As we’ve already stated several times in this training, therapists tend to be highly focused on the confidentiality of information and thus can easily forget about its availability. Antimalware, firewalls, and trusted WiFi can protect availability of information a little bit. However, the most reliable method, by far, of protecting information availability is to keep thorough backups of it.
Backing up data means making exact copies of it. There are many kinds of backups. You choose what works for you. The important thing is that if you lose electronic PHI that you were supposed to hold onto, you should be able to restore it using your backup. If your backup scheme can ensure that, then it works!
Frequency of Backups
Your backup plan should have you making backups frequently enough that you can restore data that gets lost at any given time. This usually depends on how often you work. And best practices have most people performing backups at the end of the day.
For example, a practice that only operates two days a week can probably make backups during just those two days and be safe. But be careful — if you do administrative work on the other days, then you may need to make backups on those days.
Furthermore, your practice might rely on some information that isn’t technically PHI. For example, you may keep financial records that don’t contain client identifiers. This means those records aren’t PHI. But if they aren’t backed up, and you lose them for some reason, that could still cause problems for your practice that are big enough to cause some interruption in client care.
Full-time therapists usually make backups at the end of every work day.
Best practices strongly encourage us to keep data backups in a separate location from the originals. Imagine if your computer and its backup disk were kept on the same desk in the same office, and then a fire swept through that office. Both copies would be destroyed. The same scenario works for a thief entering the office to steal valuable computing equipment. There are many reasons why data originals and backups should be separated.
Most of us have an office location separate from our homes. In this case, keeping the backups in one place and the originals in the other should suffice. Yes, that means they’ll be in the same place during most work days. This is a risk, but many of us cannot further reduce this risk without some onerous practices. Or, perhaps, we can reduce it using cloud backup. More on that later.
Backup information is just as sensitive as the originals. So backup devices need to be protected, too. Most backup devices are nothing more than data storage devices, such as external hard drives. As such, the primary method of protection is FDE (full device encryption).
The same software that provides FDE for laptops and desktops can also be used to enact FDE on devices like external hard drives, thumb drives, and the like. The software will set up an encryption password for the drive, just like you have on the original device. Be sure to make it a strong one.
Methods of Backup: External Drives and “The Cloud”
A tried-and-true method of backup is to use an external hard drive, or something similar, to make copies of our devices’ data. We even have programs that make this method easy and powerful, such as Apple Time Machine and Windows Backup.
This method works fine. If you are able to run backups on time and keep them protected, then it’s great.
Do consider, however, the advantages of cloud backup. We will explore the particulars of using cloud-based services in section 6. Here, however, we can note these advantages offered by most online backup services:
- Backups are always offsite, because they are kept on servers in data centers away from your office(s).
- Backups are usually performed automatically without creating a new task for you. Some backup services run continuously, so your backups are always up to date.
- Your backup data is available anywhere you have an Internet connection.
An important downside is that online backup is a subscription cost, whereas using your own drive is usually a one-time cost.