A Whitepaper by
Dolce Vita IT Solutions LLC
Business Continuity in Chiropractic Environments
Chiropractic environments are typically smaller office settings and are often more cost-constrained than other medical environments. This means they are often sold third-party IT and office management offerings which frequently do not protect the practice’s data as well as the owners believe. Based upon experience in assisting chiropractic offices and other small medical practice clients, some guidelines are offered for chiropractic practice owners to follow in order to limit risks to sensitive data.
Sources of sensitive data
The chiropractic environment has several sources of sensitive data which need to be protected, some of which are not necessarily obvious:
Routine patient data in chiropractic practice management software
Requirements for protecting data
Protection of data in a chiropractic environment does not differ greatly from that in other business environments. To understand some of the risks, consider the most typical ways for data to be lost (or stolen).
Firewall and Content Filtering
It is not uncommon to find practices with residential-quality firewalls and wireless systems, without content filtering or the ability to detect malicious encrypted traffic common with ransomware exploits. This is a situation which should be looked at closely and remediated.
AntiVirus and AntiSPAM
With regard to ransomware, which is one of the most prevalent risks facing businesses, there are a number of important conditions which owners should be aware of and ask about:
Backups and Business Continuity
It is generally acknowledged in the technology industry that ordinary file/folder backups are no longer adequate for business continuity. It is essential to have a business continuity plan which includes the ability to recover not only the files and folders encompassing all patient data, but also imaging data, documents, correspondence, accounting and business planning data, as well as email. In addition, any critical servers or workstations should be protected at least on-site by imaging software; this allows a recent backup image of a failed workstation to be restored to new hardware if needed.
Unfortunately it is common to see situations where the only patient data recoverable was that in the chiropractic practice management system. This is only a portion of the data required to be recoverable. It is the business owner’s responsibility to know where all critical data resides, verify that it is backed up, and verify that it is recoverable.
The typical storage situation in chiropractic offices includes two to five workstations, often with one designated as a "server" but running a workstation operating system. In the typical case, the critical data is spread across a number of devices; if the patient records database is the only data being consistently backed up, then there is a problem. To simplify the storage environment it is possible to have scanned documents and other data reside on a server, network-attached storage device or other converged storage. This can simplify the backup protocols as well, resulting in one device holding the critical data to be backed up.
Recovery Risk Matrix
Once the storage environment is planned, it is critically important to work with whoever provides the practice’s IT to review its highest-risk, highest-probability downtime scenarios, ensure reasonable steps are taken to protect data, and ensure that the owner understands the timeframe for recovery of data given the current infrastructure. A risk matrix is one of the most useful and dynamic methods used for business continuity planning.
It is useful at this stage to review the distinction between backups and business continuity, because the difference is exceptionally important from a cash flow perspective. The term ‘backups’ is used to describe the fact that a copy or image of critical data is kept on separate media allowing data to be recovered in the event the original media or device is damaged, etc. The term backup does not account for the time required to recover data.
The term ‘business continuity’ is used to describe the practice of backing up data as an image in such a way that it is recoverable in an acceptable timeframe to minimize cash flow impact on a business. This can be critically important and is illustrated by two recent real-world examples.
The client is an educational institution whose primary file server failed late on a weekend due to a failure of multiple hard drives. This required that the drives be replaced and a “bare-metal” recovery be performed to different hardware.
The data recovery for this 1.5TB server required approximately 20 hours for the backup system to complete. The business impact extended from about 0800 Monday morning until about 4 PM Monday, and the school acknowledged no serious impact on their organization.
The client is a high-tech manufacturer serving the oilfield and aviation industries. They had a critical database server fail due to live system modifications being made by an application developer. They had over 50 personnel as well as five 18-wheel transports idled by this data incident, at an estimated downtime cost of approximately $2500 per hour. The business was up and running with a server image in under 30 minutes due to the business continuity system in place. In addition, the server data was restored outside of regular business hours to minimize disruption to the client.
This illustrates the need for owners to understand recovery timeframes and their impact on cash flow. In the chiropractic setting, it can create a significant inconvenience, but usually will not cause a significant cash flow disruption, so long as the data is recoverable. With regards to cash flow impact it is useful to plan around the potential absence of key data for the duration of various recovery scenarios, and to at least plan for work process adjustments to accommodate this and minimize patient care impact.
Example Risk Matrix
A risk matrix is a basic listing of all of the significant information repositories, such as patient images, front office scans, patient records, accounting data, etc. Each repository is then rated for business impact (on a scale from 1 to 10, where 10 effectively does not allow business to be conducted or is extremely damaging). Each repository is then evaluated for the likelihood of damage occurring (again, from 1 to 10). Effectively the risk factor is:
Risk factor = business impact x likelihood
Of course the higher the risk factor, the more it may need to affect how that repository is protected. Businesses should re-evaluate risk factors on at least an annual basis, and should test data recovery on at least a monthly or quarterly basis. Our clients with major potential cash flow impacts are set up with automated testing of their backups on a daily basis.
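As an added illustration of the risk matrix described above (this is example code written for this page, not a tool from Dolce Vita IT Solutions), the following Python script scores a constructed inventory of practice data repositories using the page's rule, risk factor = business impact x likelihood on a 1 to 10 scale, orders them highest risk first, and flags the gaps an owner should raise with the IT provider: a repository that is not in the backup set, or one whose recovery has never been tested or not been tested recently. The repository names, scores and the 90-day recovery-test threshold are assumptions for illustration; the threshold follows the page's "monthly or quarterly" guidance.

```python
"""Risk matrix for practice data repositories (added example, not from the whitepaper).

Scores follow the page's rule: risk factor = business impact x likelihood, both
rated 1..10. The sample repositories and their values are constructed for
illustration; the 90-day recovery-test threshold is an assumption based on the
page's "monthly or quarterly" guidance.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SCALE_MIN, SCALE_MAX = 1, 10
TEST_MAX_AGE_DAYS = 90  # assumption: a recovery test at least quarterly


@dataclass(frozen=True)
class Repository:
    name: str
    business_impact: int                      # 1..10, 10 = practice cannot operate
    likelihood: int                           # 1..10, chance of loss or damage
    backed_up: bool                           # is it actually in the backup set?
    days_since_recovery_test: Optional[int]   # None = recovery never tested


def risk_factor(business_impact: int, likelihood: int) -> int:
    """Risk factor as defined on the page, with the 1..10 scale enforced."""
    for label, value in (("business impact", business_impact), ("likelihood", likelihood)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{label} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")
    return business_impact * likelihood


def findings_for(repo: Repository) -> List[str]:
    """Gaps an owner should raise with the IT provider for this repository."""
    notes: List[str] = []
    if not repo.backed_up:
        notes.append("not backed up")
    elif repo.days_since_recovery_test is None:
        notes.append("recovery never tested")
    elif repo.days_since_recovery_test > TEST_MAX_AGE_DAYS:
        notes.append(f"recovery test older than {TEST_MAX_AGE_DAYS} days")
    return notes


def build_risk_matrix(repos: List[Repository]) -> List[Dict]:
    """Score every repository and return rows ordered highest risk first."""
    rows = [
        {
            "name": r.name,
            "impact": r.business_impact,
            "likelihood": r.likelihood,
            "risk_factor": risk_factor(r.business_impact, r.likelihood),
            "findings": findings_for(r),
        }
        for r in repos
    ]
    # sorted() is stable, so repositories with equal scores keep their listed order
    return sorted(rows, key=lambda row: row["risk_factor"], reverse=True)


# Constructed sample inventory for a small practice (illustrative values only)
SAMPLE_REPOSITORIES = [
    Repository("Patient records (practice management DB)", 10, 4, True, 20),
    Repository("Digital X-ray images", 8, 5, False, None),
    Repository("Front office scans", 6, 6, True, 120),
    Repository("Email", 5, 5, True, None),
    Repository("Accounting data", 7, 3, True, 45),
]


def print_matrix(rows: List[Dict]) -> None:
    for row in rows:
        flags = "; ".join(row["findings"]) or "ok"
        print(f"{row['risk_factor']:>3}  {row['name']:<42} "
              f"impact={row['impact']} likelihood={row['likelihood']}  {flags}")


if __name__ == "__main__":
    print_matrix(build_risk_matrix(SAMPLE_REPOSITORIES))
```

Note that in the constructed sample the imaging repository ties with the patient records database on risk factor yet has no backup at all, which is exactly the situation the page warns about: the practice management database is protected while an equally critical repository is not.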
It is important for chiropractic practice owners to be involved in the appropriate protection of their data. Involvement in identifying all critical data sources and in decision making regarding the continued availability of that data will reduce risk to the business and can ensure better quality of service for patients. Making assumptions about the current quality of data protection is irresponsible and potentially dangerous for the business and for quality of care. It is easy for business owners to feel intimidated by this process, but their IT service provider should be able to provide assistance to make it reasonably painless.
About the author: Dolce Vita IT Solutions is an Edmond, Oklahoma based IT consulting firm specializing in providing IT support to small and mid-sized businesses in the medical, insurance, manufacturing, banking, and other business verticals. In business since 2002, Dolce Vita works with businesses from 2 to 500 users. Lane can be reached at firstname.lastname@example.org.