Steve McEvoy
September 18th, 2012
IT Disaster Recovery
How Prepared are You?
Goals
• To discuss technology in a way that might actually be useful to
you in your
practice• Share ideas that you should be able to implement immediately
• Talk will be available to you online so you don’t need to take notes
• Ask your questions to the moderator right when you are thinking about it
Agenda
• What is a Disaster • Disaster Planning • Backups • Passwords • DocumentationDisaster Recovery
Is an exercise in: • Planning
• Preparation • Testing
Most likely not a DIY project • You are the Catalyst
Kinds of Disasters
What forms of Disasters could impact your Practice?
• Fire • Theft
• Flood (natural disaster) • A Hacker
A Disasters Impact
• No Practice Management Software
– No Schedule – No Financials • No Imaging Software • No X-Ray • No Printing • No e-mail • No Patient Communications • …. and more
Recovery Time
If you got hit by a Disaster, how long do you think it would take to be 100%
recovered? – 2 hours? – 4 hours? – 1 day? – 2 days? – 1 Week? – Never?
Recovery Time
Consider the Cost relationship to recovery time.
Decision to Make
It is up to the Practice to decide if
your IT is Business Critical, and if
so, embark on preparing a
complete disaster plan.
Disaster Planning
• Start with a Commitment to do this Properly
• Taking it Seriously
• Prepare to Fund as needed
• Realize there will be Time and Effort
required from a Point person within the Practice
Identify your Goals
• What functions you are worried about
– PM App, Imaging App, X-Ray, etc.
• Set Goals for how quickly you need them reasonably recovered
– PM App within 2 hours
– Imaging and X-Ray within 1 day
• Establish what order you want things recovered in
Discussion Time
Have a planned, in-depth meeting with your IT person to discuss these business goals
• Express desire for a complete strategy
• Have them evaluate if existing processes meet your goals
• How will systems need to be modified (if at all) to meet those goals?
• Document the details of the Plan
Test the Plan
An untested plan is a liability
• Require that the plan be put through a real test
• Schedule a day to perform it on
• Don’t cut corners to make it ‘easier’
– The corner you cut may make all the difference
• Be critical of the way the day unfolds
– Did the unexpected happen?
Test the Plan
Scenario to test with:
• Just shutdown your server
• Explain that the following happened
– Server was stolen
– Onsite Backups were stolen too.
– Essentially the same as Fire and Flood
• All they have to work with is the offsite backup and the other PCs in the office
Adjust the Plan
After the Fire drill, meet again to discuss the result
• Does any of the process need to change? • Finalize the Documentation of the plan
Let the rest of the staff know a plan is in place
Comprehensive
Backup Plan
Comprehensive Backup Plan
Elements of any plan • Who • What • When • Where • Why • How
What ‘is’ your Data?
• Word Documents/Letters • Practice Management – Database – Documents – Custom Templates • Image Management – Database – Images – Custom Templates – Configuration FilesWhat ‘is’ your Data
• X-Ray Systems – Database – Images – Calibration files – Configuration files– These are often NOT on the Server
• Software Installation CDs
– Keep the Latest versions and any ‘codes’ together in one place
What ‘is’ your Data
• Other Applications to worry about
– QuickBooks – Sesame – Televox – Invisalign – OrthoCAD – GeoDigm – SureSmile – …. others
Where ‘is’ your Data
• Common mistake is to assume all this data is in one place on your Server
• Demand that your IT person really
understand where the data is in each of those apps
– A call to vendors can be helpful
• Can it be reconfigured to have all the data in one place on your Server?
How Much Data?
• Now that we have identified what and where your data is, how much is there? • Need to know to ‘size’ the backup
solution
• Typical non-CBCT Practices have <100GB • Develop an estimate of how much Data
you will have over the next 3 years
– Consider big impact changes like CBCT
– Backup technologies evolve, so don’t over invest
Backup Methods
What I would NOT consider
– Tape backup of any kind
– File based backups that only include the data and not recovery of the Operating System
• Veritas Backup Exec
• File Sync utilities or Copy Scripts • Only using an Internet Backup
– Any off-site backup that does not Encrypt the backup
– Backups that can’t automatically notify you if they worked, or didn’t work
Backup Methods
I do like ‘Image’ based backups
• Image based backups ‘photocopy’ the entire drive of the Server
– Operating System – Configuration
– Data
• They can do a ‘bare metal restore’ • They can restore single files
Acronis Software
• Acronis is Image based backup Software • Workstation Version ~ $85
• Server Version ~ $860 • www.Acronis.com
Backup Frequency
• Two backup media sets
– Onsite – Large drive, never removed – Portable – Several, used for off-site
• Consider one for every day of the Week • Keep latest off-site
• Scheduled Automatic Backups in Evening
– Weekdays to Onsite – Weekdays to Portable – Weekly to Onsite
Backup Media
• USB Drives • Speed
– USB 2.0 drives most available
– USB 3.0 much faster, better choice for future
• Computer needs a USB3 port to see the speed
• Size – based on your 3yr prediction
– Onsite drive
• Look for a large drive – 3TB ($200)
– Portable drives
Encryption
• HIPPA Compliance
• Any backup should have some level of protection in case lost or stolen.
• Easiest solution is to ‘encrypt’ the backup when its made
• Keep track of the encryption password – its necessary to restore from the backup
Monitoring
• Expect your backups to have issues over time
• Monitoring is necessary
– Configure to email you when they work, and more importantly whey they don’t
• Validation is necessary
– Periodically perform a test restore to be sure your backups are usable
Special Backups
In addition to scooping up the Server
backup daily, you might consider backing up a few other key things
Special Backups
• SQL Server
– If your applications use Microsoft SQL Server it requires a special backup process
– If its your PM app, consider making SQL
backups more often during the day, maybe noon and 6pm.
• Router Configurations
– Export them to a file
• Software Licensing
Internet Backup
Internet Backup
• Might be NOT be appropriate when:
– Large Amounts of Data (cost)
– Large Amounts of Daily Change (time) – Slow Internet Connection (time)
• Might be appropriate when:
– To supplement an Image Based Backup
• Can fill in what’s missing
Internet Backup
• Still needs to be:
– Encrypted – Monitored – Validated
• Consider the time it would take to download all your data after a crisis • Can the ‘agent’ be:
– Scheduled for non-business hours?
Internet Backup
• Costs
– Personal
• ~$5 per month for unlimited data • Usually cannot be used for business
– Business
• ~$50 per month for <100GB typical • Additional storage is ~$50 per 100GB
Internet Backup
• Be cautious of backup solutions provided by your IT person
• Might seem like a good idea when the relationship is happy, but consider the problems with you break up.
The Who’s
• Who will monitor the backup (seriously)? • Who will swap the drive each day?
• Who will carry the off-site drive?
• Who will perform the recovery in a crisis? • Who will be their backup if they are sick
or on vacation?
• Make sure the who’s know these are their responsibilities
Other Hardware
• If your existing hardware is destroyed or stolen, what will be used?
• ‘Universal Restore’ to adapt backup image to new hardware
• Solution might include a temporary server to hold you over while new hardware is
Keeping things handy
• Designate a spot to store:
– Backup drives
– All your installation CDs – License codes
– Manuals
When you are down…
How will the Practice operate for the period when the network is down?
• Duration of:
– 2 hours – 4 hours – 1 day – Longer
• How could you prepare?
– Print a schedule out in advance the day before?
Password Best Practices
• Every user account should have a password
• The Administrator password should be ‘Hard’
• Any password that could be used for remote access should be ‘Hard’
• Change the passwords when an employee is released
Administrator Password
You should have a ‘Hard’ Administrator password
• One or more special characters such as !@#$%^&*()
• At least one number, preferably two or more • A mix of upper and lower case
• At least 7 characters in length, more is better
• A non-dictionary word, ideally something totally random
Any password that can be used for external access should be ‘Hard”
Know your Passwords!
Document passwords for:
– Server Administrator – Local Administrators – SQL sa
– Backup encryption passwords
– Internet Firewall/Router password – Remote access controller
– Passwords for ALL your user accounts so you can login to any of the staff computers
Lockout Accounts
Windows Servers have a defense against brute force attacks
• They can Automatically Lock Out an
account after several failed login attempts
– Set to lock out account after 5 failures – Unlock the account after 30 minutes
• Not On by default, need to edit GPO
• If you find an account is always locked out, start worrying about why
MME’s Blog
Thank You!
steve@mmeconsulting.com
Presentation Online at
www.mmeconsulting.com/presentations