Data Backup And Restoration Standard

Overview

All owners of Information Systems, shared files and electronic media containing Electronic Protected Health Information (EPHI), Personally Identifiable Information (PII), or financial data must adhere to defined standards for managing this data. These standards include the requirement that such data be securely stored and backed up.

Purpose

To provide standards for the backup and restoration of Information Systems.

Scope

This standard applies to all UVA Health System Information Systems Owners.

Description

All system owners must:

  • Identify and adhere to specific legal requirements for retention periods for data under their management.
  • Identify and adhere to specific technical requirements for backup operations (such as those required by active databases which cannot be backed up during operation, but must instead provide daily data export files to be captured and backed up).
  • Maintain documented backup and restoration procedures for all Information Systems that they manage.
  • Regularly test these backup and restoration procedures.
  • Ensure that any data that may contain ePHI, PII, or financial information is backed up to a secure device. Such devices should be both physically secured and electronically secured. For inquiries regarding the adequacy of security measures, please consult available guidelines such as the University of Virginia's Institutional Data Protection Standards or University of Virginia Policy IRM-003: Data Protection. If questions remain, please contact MCCSECURITY@hscmail.mcc.virginia.edu.

Health Information and Technology (HIT) runs nightly backups of all shared folders (O:, Z:, etc.) and personal folders (F:) so that information may be recovered if needed. Backups are stored for 90 days.

  • Customers may request a restoration of a shared (O:, Z:, etc.) or personal (F:) drive file by contacting the HIT Helpdesk at 434-924-5334 as soon as they notice the file is missing. Please be aware that after 14 days the file may not be recoverable.
  • HIT manages backup and restoration of Information Systems such as Epic to ensure EPHI is protected and available when needed.
  • Any backup of information that may contain electronic protected health information (ePHI), personally identifiable information (PII) or financials must be stored in a secure location (i.e., secure server, departmental drive).
  • Backups containing ePHI, PII or financials must never be stored on the Desktop, C: drive, USB devices or any other location considered insecure.

In meeting these requirements, note that existing backup infrastructure may be providing this service for your data:

HIT-Managed Server Solutions (e.g. EPIC)

Backup schedules here are determined by the application needs. If you are a designated system owner for such a solution, you may contact the HIT administrator assigned to your solution for details regarding the currently-implemented backup procedures.

HIT-Managed Network Storage Locations

Health Information and Technology (HIT) performs nightly backups of all shared folders (O:, Z:, etc.) and personal folders (F:).

  • Monthly backups (one day of the month on which all data on the share is preserved) are kept for three months
  • Weekly backups (one day of the week on which all data on the share is preserved) are kept for four weeks
  • Daily backups (one point in time each day at which all data on the share is preserved) are kept for two weeks

Note that the backup schedule above impacts which files may be available for recovery. Consider the following hypothetical scenario:

The current date of the hypothetical scenario is July 1st.

  • For some set of data, monthly backups were taken on the following days for the past three months: June 10th, May 10th, and April 10th.
  • For the same set of data, weekly backups are available for the past four weeks: June 24th, June 17th, June 10th, and June 3rd.
  • For the same set of data, daily backups are available for the past two weeks: June 17th through July 1st.

Should a file have been created on April 11th (and therefore not captured by the monthly backup on April 10th), and then deleted or otherwise lost on May 9th (and therefore not captured by the monthly backup on May 10th), no copy will be available for restoration, as no existing backup retains this file.

However, should a file have been created on June 11th (and therefore not captured by the monthly backup on June 10th), and then deleted or otherwise lost on June 30th, copies of this file will be available for restoration from the daily backups taken between June 17th and July 1st.
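
The scenario above can be checked mechanically. The following is an added example, not part of the standard or of any HIT tooling: it rebuilds the scenario's retained backup dates and lists which of them hold a copy of a file with a given creation and loss date. The year, the function names, and the rule that a nightly backup holds a file present at the end of that day (created on or before the backup date, lost after it) are assumptions.

```python
from datetime import date, timedelta

YEAR = 2023  # constructed: the standard's scenario gives no year


def scenario_backups(year=YEAR):
    """Backup points retained on July 1st in the scenario: date -> tiers."""
    points = {}
    for month in (4, 5, 6):                      # monthly: Apr/May/Jun 10th
        points.setdefault(date(year, month, 10), []).append("monthly")
    for day in (3, 10, 17, 24):                  # weekly: four June dates
        points.setdefault(date(year, 6, day), []).append("weekly")
    day = date(year, 6, 17)                      # daily: June 17th - July 1st
    while day <= date(year, 7, 1):
        points.setdefault(day, []).append("daily")
        day += timedelta(days=1)
    return points


def restorable_from(points, created, lost):
    """Backup dates holding a copy of a file created/lost on the given days.

    Assumption (not stated in the standard): a nightly backup captures a
    file that exists at the end of that day, so created <= backup < lost.
    """
    return sorted(d for d in points if created <= d < lost)


if __name__ == "__main__":
    points = scenario_backups()
    cases = {
        "created Apr 11, lost May 9": (date(YEAR, 4, 11), date(YEAR, 5, 9)),
        "created Jun 11, lost Jun 30": (date(YEAR, 6, 11), date(YEAR, 6, 30)),
    }
    for label, (created, lost) in cases.items():
        hits = restorable_from(points, created, lost)
        if hits:
            print(f"{label}: {len(hits)} copies, {hits[0]} to {hits[-1]}")
        else:
            print(f"{label}: no retained backup holds this file")
```

Under the stated assumption, the April file appears in no retained backup, while the June file is present in the nightly copies from June 17th through June 29th.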

For any data recovery operations required of HIT-managed backup solutions (such as shared drive backups), customers may request that this data be restored by contacting the HIT Help Desk at 434-924-5334. 

Document Supporting Resources