
Backups and Disaster Recovery

Health IT backups are designed to meet the following standards.

    • The RACGP Accreditation Standard v5 – the standard to which Australian general practices are accredited.
    • The Essential Eight – published by the Australian Government, these are recommended mitigation strategies against cyber security threats.

      Health IT’s standard backup products have been designed to exceed the requirements of both GP Accreditation and Maturity Level Two of the Essential Eight.
    • SMB-1001 – a new baseline standard designed to secure small and medium businesses.

      Customers wishing to align with the SMB-1001 Gold Standard or higher will need additional policies to do so.


RACGP Accreditation Standard v5 – C6.4 D

Our practice has a business continuity and information recovery plan.

If your practice uses computers to store patient health information, you must have a business continuity plan to protect information in the event of an adverse incident, such as a system crash or power failure.

The business continuity and information recovery plan needs to include:

  • the processes by which all critical information relating to the practice’s operations (such as appointments, billing and patient health information) will be frequently backed up

  • a schedule of regular tests so that backups are being correctly created and can be accessed and read as expected

  • details of the secure offsite location where the backup information is stored

  • standard letters of agreement that external IT providers sign to indicate their commitment.


The Essential Eight

Maturity Level Two – Regular backups

  • Backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements.
  • Backups of data, applications and settings are synchronised to enable restoration to a common point in time.
  • Backups of data, applications and settings are retained in a secure and resilient manner.
  • Restoration of data, applications and settings from backups to a common point in time is tested as part of disaster recovery exercises.
  • Unprivileged user accounts cannot access backups belonging to other user accounts.
  • Privileged user accounts (excluding backup administrator accounts) cannot access backups belonging to other user accounts.
  • Unprivileged user accounts are prevented from modifying and deleting backups.
  • Privileged user accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups.

SMB-1001 (2025) Gold Standard

3.1.0.0 (Level 4) Implement a backup and recovery strategy for important digital assets 

Implement a strategy to back up the important digital data and systems your organization needs to operate so that they can be recovered and restored to an operational state with minimum downtime. Important digital data includes all critical, sensitive and operational data like email, working files, client lists, etc., that you require to continuously run your organization. Your recovery strategy must:

  • Be aligned to your digital asset register to ensure that you are backing up the digital assets and systems that are of greatest criticality to your organization operations.
  • Include a register of where all backup files are stored and who has access to them.
  • Include a regular backup schedule or frequency, ideally daily. The frequency between backups must not exceed seven (7) days.
  • Maintain sufficient history of no less than six (6) months that can be efficiently recovered with minimal loss of data or operational downtime.
  • Include a test plan to ensure that all backups can be fully restored to an operational state in an efficient manner that is tested at least once per year.
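The three measurable requirements above (backups no more than seven days apart, at least six months of history, a full restore test at least yearly) and the RACGP requirement that backups are "being correctly created" can be checked mechanically against a backup job log. The script below is an added example and is not Health IT's own tooling or part of any standard; the log line format ("<ISO date> <job type> <result>"), the sample log it builds, and the reading of "six months" as 180 days are assumptions made for the example. Its one deliberate lesson is that a log full of entries can still hide a gap: failed jobs are dropped before the interval is measured, so two consecutive failed weekly runs produce a 21-day gap finding.

```python
"""Audit a backup job log against the schedule, retention and restore-test
thresholds quoted on this page from SMB-1001 3.1.0.0.

Added example, not Health IT's tooling. The log line format
("<ISO date> <job type> <result>") and the 180-day reading of "six months"
are assumptions made for this example.
"""
from datetime import date, timedelta

MAX_BACKUP_INTERVAL = timedelta(days=7)      # "must not exceed seven (7) days"
MIN_HISTORY = timedelta(days=180)            # assumption: six months read as 180 days
MAX_RESTORE_TEST_AGE = timedelta(days=365)   # "tested at least once per year"


def make_sample_log():
    """Constructed job log (not real data): weekly backups from 5 Jan 2025 for
    30 weeks, two consecutive failed runs in January, one restore test in March."""
    start = date(2025, 1, 5)
    failed = {date(2025, 1, 19), date(2025, 1, 26)}
    lines = []
    for week in range(30):
        day = start + timedelta(weeks=week)
        lines.append(f"{day.isoformat()} backup {'failed' if day in failed else 'ok'}")
    lines.append("2025-03-15 restore-test ok")
    return "\n".join(lines)


def parse_log(text):
    """Return (sorted dates of successful backups, date of the last successful
    restore test or None). Jobs that did not finish with 'ok' are discarded:
    for scheduling purposes a failed backup is the same as no backup."""
    backups, restore_tests = set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        day, job, result = line.split()
        if result != "ok":
            continue
        when = date.fromisoformat(day)
        if job == "backup":
            backups.add(when)
        elif job == "restore-test":
            restore_tests.add(when)
    return sorted(backups), (max(restore_tests) if restore_tests else None)


def audit(backups, last_restore_test, today):
    """Return a list of findings; an empty list means all three thresholds are met."""
    findings = []
    if not backups:
        return ["no successful backups recorded"]
    # Schedule: every gap between consecutive successful backups, plus the newest one's age
    for earlier, later in zip(backups, backups[1:]):
        gap = later - earlier
        if gap > MAX_BACKUP_INTERVAL:
            findings.append(f"{gap.days}-day gap between {earlier} and {later}")
    age = today - backups[-1]
    if age > MAX_BACKUP_INTERVAL:
        findings.append(f"newest backup {backups[-1]} is {age.days} days old")
    # Retention: the oldest retained backup must reach back at least six months
    covered = today - backups[0]
    if covered < MIN_HISTORY:
        findings.append(f"retained history covers only {covered.days} days")
    # Restore test: at least one successful full restore within the last year
    if last_restore_test is None or today - last_restore_test > MAX_RESTORE_TEST_AGE:
        findings.append("no successful restore test within the last 365 days")
    return findings


def audit_log(text, today_iso):
    """Parse a job log and audit it as of the given ISO date."""
    backups, last_test = parse_log(text)
    return audit(backups, last_test, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding in audit_log(make_sample_log(), "2025-07-30") or ["no findings"]:
        print(finding)
```

Run as-is it reports a single finding, the 21-day gap between 2025-01-12 and 2025-02-02 caused by the two failed January jobs; the retention and restore-test checks pass for the sample. Pointing it at the practice's real job history (and at a register of offsite copies) gives the evidence the RACGP "schedule of regular tests" and SMB-1001 test plan ask for, rather than relying on the backup software's own green tick.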