We all know that data is important, and we need to back it up. Whether a hard disk stops working, or your network has been invaded by “ransomware,” having a proper backup can definitely save your bacon.
When we examine someone’s practice for embezzlement, we start by making a duplicate of their practice management software in our lab. This allows us to do our work unobtrusively and isolated from the changes that take place daily in “live” software.
Normally our technical staff connects to the client’s server over the internet and uploads what we need to our lab. However, occasionally we receive a disk drive on which our client has made a backup.
Overall our experience with these backup media isn’t good. It is common for us to receive a backup containing only empty folders. At other times, we receive an “incremental” backup (i.e., only files changed since the last backup).
Obviously, if you are using cloud-based practice management software you don’t need to worry about this; for the rest of us there are a few rules to follow:
- Test your backups. To paraphrase an old cliché, “You don’t need a backup until you need one, and when you need one you really, really need one.” Testing a backup of practice management software isn’t easy — you need to restore it to a “clean” install of your practice management software to make sure that it works. With most software, there are several critical files that, if not backed up, will make you unable to restore a working copy.
- Always back up data; never back up software. Your practice management software is easy to rebuild if needed (usually as a download from the company that owns it), so there is no good reason to back it up. Backing it up also presents a danger — if your backup media is lost, someone finding it will have both your data and the means to read it. Data without the software is usually quite difficult to extract, so backing up your software provides little benefit to you but makes things much easier for anyone who comes into possession of your data.
- Don’t use flash drives for your backup. The storage capacity of small USB drives has increased dramatically over the past few years, and it is tempting to use them as backup media. However, their small size is also their downfall; it is far too easy to lose one and not realize it. By contrast, if a portable hard drive falls out of your pocket, you will definitely notice.
- Backups need to be taken off-site. Backing up to a hard drive next to your server will not help you at all if your office burns down.
- Encrypt your backup. Practice management software, except in very outdated systems, is already encrypted. However, there are often a few files that are backed up that aren’t encrypted, and many offices back up other office files in addition to practice management software. So encrypting and protecting your medium with a password provides a good (and easy to implement) additional layer of security. And you really don’t want a HIPAA breach, do you?
- Be careful with “incremental” backups. These are backups limited to things that have changed since the last backup. This is normally done if the data set is really, really big, but it makes the job of restoring from backup much harder (typically you must restore the last full backup, and then every incremental backup made after the full backup, in sequence).
- Redundancy is key. If something is important (and your practice data certainly qualifies), it should be backed up at least twice (e.g., one backup to the cloud, and another to a physical medium).
- Cloud backup needs to be used carefully. Most cloud backup probably isn’t HIPAA compliant, so some research needs to be done, and, just like a backup to a physical medium, a cloud backup should be properly encrypted.
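A quick pre-check for the failures described above (a backup of empty folders, an incremental set mistaken for a full backup, missing critical files, software copied along with the data) can be scripted. The following is an added example, not part of the original article; the file names, the list of critical files and the list of software extensions are assumptions, and the sample folders are constructed.

```python
import tempfile
from pathlib import Path

# Assumption: file extensions treated as "software" rather than data.
SOFTWARE_EXTS = {".exe", ".dll", ".msi"}

def list_files(root):
    """Return {relative_path: size} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.stat().st_size
            for p in root.rglob("*") if p.is_file()}

def check_backup(source, backup, critical=()):
    """Compare a backup tree with the live data folder and list problems."""
    src, bak = list_files(source), list_files(backup)
    problems = []
    if not bak:
        problems.append("backup contains no files (empty folders only)")
    missing = sorted(set(src) - set(bak))
    if bak and missing:
        problems.append(f"{len(missing)} of {len(src)} source files missing: not a full backup")
    for name in critical:
        if bak.get(name, 0) == 0:
            problems.append(f"critical file absent or empty: {name}")
    software = sorted(f for f in bak if Path(f).suffix.lower() in SOFTWARE_EXTS)
    if software:
        problems.append(f"software included in backup: {software}")
    return problems

def demo():
    """Build constructed sample folders and check three backups of them."""
    with tempfile.TemporaryDirectory() as tmp:
        def make(name, files):
            base = Path(tmp) / name
            (base / "data").mkdir(parents=True)   # folder exists even if empty
            for rel, content in files.items():
                (base / rel).write_bytes(content)
            return base
        # Hypothetical file names standing in for the vendor's critical files.
        good = {"data/patients.db": b"p" * 10, "data/ledger.db": b"l" * 10}
        live = make("live", good)
        backups = {"empty": make("empty", {}),
                   "partial": make("partial", {"data/ledger.db": b"l" * 10, "pms.exe": b"MZ"}),
                   "full": make("full", good)}
        return {n: check_backup(live, b, tuple(good)) for n, b in backups.items()}

if __name__ == "__main__":
    print(demo())
```

A clean result only shows that the files are present; it does not replace restoring the backup to a clean install.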
Hopefully, you never need any of this, but in case you do…
Do you have questions about embezzlement? Give Prosperident a call at 888-398-2327 or send an email to firstname.lastname@example.org