Healthcare backup vs record retention

Source: Veeam

Healthcare overspends on long term backup retention

There is a dramatic range of opinion on how long hospitals should keep their backups: some keep them for 30 days, others keep them forever. Many assume the long retention is driven by regulatory requirements, but that is not actually the case. Retaining backups longer than needed has significant cost implications and leads to capital spending 50-70% higher than necessary. At a time when hospitals are pursuing optimization and cost reduction across the board, this is a topic that merits closer inspection.

What is the role of data protection?

The primary role of data protection is recovery in response to failure, malice, or accident. Wherever we have applications and data, we need assurance that those applications can be restored within a tolerable time (the recovery time objective, RTO) and with a tolerable amount of recent data loss (the recovery point objective, RPO). That is an IT deliverable common to all hospitals.

What are the relevant regulations?

HIPAA requires Covered Entities and Business Associates to have backup and recovery procedures so that Protected Health Information (PHI) is not lost, but it specifies no retention duration for those backups (45 CFR 164.306 and 164.308). The one six-year retention period HIPAA does impose (45 CFR 164.316) applies to compliance documentation such as policies and procedures, not to the medical record and not to backups. State regulations govern how long PHI records must be retained, usually from six to 25 years, sometimes longer.

The retention regulations refer to the PHI records themselves, not the backups thereof. This is an important distinction and a source of confusion and debate. In the absence of deeper understanding, hospitals often opt for long term backup retention, which has significant cost implications without commensurate value.

How do we translate applicable regulations into policy?

There are actually two policies at play: PHI retention and backup retention. PHI retention should be the responsibility of data governance and/or the application data owners. Backup retention is IT policy that governs the recoverability of systems and data.

I have yet to encounter a hospital that actively purges PHI when permitted by regulations. There is good reason not to: older records still have value in analytics datasets, but only if they are present in live systems. And if PHI is never purged, every record in a backup from a year ago is also in last night's backup. So what value remains in backups from a year ago, or even six months ago?

Keeping backups long term increases capital requirements and the complexity of data protection systems, and it limits hospitals' ability to transition to new data protection architectures with a lower TCO, all without mitigating additional risk or adding value.

What is the right backup retention period for hospital systems?

Most practitioners agree that the right answer is 60-90 days. Thirty days may be too short to roll back an undesirable system-level change (as opposed to a data change) that only surfaces later; one example given is a change that later caused a boot error. The same logic applies to intrusions: a usable restore point must predate the compromise, not merely the moment ransomware detonates, so the window should cover realistic attacker dwell time. Beyond 90 days, it is very difficult to identify scenarios in which the data or systems would still be valuable.
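To make the cost argument concrete, here is an added example (not code from the post or from Veeam) that models raw repository capacity as a function of a flat retention window. It assumes a hypothetical chain-based schedule: one full backup every `full_interval_days`, one incremental on every other day, a constant daily change rate, and chains retained as whole units because an incremental cannot be restored without its full. The profile numbers in the usage block are constructed for illustration; real change rates and deduplication ratios must come from your own backup reports.

```python
"""Flat-retention backup capacity model.

Added example, not code from the original post or from Veeam. It assumes a
hypothetical chain-based schedule: one full backup every `full_interval_days`,
one incremental on every other day, and a constant daily change rate. A chain
is retained as a unit until its newest restore point ages out, because the
incrementals in a chain cannot be restored without their full.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class BackupProfile:
    full_gb: float            # size of one full backup (before dedup/compression)
    daily_change_gb: float    # size of one daily incremental
    full_interval_days: int   # days between fulls; 7 = weekly chains


def chains_retained(profile: BackupProfile, retention_days: int) -> int:
    """Number of whole chains that must be kept to honour `retention_days`."""
    if retention_days <= 0:
        raise ValueError("retention_days must be positive")
    if profile.full_interval_days <= 0:
        raise ValueError("full_interval_days must be positive")
    return ceil(retention_days / profile.full_interval_days)


def required_capacity_gb(profile: BackupProfile, retention_days: int) -> float:
    """Raw repository capacity needed for a flat retention window (no GFS tiering)."""
    per_chain = profile.full_gb + (profile.full_interval_days - 1) * profile.daily_change_gb
    return chains_retained(profile, retention_days) * per_chain


def overspend_pct(profile: BackupProfile, chosen_days: int, recommended_days: int) -> float:
    """Percent of extra capacity the chosen window needs over the recommended one.

    Negative when the chosen window is shorter than the recommended one.
    """
    chosen = required_capacity_gb(profile, chosen_days)
    baseline = required_capacity_gb(profile, recommended_days)
    return (chosen - baseline) / baseline * 100.0


def compare_windows(profile: BackupProfile, windows, baseline_days: int = 90) -> dict:
    """Map each retention window to (capacity_gb, percent over baseline)."""
    return {
        days: (required_capacity_gb(profile, days), overspend_pct(profile, days, baseline_days))
        for days in windows
    }


if __name__ == "__main__":
    # Constructed numbers for illustration only: a 10 TB EMR estate with ~3 %/day change.
    profile = BackupProfile(full_gb=10_000, daily_change_gb=300, full_interval_days=7)
    for days, (cap, pct) in compare_windows(profile, (30, 60, 90, 365, 7 * 365)).items():
        print(f"{days:>5} days: {cap / 1000:8.1f} TB  ({pct:+7.1f}% vs 90 days)")
```

Because the model ignores deduplication and compression, the absolute figures are pessimistic; the ratio between windows is the useful output, since the same dedup ratio applies to every window. A tiered (GFS) schedule with monthly or yearly fulls would lower the long-window figures but not the point that every extra chain is capacity that never serves a restore.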

What about legacy applications?

Most hospitals have a list of legacy applications that contain older PHI which was never imported into the current primary EMR or other replacement application. These applications exist purely for reference, and they often bring other challenges, such as legacy operating systems and a lack of vendor support, which increase risk.

For PHI that exists only in legacy systems, there are just two choices: keep those aging applications in service, or migrate the records to a modern platform that replicates the original interfaces and data structures. Hospitals that have pursued the second path have been very successful in reducing risk by decommissioning legacy applications, using solutions from Harmony, Mediquant, CITI, and Legacy Data Access.

What about email?

Hospitals have a great deal of freedom to define their email policies. Most agree that PHI should not be in email and actively prevent it by policy and process. Without PHI in email, each hospital can define whatever email retention policy they wish.

Most hospitals do not restrict how long emails can be retained, though many cap the size of user mailboxes. There is a trend, however, often led by legal, to shorten email history. It is usually phased in gradually: one year the history is cut off at ten years, then at eight or six, and so on.

It takes a great deal of collaboration and unity among senior leaders to effect such changes, but the objectives align the interests of legal, finance, and IT. Legal reduces discoverable information; finance reduces cost and risk; and IT reduces the complexity and weight of infrastructure.

The shortest email history I have encountered is two years, at a Detroit health system: once an item in a user mailbox reaches two years old, it is actively removed from the system by policy. They also keep their backups for only 30 days. Theirs is the leanest healthcare data protection architecture I have yet encountered.

Closing thoughts

It is fascinating that hospitals serving the same customer needs, bound by very similar regulatory requirements, come to such different conclusions about backup retention. That should be a signal that there is real optimization potential for both PHI backups and email:

  • There is little, if any, value in backups older than 90 days.
  • Significant savings can be achieved by reducing backup retention to 60-90 days.
  • Longer backup retention imposes unnecessary capital cost, by as much as 70%, and hinders migration to more cost-effective architectures.
  • Email retention can be greatly shortened by policy to reduce liability and cost.

The post Healthcare backup vs record retention appeared first on Veeam Software Official Blog.

Streamlined data protection for the healthcare data center

Source: Veeam

When I was a part-time CTO for hospitals prior to joining Veeam, I was focused on outcomes: understanding how technology choices ultimately affect the clinical and patient experience with a goal of improved patient outcomes and higher satisfaction. I said as much to a West Coast health system CIO when presenting a strategy, and he said to look even further: the true outcome of technology choice in healthcare is the health and well-being of the community at large.

That has been with me ever since and helped shape Veeam's mission in healthcare: improving the health of our communities by assuring Availability of your healthcare information with simple, reliable, flexible backup and recovery software. Wherever your applications and data go, whatever the platform, on-premises or in the cloud, we protect it easily so your team can focus on the clinical experience and the health of your communities.

Profile of Veeam’s healthcare customers


Fig. 1: Veeam Top Thirty Customers' EHR Platforms

Veeam healthcare highlights:

  • 12,000+ healthcare customers worldwide
  • 4,300+ healthcare customers in North America
  • 150,000+ clinical applications protected
  • 30-40% TCO reduction reported by customers
  • Net Promoter Score nearly 3x the industry average over 10 years

Our top thirty customers run every major EHR platform and report substantial savings for the systems we protect. They love our software because it is powerful and easy, and it delivers peace of mind for a critical function: the last line of defense against failures of all kinds. Our customers have used the savings realized by investing in Veeam software to purchase new MRI machines that directly affect the health of the communities they serve. Here are a few other examples: Greenville Health, Roswell Park Cancer Inst, Rochelle Community Hospital, Butler Health.

HIMSS19: Foundations need modernization too

More than 45,000 healthcare professionals will assemble in Orlando for HIMSS19 2/11-2/15 to discuss every challenge of healthcare transformation from care and payment optimization to clinical application strategy and healthcare information security.

Amid the trending topics of artificial intelligence, genomics, interoperability, and the omnipresent challenges of mergers and acquisitions, we must also give time to technology platform basics: agile infrastructure consumption models, rapid scale, data and application portability to cloud, data and information stewardship, business continuity, and assured recovery. Those all sound like table stakes: critical functions that we should have well in hand.

Much of it is not well in hand, however: surveys continue to report gaps in business continuity plans, phishing and ransomware continue to cause service interruptions, and organic disruptive events will continue to affect the Availability of applications and the delivery of care regardless of the technology investments we make. Add to this the growing adoption of off-premises platforms from Amazon, Microsoft, and Google, and of Software as a Service applications such as Microsoft Exchange Online, and we require new solutions and practices to ensure the protection of healthcare information and the Availability of related clinical applications.

Closing thoughts

Foundations are easy to lose sight of, overshadowed by more visible elements above, but without attention and modernization, all that is built upon them is at risk.

Please visit us at HIMSS19 Booth #4191 to hear our story and see for yourself how we can make a difference in your data center and the community you serve.


The post Streamlined data protection for the healthcare data center appeared first on Veeam Software Official Blog.