The global health crisis has placed a significant strain not just on hospitals, but on nearly all healthcare-related services. Many of these frontline organizations increasingly rely on digital communications to conduct care via Telehealth and coordinate with fellow healthcare providers, outpatient facilities, and family caretakers.
To manage all of this patient data and improve data operations, connectivity, and accessibility, an increasing number of healthcare companies are leveraging SaaS platforms like Salesforce. Gartner analysts project that by next year public cloud service providers will process more than 35% of healthcare providers’ IT workloads.
Yet even as SaaS platforms have made managing healthcare data easier, more integrated, and more cost-effective, healthcare providers face significant challenges when it comes to protecting patient data. According to the Ponemon Institute, over 94% of healthcare providers have experienced some sort of data breach, and 50% have experienced five or more data breaches. As you might imagine, these challenges have only been magnified in recent months.
Data protection challenges vary in complexity, and require different solutions. In this post, we’ll explore how those organizations using Salesforce Health Cloud in particular can protect their sensitive data with a comprehensive backup and recovery solution, and what that solution should include.
You are responsible for your data, not Salesforce. While Salesforce is the most secure and available platform in the industry, the company that controls the data, not the cloud provider processing it, is ultimately responsible for the protection of the data from user-inflicted data loss or corruption.
Access critical patient data even if Salesforce becomes temporarily unavailable. Because many healthcare providers rely on patient data to diagnose illnesses and prescribe medications, it’s critical for this data to be available 24/7.
Conduct care via Telehealth without disruption. More and more patients are now using email, text, and web portals as ways to review their health information. However, these patient portals are often accessible over the public Internet and can be difficult to secure, putting patient data at risk.
Protect sensitive patient data under HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) was developed to protect sensitive patient data with its Privacy and Security Rules. According to these rules, any company that gathers or uses Patient Health Information (PHI) must have physical, network, and process security measures in place in order to ensure HIPAA compliance. For further guidance, HIPAA’s Security Rule states that exact copies of electronic PHI must be backed up securely and business entities should be able to fully restore in the event of data loss. Let’s take a closer look at what that entails...
Under its Security Rule, HIPAA requires backups to be:
Frequent: In most circumstances, a daily backup is satisfactory, but sometimes backups must be scheduled to the hour or minute, depending on the type of record.
Encrypted: Backed up data should be encrypted at rest and in transmission.
Secure: Backed up data should have user authentication safeguards, including multi-factor password protection and role-based access controls to partition backup services and control who has access to them.
Tested: Once successful backups have been achieved, the restore process must be tested to confirm data integrity and how long the restore process takes to complete.
Stored Offsite: Backups must be stored in a separate location from production services. For Health Cloud users, this means storing backups outside of Salesforce.
Healthcare organizations have unique challenges when it comes to data protection. Here are the five things that healthcare organizations must consider when it comes to protecting their Salesforce data.
1. Recovery Point Objective and Recovery Time Objective
Because of the sensitive and often life-dependent nature of patient information, it’s critical for this data to be available 24/7. That’s why healthcare organizations must put a strict limit on how much data they can afford to lose and the amount of time it will take to recover after a data loss or corruption. But to do this, you need to define your Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
Your RPO represents how much data your organization is willing to lose. For example, with the Salesforce Weekly Export, your organization should expect to have an RPO of one week, potentially losing a week’s worth of data.
Your RTO measures how long it will take your organization to recover lost or corrupted data. This time frame includes steps like identifying the lost data, finding the lost data, preparing to restore, and actually restoring the data.
2. Data Integrity
When a user discovers a Salesforce data loss or corruption, healthcare administrators can’t always be sure what specific data was lost. Since Salesforce is a relational database, the ability to maintain data hierarchies is a crucial element of a backup and recovery solution. Without this, you’ll only have partial restore capabilities. Specificity of restore is also important for being able to ensure you’re putting the right data back into your environment.
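The hierarchy point above, together with the "Tested" requirement in the HIPAA list earlier, is easiest to see in code. The following is an added illustration, not OwnBackup's or Salesforce's code: a backup snapshot of a small Account, Contact and Case hierarchy (constructed sample data and a constructed lookup schema) is restored into an in-memory stand-in for the target org. Like Salesforce, the stand-in assigns fresh record Ids on insert and rejects a child whose parent does not exist, so the restore must insert parents first and rewrite every lookup to the new Id, and the restore test afterwards checks that each record came back with its relationships intact.

```python
"""Restore a relational backup parent-before-child, remapping Ids, then verify.

Added example (not OwnBackup's or Salesforce's code). Object and field names
mimic a Health Cloud-style hierarchy; FakeOrg is a constructed stand-in for the
target org that, like Salesforce, assigns new Ids on insert and rejects
dangling lookups.
"""
from collections import defaultdict, deque

# Constructed backup snapshot: object -> records. Lookup fields end in "Id".
BACKUP = {
    "Account": [{"Id": "001A", "Name": "Riverside Clinic"}],
    "Contact": [{"Id": "003A", "LastName": "Doe", "AccountId": "001A"}],
    "Case": [{"Id": "500A", "Subject": "Follow-up",
              "AccountId": "001A", "ContactId": "003A"}],
}
# Constructed schema: which lookup field on each object points to which parent.
LOOKUPS = {
    "Account": {},
    "Contact": {"AccountId": "Account"},
    "Case": {"AccountId": "Account", "ContactId": "Contact"},
}


class FakeOrg:
    """Stand-in target org: assigns new Ids, refuses records whose parent is absent."""

    def __init__(self):
        self.records = {}  # new Id -> (object name, record)
        self._n = 0

    def insert(self, obj, rec, lookups):
        for field, parent in lookups.items():
            ref = rec.get(field)
            if ref is not None and (ref not in self.records
                                    or self.records[ref][0] != parent):
                raise ValueError(f"{obj}.{field} references unknown {parent} {ref}")
        self._n += 1
        new_id = f"{obj[:3].upper()}NEW{self._n:03d}"
        self.records[new_id] = (obj, {**rec, "Id": new_id})
        return new_id


def restore_order(lookups):
    """Topological order (Kahn's algorithm) so parents are inserted before children."""
    indeg = {o: 0 for o in lookups}
    children = defaultdict(list)
    for obj, fields in lookups.items():
        for parent in set(fields.values()):
            indeg[obj] += 1
            children[parent].append(obj)
    queue = deque(sorted(o for o, d in indeg.items() if d == 0))
    order = []
    while queue:
        o = queue.popleft()
        order.append(o)
        for c in children[o]:
            indeg[c] -= 1
            if indeg[c] == 0:
                queue.append(c)
    if len(order) != len(lookups):
        # Self- or cyclic lookups (e.g. an Account's parent Account) need a
        # second pass that patches those fields after every record exists.
        raise ValueError("cyclic lookups: restore needs a two-pass approach")
    return order


def restore(backup, lookups, org):
    """Insert each object in dependency order, rewriting lookups to the new Ids.
    Returns the old Id -> new Id map needed to rewrite later children."""
    id_map = {}
    for obj in restore_order(lookups):
        for rec in backup.get(obj, []):
            fixed = dict(rec)
            for field in lookups[obj]:
                if fixed.get(field) is not None:
                    fixed[field] = id_map[fixed[field]]  # parent already restored
            id_map[rec["Id"]] = org.insert(obj, fixed, lookups[obj])
    return id_map


def verify(backup, lookups, org, id_map):
    """Restore test: every backed-up record exists and each lookup still points
    at the same parent (via the Id map). Returns a list of discrepancies."""
    problems = []
    for obj, recs in backup.items():
        for rec in recs:
            new_id = id_map.get(rec["Id"])
            if new_id is None or new_id not in org.records:
                problems.append(f"{obj} {rec['Id']} missing after restore")
                continue
            restored = org.records[new_id][1]
            for field in lookups[obj]:
                if restored.get(field) != id_map.get(rec.get(field)):
                    problems.append(f"{obj} {rec['Id']}.{field} points at wrong parent")
    return problems


if __name__ == "__main__":
    org = FakeOrg()
    id_map = restore(BACKUP, LOOKUPS, org)
    print(restore_order(LOOKUPS), id_map, verify(BACKUP, LOOKUPS, org, id_map))
```

Inserting the Case record on its own, before its Account and Contact exist, makes `FakeOrg.insert` raise; that is the "partial restore" the paragraph warns about, and the `verify` pass is the integrity check a restore test should report before anyone relies on the restored data.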
Global healthcare companies have stringent security requirements that must comply with both internal and external regulations. When considering the security of your data, you should rely on a solution that has passed Salesforce security reviews and has built-in platform security features, including data encryption in transit and at rest, and role-based access controls.
Most healthcare compliance regulations require organizations to keep track of whenever data is changed, deleted, or corrupted. A reliable backup and recovery plan should include automated change identification, scheduled backups, proactive data change monitoring, and the ability to contact technical support if needed.
Storing data backups outside of Salesforce is a critical component of a data backup and recovery plan and required by the HIPAA Security Rule. In the rare occurrence that Salesforce becomes temporarily unavailable, you would still be able to access your backups through an independent application.
Remember, only solutions that address these five areas, like OwnBackup, fully care for your organization’s Salesforce data.
In addition to OwnBackup’s backup and recovery capabilities, OwnBackup Archiver can help Health Cloud customers manage storage space and comply with HIPAA regulations regarding how long patient data is stored and accessible. To learn more about OwnBackup Archiver for Health Cloud, check out the video below.
As we stated earlier, the global health crisis has stretched nearly all healthcare-related services to their limits. The last thing that these organizations should be burdened with right now is the loss or corruption of highly sensitive, critical patient health information.
As a way to support the healthcare organizations on the front lines of this battle, we launched OwnBackup Gratitude, a program which provides comprehensive data backup and recovery services to healthcare organizations during the global health crisis free of charge.