Remote Backup Compliance

by Liam McNaughton

Why Dental IT’s remote backup is (probably!) the UK’s most compliant backup solution.

To consider this claim, I am taking account of the following legislation, regulations and guidance:

  1. The Data Protection Act (see I). (Referred to as DPA for the rest of this article).
  2. ICO guidelines on cloud computing (see II).
  3. NHS/CQC Information Governance requirements (see III).

Where I refer to “compliance” in the context of this article, I mean compliance with these in particular. The specific documents referenced, and where to find them, are linked to above, and are in the endnotes of this article.

In General

All dental practices should be registered with the ICO. Because dental practices collect, handle, create and process patient data there is no doubt whatsoever that any dental practice operating in the UK should be registered with the ICO, and be aware of their responsibilities as data controllers and data processors. See the Information Commissioner’s Office website (www.ico.org.uk) for further details and guidance on this if you are not already registered and compliant.

Dental practices will often (indeed in my opinion they should!) contract much of their IT systems administration, setup and maintenance to third parties, such as their hardware or software suppliers, IT support company, or (in the context of this article) their backup software suppliers. For the avoidance of doubt, this does NOT absolve the dental practice of its responsibility, under the DPA and the other applicable regulations, to ensure that its remote backup solution (or indeed any aspect of its IT systems) is compliant. This is clear throughout the guidance. See for example IV below. So you should satisfy yourself, as far as reasonably possible, that your remote backup solution is achieving compliance for you.

Keeping Your Data Safe

When considering IG and issues around compliance, people often home in on issues of confidentiality, data access, security and the like. But firstly I would like to consider the safety and integrity of the data. And to be clear, this is also a strict requirement; in the DPA, this is data protection principle point 7, summarised by ICO as follows: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

We do not recommend this, but some practices deploy ONLY a remote backup solution as their sole protection against data loss. Carestream, for example, (previously Kodak/Practiceworks), software suppliers of R4, have long been recommending their remote backup solution (itself based on third party software and hosting, more on this later) as the only backup solution that a practice needs to have. There are many reasons we do not recommend this, but primarily this is because remote backup systems do not back up the entire system, just the core datasets.

So yes, you would be able to recover from a disaster eventually, after you rebuild your server, network and configuration and restore your data into it – but in reality this would take days. Much better to restore from a comprehensive image backup of the entire system, that only a local backup solution can offer you. Either way, whether your remote backup is your secondary/offsite backup, or it is your ONLY backup, it has to work, and has to be able to protect you against loss of data or damaged data.

It is easy to take for granted that a commercial backup solution works, but until and unless it has actually been tested, you cannot be sure that it is working.

Any backup solution worth its salt should be able to test backed up data against the source data at each backup “pass”; this “verifies” that the source data is exactly the same as the destination data stored at the remote location. Dental IT’s remote backup software does this using block level synchronisation technology based on “rsync” (see V); this compares source and target files using algorithms which efficiently and accurately replicate the files exactly, with minimum use of resources.

In short, if the software completes a backup cycle and reports a successful backup, you can be sure that the files at the destination are the same as those at the source; this includes all files within a backup selection, not just those that have changed since the last backup. The data, or a selection of the data, can be restored at any time for testing purposes.

Further, a good backup solution should keep multiple “versions” of the files being backed up; it is not always just last night’s backup that you need to restore… you may need to restore a dataset from a few days ago, or a few weeks ago. Dental IT’s backup solution is able to restore files from up to a month ago, to allow plenty of time to discover that a file is lost or damaged, and allow you to restore it.

Additionally, you need to be confident that the storage of the backed up data is safe; that the backed up data itself is not going to be lost or damaged. At Dental IT, the data is stored on physically safe and secure servers, built with substantial resilience, on a secure network, at our own premises.
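A practice can run its own independent check of the verification described above by restoring a backup selection to a scratch folder and comparing every file against the live source. The following is an added example, not Dental IT’s software or part of the original article; it uses a plain SHA-256 comparison of whole files rather than rsync’s block-level algorithm, and the function names and sample files are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large imaging files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(source_root, restored_root):
    """Compare EVERY file in the selection, not only recently changed ones."""
    src, dst = manifest(source_root), manifest(restored_root)
    return {
        "missing": sorted(set(src) - set(dst)),        # never backed up
        "mismatched": sorted(k for k in src.keys() & dst.keys()
                             if src[k] != dst[k]),     # damaged or stale copy
        "extra": sorted(set(dst) - set(src)),          # deleted at source since
    }

def backup_ok(report):
    """A pass requires no missing and no mismatched files."""
    return not report["missing"] and not report["mismatched"]

def demo():
    """Constructed sample data: one damaged file, one file never backed up."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        for root in (src, dst):
            (root / "imaging").mkdir(parents=True)
        (src / "patients.db").write_bytes(b"record-1\nrecord-2\n")
        # Same size as the source, so a size-only check would not notice.
        (dst / "patients.db").write_bytes(b"record-1\nrecord-X\n")
        (src / "imaging" / "xray1.dcm").write_bytes(b"\x00" * 4096)
        (src / "policy.txt").write_text("v1")
        (dst / "policy.txt").write_text("v1")
        return verify_backup(src, dst)

if __name__ == "__main__":
    report = demo()
    print(report, "PASS" if backup_ok(report) else "FAIL")
```

Files that legitimately changed at the source after the backup ran will also show as mismatched, so run the comparison against a quiet system or a snapshot taken at backup time.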

Capturing Data

Other technical aspects of the Dental IT backup solution offer the best possible methods of capturing data: the software is able to capture “open files” without issue – this is particularly relevant with software such as Software of Excellence EXact, which, due to the EXact email server running 24x7, has files open all the time. The software is also able to capture SQL data directly from the database; so for SQL based software (such as Dental IT’s Spinnaker, or Kodak R4), a direct database dump can be taken live, without shutting down the software.

In the section related to data “integrity” in the ICO document, specific questions are asked: “What audit trails are in place so you can monitor who is accessing which data?” At Dental IT, all access to our backup servers is logged by user, and no-one directly outside of the employ of Dental IT has access to our backup servers anyway.

“Make sure that the cloud provider allows you to get a copy of your data, at your request, in a usable format.” We can provide all of our users with direct access to their data, via a secure (https) web interface. Typically, we would handle the restore for the dental practice, however we can also allow direct access if required.

“How quickly could the cloud provider restore your data (without alteration) from a back-up if it suffered a major data loss?” This is a critical difference between our backup solution and many other backup solutions. Whilst other providers are entirely “cloud” based, so a restore would involve downloading the data via the Internet connection (which could take days), we have direct local access to a customer’s data as well as cloud access. This means that, should a restore of any entire dataset be required, we can copy that data to portable media, and, if necessary, take it to site with an engineer; so even the largest of datasets can be restored to the practice the same day.

ICO Guidelines

Sections 58-62 of the ICO guidelines deal with the (in this case) practice’s responsibilities to ensure that their contractor’s handling and storage of their data is safe to the satisfaction of the data controller (in this case the dental practice). The ICO suggests that the data controller could visit the premises of the cloud storage, and/or satisfy themselves as to the quality of the procedures and technical measures in place at the storage site. At Dental IT, we store all our customers’ data in our own managed premises; we can therefore offer customers an onsite visit if required, and/or a full disclosure of our procedures and the measures in place to keep the data safe.

The ICO document suggests that, where the customer cannot establish this for themselves, they should ask for an independent third party report on the physical and network security at the cloud provider. With other third party providers and products, it is extremely unlikely that you would be able to gain the necessary reassurances that your data was safe, and under the control or care of the suppliers with whom you are actually contracted. In most cases (indeed every case that I have come across so far) the IT supplier is actually reselling a product or service provided by a third party. For example, in the case already mentioned, Kodak Online Backup and Recovery (from Carestream) the actual provider of the service/software is Attix5; and if you purchase this product from Carestream you will be in contract with Carestream for the service, and NOT Attix5 who are actually providing the service.

It is entirely possible, given the layered nature of modern networks and cloud storage, that even the third party supplier is themselves reliant on a further upstream provider, so for example you could be in contract with an IT supplier A who resells you a remote backup product that they manage, the service of which is provided by supplier B, who actually store the data with supplier C, on the network of supplier D. It would be unrealistic to unravel all of this, and expect to be able to gain appropriate assurances from all suppliers involved, that the handling of your data is compliant. With Dental IT’s remote backup product, ONLY Dental IT are involved in the handling of your data, end to end.

It is clear throughout all the legislation and guidelines that your practice data should not leave the UK or EU (except if certain conditions can be met, but it is much easier to simply not allow this). Dental IT’s remote backup solution is based entirely in the UK, at our own premises.

IG requirement 11-322 and the NHS documents referenced within this requirement, make clear that all data transfers outside of the practice must use encryption in transfer. Dental IT’s remote backup system uses 128 bit level AES encryption across the secure https protocol. Whether or not the data is encrypted whilst “at rest” at the storage location is a matter of judgement and appropriateness, depending on the data. This can be enabled or disabled. This is covered in sections 65-66 of the ICO document. I would expect that all remote backup software would offer encryption in transit and at rest, so this is unlikely to be unique to Dental IT’s offering.

Ongoing Management

It is clear that implementing a remote backup solution requires ongoing management and maintenance. It is not a “fire and forget” solution. All backup systems suffer failures from time to time; sometimes they recover from these, sometimes not, and intervention and troubleshooting are required to re-establish a good, regular backup. With other backup solutions it is not always clear who exactly is responsible for monitoring and maintaining the remote backup – is it the dental practice, or the IT support or software people who installed the solution and software, or is it the upstream provider of the solution? And in the case of a restore being required, who would do this? Remember, under the DPA it is ultimately the practice’s responsibility; so any delegation of that responsibility has to be clear, and contractually established.

Dental IT’s remote backup solution offers you that clarity; we take responsibility for the ongoing functionality of the remote backup solution, monitoring its success on a daily basis, and investigating and resolving failures and problems as and when they occur. For customers on a support contract with us, we also take full responsibility for restoring the data, and re-integrating it to the practice network. In addition, we can configure email notifications of success or failure to designated practice staff, as an additional safeguard and reassurance to the practice management.

Finally, you should be aware that the DPA legislation, and IG guidelines, apply to ALL your clinical and practice data, not just the data within your DPMS (dental practice management system). So you may have a remote backup solution provided by your software supplier, but they typically may not consider what other data on the network should be backed up; this is other clinical data (digital imaging data, x-rays, photos, referral letters and the like), but also non-clinical but essential practice data, such as policies and procedures and the like. Dental IT will work with you, to ensure that the selection of files to back up is thorough and appropriate.

To find out more about our backup solution, and our other products and services, visit: www.dentalit.ltd.uk/technologies

I - The full act is available here; however, in general I would refer to the ICO’s interpretations and guidance, which is (far!) more user friendly, available here.

II - A very useful document from ICO specifically interpreting the provisions of the DPA in the context of cloud computing.

III - All IG documents are available to browse here.

IV - Paragraph 31 of the ICO guidance on cloud computing states: “However, simply because an organisation chooses to contract for cloud computing services on the basis of the cloud provider’s standard terms and conditions, does not mean that the organisation is no longer responsible for determining the purposes for which and manner in which the personal data is to be processed. The organisation will continue to be a data controller and will be required to meet its obligations under the DPA.”

V - http://en.wikipedia.org/wiki/Rsync
