Greg
Surely if RACGP standards advise we do backups, by implication we should
check if backups work? In all the years I have had computers, the
suppliers of my hardware, software (yes even 15 years ago) always advised me
to do regular backups. And to also check if backup actually works. If
RACGP standards say: "backups of electronic information are performed at a
frequency consistent with a documented information disaster recovery plan",
I would have thought that it implies to test your backups - otherwise why do
them? "Disaster recovery plan" implies one is able to recover data and the
only way to recover data is to have backups and see if they work.
Cedric
----------------------------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Greg Twyford
Sent: Monday, 26 March 2007 5:00 PM
To: General Practice Computing Group Talk
Subject: Re: [GPCG_TALK] backup!
[EMAIL PROTECTED] wrote:
It has to be part of the Disaster Recovery Plan - Criterion 4.2.2 D. It
doesn't seem to be whatever the accreditation companies decided, it is
probably what has been added to RACGP 3rd Standards book after GPCG
recommended it but it is definitely there.
fee
Fee,
If you can't see it in print from the standards, then it doesn't exist!
This is from the RACGP website to-day.
Indicators
1. Patient health information in our practice is neither stored nor
left visible in areas where members of the public have unrestricted access,
or where constant staff supervision is not easily provided (interview,
direct observation).
2. our facsimile machines, printers and other communication devices are
only accessible to authorised staff (direct observation).
3. our GP(s) and staff can describe how they ensure security of patient
health records (interview).
4. if our practice uses computers to store patient health information,
our practice ensures that:
   * our GP(s) and staff have personal passwords to authorise
     appropriate levels of access to health information
   * screensavers or other automated privacy protection devices are
     enabled
   * backups of electronic information are performed at a frequency
     consistent with a documented information disaster recovery plan
   * backups of electronic information are stored in a secure
     offsite environment
   * antivirus software is installed and updated
   * all internet connected computers have hardware/software
     firewalls installed (document review).
5. if our practice uses computers to store personal health
information, our practice has an information disaster recovery plan
that has been developed, tested and is documented (document review).
It does NOT specify what should be in the disaster plan. It advises GPs
to use the following resources, and it notes that these resources
contain 'suggestions for additional security procedures'. That's NOT the
same as a requirement.
Again from the RACGP website to-day:
The RACGP Handbook for the management of health information in private
medical practice (www.racgp.org.au), and the General Practice
Computing Group's (GPCG) Computer security self assessment guide and
checklist for general practitioners (www.gpcg.org) provide information
and explanations on the safeguards and procedures that need to be
followed by general practices in order to meet appropriate legal and
ethical standards concerning privacy and security of patient health
information. These documents also contain suggestions for additional
security procedures.
What happens when you let human beings loose to measure the performance
of other human beings is the problem. People change suggestions into
requirements. In the absence of any clear authority on the accreditation
bodies' part to 'improve' on the college's standards, I strongly suspect
that this has happened in the case of your survey and others.
I prefer my keyboards to be black, so you'll have black ones too.
Everyone knows that black ones go faster.
Sorry, not part of the standard, it shouldn't be happening like that.
Greg
-- Original Message --
Date: Mon, 26 Mar 2007 15:18:22 +1000
From: Greg Twyford <[EMAIL PROTECTED]>
To: General Practice Computing Group Talk <[email protected]>
Subject: Re: [GPCG_TALK] backup!
Reply-To: General Practice Computing Group Talk
<[email protected]>
[EMAIL PROTECTED] wrote:
-- Original Message --
Date: Mon, 26 Mar 2007 11:49:55 +1000
From: Greg Twyford <[EMAIL PROTECTED]>
I'd suggest that you read 4.2.2 again. Test restores aren't mentioned.
Try passing accreditation without being able to prove that test
restores are being done!
We passed 3rd Standards in Nov and it was definitely a question. Yes it is
a requirement, and staff ARE meant to understand how, when, where and how
often this is done. It is meant to be documented and surveyors take
this subject VERY seriously.
fee
Fee,
I don't doubt what you say, as it's exactly what the GP I referred to
experienced. However, all this tells me is that the accreditation bodies
themselves decide what is required.
If they don't follow the College standards, what do they decide to
follow? And where do they get the right to pick and choose what they
include?
Particularly if the surveyors have no particular IT knowledge.
Moreover, how do practices know what they expect if it isn't in the
college's standards? Do the accreditation bodies send out their own
lists of requirements to practices beforehand?
Greg
--
Greg Twyford
Information Management & Technology Program Officer
Canterbury Division of General Practice
E-mail: [EMAIL PROTECTED]
Ph.: 02 9787 9033
Fax: 02 9787 9200
_______________________________________________
Gpcg_talk mailing list
[email protected]
http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk