When Disaster Strikes: Protecting ePHI from all Kinds of Storms


Whether its guidance from HIPAA in the United States or PIPEDA in Canada, healthcare providers have specific regulatory requirements to ensure the safety and security of the data within their care. A detailed Disaster Recovery Plan is a must-have to be prepared for the possible technology-based, natural, or physical threats that can literally strike at any time. Let’s look at best practices for planning ahead and how legacy data management comes into play.

disaster recovery plan

Hurricanes, hardware failure, wildfires and cybercrimes all have the potential to create havoc on a health system’s electronic medical record (EMR) and valuable data.

Healthcare providers in the United States and Canada abide by very specific regulatory guidelines to ensure that no matter what happens, the data remains safe, secure, and usable.

In the U.S., HIPAA’s security rule states that healthcare groups of all sizes must have a data plan for backup, disaster recovery and an emergency mode of operations. While the response to this rule will vary based on the size and scope of the organization, each entity must abide by the regulation that patient care and EHR security is never put at risk.

For Canadian-based healthcare providers, there are even more stringent requirements for data management and they vary by province. Canada’s federal law, the Personal Information and Electronic Documents Act (PIPEDA), is comparable in many ways to HIPAA in the U.S.; however, there are broader expectations and some pockets of differences as each province has the right to have its own rules and regulations, as long as they are similar to PIPEDA.

The most common disasters to prepare for include:

  • Technology-Based Disasters – Ransomware, data breaches, ISP outages, phishing incidents and loss of data through corruption, failure or viruses
  • Natural Disasters – Fire, physical loss of a data center, flooding, storms, pandemics or other health emergencies
  • Physical Disasters – Infrastructure failure such as loss of power or water, a facility problem, break-ins or heating/cooling issues that could make the workplace unstable

For all cases above, it is a best practice to plan ahead to be most prepared when technology-based, natural or physical disasters occur.

The focus from providers on fortifying electronic health record (EHR) and enterprise resource planning (ERP) systems to ward off cybersecurity crimes has advanced disaster recovery and data security strategies overall. The implementation of smart data protection steps help protect ePHI in the event of natural disasters and man-made threats.

There are many resources and vendors that can help providers create and maintain a solid disaster recovery plan. One resource, Healthcare IT News, has a four-part video series developed in conjunction with Sungard.

  1. Identify a Disaster Recovery Team – Provide training on how to prepare for a variety of situations and determine communication guidelines of how the team will communicate to other members of the organization when disaster strikes.
  2. Create a Disaster Recovery Plan – Led by the team, create a written plan that will be reviewed and updated regularly with technology and contact information.
  3. Perform Data Backup – Run regular backups of all current data either to the cloud or offsite.
  4. Test the Plan – Practice drills to confirm that data back ups are working as planned.

Legacy EHR systems can be vulnerable when disaster strikes

Legacy EHR systems create security risks for healthcare delivery organizations of any size. Think about each legacy EHR as a silo of information that will have to weather a storm on its own. Some organizations have 30-50+ legacy EHR systems with varying degrees of security and stability still intact.

Does your IT leadership have a plan to consolidate legacy patient, employee, or business data silos to ensure secure record retention for the next 7, 10 or even 25+ years? Once consolidated, will the data be readily accessible and enabled for interoperability?  Requests for historical patient records are fielded routinely from patients, payers, employers and lawyers.  Keeping the data siloed in outdated applications not only makes your healthcare organization vulnerable from a security standpoint; it also makes it far more difficult and costly to maintain, access and share information.

HealthData Archiver® offers the flexibility necessary and ensures critical patient, employee and business records are available when, where, and how needed. This improves workflows to provide accurate data for patient care and release of information. There are numerous features to HealthData Archiver® that support the instant accessibility of records for a healthcare organization.

Our team is well versed in securely migrating legacy data into a consolidated, searchable active archive that meets HIPAA requirements and helps reduce legacy data management costs and vulnerabilities.

Cold storage for inactive data

Does your organization have data that will rarely need to be accessed but still requires preservation for compliance or disaster recovery? Cold storage can be a cost-effective solution. With dedicated, secure cloud storage and no user interface (UI), HealthData Locker™ is intended for occasional access by a technical resource via file copy or ODBC connection.

Whatever your legacy data needs, we secure historical records and help your team be better prepared for future storms.

Connect with us. We’re ready to help.


Editor’s Note: This blog has been updated from the original post on May 29, 2018.

Dec 21 2021

Ready to learn more?

Contact us today to learn more about our healthcare data management solutions.

First Name *
Last Name *
Email *

Healthcare IT tips, guides, news & more delivered to your inbox

Sign me up