who has the passwords on sticky notes on their computer isn’t what you would call the strongest link,’ Associate Professor Hogan said.
It is also important to have dedicated staff members with detailed background knowledge of the practice system.
‘You’ve got to have at least one person who understands the backup process and is involved with checking it,’ Dr Mitchell said. ‘Because it isn’t just IT systems that fall over, [human] systems fall over as well, and it’s pretty awkward if the only person who knows how that system works leaves the practice for sickness or any other reason.’
Because the knowledge needed to understand and run these systems is so specialised, it is also important for GPs to seek professional assistance and advice.
‘GPs are not computer technicians,’ Dr Frank said. ‘Some of us have an interest, but even then it’s probably dangerous to think we can manage it ourselves. It’s too technical.’
While ensuring data backup and security comes with a price tag, Dr Frank cautioned that choosing not to invest in it can carry a much more significant expense.
‘To some extent, it’s a question of cost versus how much data you’re prepared to lose,’ he said. ‘The more you spend, the more likely you’ll lose less data and be able to recover lost data sooner and more easily. So there is a balance in that.’
RACGP resources

general-practice-data patient-data patient-information world-backup-day


 Security code