Backup and Recovery
To meet the backup and recovery requirement, you must run secure backups that are encrypted, stored offsite (or in a secure cloud), and proven recoverable through regular restoration tests that meet your RTO/RPO. Build this as an auditable program: defined scope, monitored jobs, tested restores, and retained evidence. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
Key takeaways:
- Encrypt backups end-to-end and control access to backup systems as high-value assets. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- Store backups offsite or in a secure cloud with clear retention, immutability, and separation from production risk. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- Prove recoverability with routine restoration testing tied to documented RTO/RPO, and retain artifacts auditors can verify. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
Backup and recovery is one of the few security requirements that has a simple test: can you restore the data and systems you rely on within the time and data-loss limits your business accepts? HICP Practice 4.5 expects you to implement secure backup procedures that include encrypted backups, offsite storage, and regular restoration testing, aligned to recovery objectives. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
For a Compliance Officer, CCO, or GRC lead, the operational goal is to turn “we back up our servers” into a controlled, evidenced process that covers critical clinical and business systems, includes third-party and cloud services, and produces repeatable proof. That proof needs to stand up to an exam-style review: clear scope, documented RTO/RPO, backup success monitoring, restore test results, and access controls over backup platforms.
This page is requirement-level guidance. It tells you who needs to comply, what “good” looks like in practice, how to implement step-by-step, and what artifacts to retain so you can answer the predictable questions from auditors, customers, and internal risk committees. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
Regulatory text
HICP Practice 4.5 (excerpt): “Implement secure backup procedures with encrypted backups, offsite storage, and regular restoration testing.” (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
Operator interpretation (what this means in practice):
- You must encrypt backups (not just the production database) and manage keys so unauthorized parties cannot read backup data. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- You must store backups offsite or in a secure cloud location so a local outage, ransomware event, or facility incident does not destroy both production and backup copies. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- You must perform regular restoration testing and show the results. Backup success logs alone do not prove recoverability. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- Your backup design and testing must align to your RTO/RPO for the systems that matter (how fast you must restore and how much data loss is acceptable). (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
Plain-English requirement
Maintain encrypted, recoverable copies of important data and systems in a separate location, then routinely prove you can restore them within business-defined recovery objectives. If you cannot demonstrate recoverability, you do not have an effective backup and recovery control, even if backups “run.” (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
Who it applies to
Entity scope
- Healthcare organizations that store, process, or depend on clinical/operational data and systems. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- Health IT vendors (and broadly, third parties) that host or handle regulated healthcare data, provide EHR/EMR platforms, revenue cycle systems, patient engagement tools, or managed infrastructure. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
Operational context (where the requirement bites hardest)
- Production environments with EHR/EMR databases, imaging systems, lab systems, identity systems, and directory services.
- Cloud/SaaS services where your organization still needs data export, configuration backup, or provider-supported restore paths.
- Ransomware-threatened environments where attackers target backup consoles, backup credentials, and backup storage because restores stop the payout.
What you actually need to do (step-by-step)
1) Define scope: “what must be recoverable”
- Build an inventory of in-scope systems and data sets: critical apps, databases, file shares, VM images, identity systems, and security tooling configs. Map each to an owner.
- Classify “crown jewels” and set recovery objectives:
  - RTO per system (maximum tolerable downtime).
  - RPO per system (maximum tolerable data loss). (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- Document dependencies: restoration often fails because teams forget DNS, IAM, certificates, encryption keys, or integration endpoints.
Deliverable: Backup and Recovery Scope & Objectives register (system, owner, backup method, RTO/RPO, retention).
2) Design the backup architecture (secure by default)
- Select backup types by workload:
  - Databases: native dumps, snapshots, or agent-based backups.
  - VMs/servers: image-level backups plus config backups.
  - SaaS: vendor-supported backup, export jobs, or third-party backup tooling.
- Implement encryption:
  - Encrypt in transit to backup storage and at rest on backup media. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
  - Define key management ownership and access. Treat backup keys as “break-glass” secrets with tight control.
- Implement offsite storage:
  - Separate administrative domain where possible.
  - Cloud storage or physically separate location. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- Add resilience features that reduce tampering risk:
  - Immutability/WORM where feasible.
  - Separate backup credentials from standard admin accounts.
  - MFA on backup consoles and storage admin.
Deliverable: Backup Architecture Standard (encryption, storage separation, credential model, retention, immutability expectations).
3) Operationalize backup execution (run it like a production service)
- Set schedules that meet RPO:
  - Frequency by system criticality.
  - Include configuration backups for infrastructure, network devices, and identity.
- Implement monitoring and alerting:
  - Backup job success/failure alerts to a ticket queue.
  - Daily review of exceptions by an accountable role.
- Establish retention rules:
  - Define how long you keep backups and what triggers deletion holds (litigation, incident response, patient record rules where applicable).
- Control access:
  - Least privilege for backup operators.
  - Separate roles for restore approval vs restore execution for sensitive systems.
Deliverable: Backup Operations Runbook (schedules, monitoring, escalation paths, restore approvals).
4) Prove recoverability with restoration testing (the part auditors care about)
- Define a restoration test plan:
  - What gets tested (by tier).
  - How restores are validated (data integrity checks, application startup checks, user acceptance checks).
  - Success criteria tied to RTO/RPO. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- Run tests on a routine cadence you can sustain:
  - Mix of file-level restores, database restores, full VM restores, and environment rebuild drills.
- Capture evidence:
  - Start/end timestamps.
  - Screenshots/log exports.
  - Tickets and approvals.
  - Lessons learned and corrective actions.
Deliverable: Restore Test Reports + Corrective Action Log. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
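As an added example (not part of the HICP text or any Daydream tooling), the following Python sketch applies the acceptance logic from steps 3 and 4: it reads constructed backup job log lines, flags systems whose newest successful backup is older than their RPO (a failed job that merely "ran" counts for nothing), and accepts a restore test only when achieved RTO, achieved RPO and every validation check pass. The system names, objectives and log lines are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Objective:
    system: str
    rto_minutes: int  # maximum tolerable downtime
    rpo_minutes: int  # maximum tolerable data loss

# Constructed register of hypothetical Tier 1 systems and their objectives.
REGISTER = {
    "ehr-db": Objective("ehr-db", rto_minutes=240, rpo_minutes=60),
    "pacs-imaging": Objective("pacs-imaging", rto_minutes=480, rpo_minutes=240),
    "idp-directory": Objective("idp-directory", rto_minutes=120, rpo_minutes=1440),
}

# Constructed backup job log: "<ISO timestamp> <system> <SUCCESS|FAILED>".
JOB_LOG = """\
2024-03-04T00:05:00 ehr-db SUCCESS
2024-03-04T01:05:00 ehr-db SUCCESS
2024-03-04T02:05:00 ehr-db FAILED
2024-03-04T03:05:00 ehr-db FAILED
2024-03-03T20:00:00 pacs-imaging SUCCESS
2024-03-04T00:00:00 pacs-imaging SUCCESS
"""

def minutes_between(start_iso, end_iso):
    """Elapsed minutes from start to end (ISO 8601 timestamps)."""
    delta = datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)
    return delta.total_seconds() / 60

def rpo_exceptions(log_text, register, now_iso):
    """Flag systems whose newest SUCCESSFUL backup is older than their RPO.
    A job that ran but failed counts for nothing; no good backup at all is flagged too."""
    last_ok = {}
    for line in log_text.strip().splitlines():
        ts, system, status = line.split()
        if status == "SUCCESS" and ts > last_ok.get(system, ""):
            last_ok[system] = ts  # same-format ISO strings sort chronologically
    exceptions = {}
    for name, obj in register.items():
        if name not in last_ok:
            exceptions[name] = "no successful backup on record"
            continue
        age = minutes_between(last_ok[name], now_iso)
        if age > obj.rpo_minutes:
            exceptions[name] = f"last good backup {age:.0f} min old exceeds RPO {obj.rpo_minutes}"
    return exceptions

def evaluate_restore_test(obj, backup_taken, outage_at, restore_start, restore_end, checks):
    """Accept a restore test only if achieved RTO and RPO meet the objective and
    every validation check (integrity, app startup, user acceptance) passed."""
    achieved_rto = minutes_between(restore_start, restore_end)
    achieved_rpo = minutes_between(backup_taken, outage_at)  # data after the backup is lost
    result = {"system": obj.system,
              "rto_ok": achieved_rto <= obj.rto_minutes,
              "rpo_ok": 0 <= achieved_rpo <= obj.rpo_minutes,
              "checks_ok": all(checks.values())}
    result["pass"] = result["rto_ok"] and result["rpo_ok"] and result["checks_ok"]
    return result
```

The dictionaries returned are the kind of machine-readable record you can attach to a restore test report or exception ticket alongside the timestamps and screenshots listed above.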
5) Address third parties explicitly (SaaS, hosted platforms, managed services)
- For each critical third party, confirm:
  - Who performs backups (you, the provider, or both).
  - Encryption and key ownership model.
  - Offsite/storage separation approach. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
  - Restore process, timeframes, and customer responsibilities (what you must provide to restore).
- Contract and due diligence:
  - Ensure the agreement and security exhibits describe backup, retention, and restoration support.
- Test the real restore path:
  - Run at least one “provider-assisted” restore exercise for systems where only the provider can restore.
Where Daydream fits: If your backup dependencies include third parties, Daydream can centralize the due diligence requests, store the provider’s backup/restore commitments, and track restore-test attestations and evidence so you can answer audits without hunting across email threads.
Required evidence and artifacts to retain
Keep evidence in a GRC repository with clear version control and ownership.
Core artifacts
- Backup and Recovery Policy/Standard covering encryption, offsite storage, restoration testing, and RTO/RPO alignment. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- System inventory with tiering and assigned RTO/RPO. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- Backup architecture diagram(s) showing storage location, separation, and encryption points.
- Backup schedules and retention configuration exports (or screenshots) for key systems.
- Backup job reports: success/failure logs and exception tickets.
- Access control evidence for backup consoles (role listings, MFA settings, break-glass procedure).
- Restore test plans and restore test results, including validation steps and corrective actions. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- Third-party documentation: contract clauses or security exhibits describing backups and restores; any provider attestations; evidence of restore exercises.
Common exam/audit questions and hangups
Expect reviewers to press on “prove it” points.
Typical questions
- “Show me which systems are in scope and the RTO/RPO for each.” (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- “Are backups encrypted? Show configuration and key controls.” (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- “Where are backups stored? What prevents a site incident from destroying them?” (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- “Show your last restore test for a critical system and the evidence that it met RTO/RPO.” (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- “Who can delete backups or change retention? How do you detect tampering?”
- “How do SaaS systems get restored? Show the runbook and a completed exercise.”
Hangups that delay a clean result
- No documented RTO/RPO, or RTO/RPO exists but is not linked to the backup schedule and test criteria. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- Restore tests are ad hoc, not repeatable, or lack evidence artifacts. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
Frequent implementation mistakes (and how to avoid them)
| Mistake | Why it fails the requirement | How to avoid it |
|---|---|---|
| Backups “enabled” but not encrypted | Exposes backup media and undermines secure backup procedures | Enforce encryption in backup tooling; document key ownership and access controls. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices) |
| Offsite copy exists but shares admin credentials with production | Attackers compromise one plane and destroy backups | Separate identities/roles; require MFA; restrict destructive actions to break-glass. |
| Only file restores are tested | Doesn’t prove critical app/database recoverability | Test full-stack restores for Tier 1 systems; validate app function and data integrity. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices) |
| RTO/RPO treated as theoretical | Testing doesn’t measure what the business needs | Make RTO/RPO the acceptance criteria for restore tests and remediation. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices) |
| SaaS backup responsibility assumed | Many SaaS restores require provider steps or separate backup tooling | Document the shared responsibility model and test the real provider-assisted restore process. |
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite specific actions.
Operationally, weak backup and recovery shows up as:
- Extended downtime after ransomware or system failure because restores are slow, incomplete, or blocked by missing dependencies.
- Regulatory and contractual exposure if clinical operations cannot access required records or systems and you cannot demonstrate reasonable safeguards aligned to HICP guidance. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- Third-party concentration risk if a hosted provider’s restore process is untested or contractually vague.
Practical 30/60/90-day execution plan
First 30 days (stabilize and define)
- Assign an executive owner and an operational owner for backup and recovery.
- Build the in-scope inventory and set RTO/RPO with business and clinical stakeholders. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- Identify gaps: unencrypted backups, no offsite copy, missing monitoring, no recent restore tests. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- Draft or refresh the Backup and Recovery Policy/Standard with clear minimums for encryption, offsite storage, and restore testing. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
Days 31 to 60 (implement controls and produce evidence)
- Turn on or enforce encryption across backup repositories and backup media; document key management. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- Confirm offsite/cloud storage separation; restrict admin access; enable MFA on backup consoles.
- Implement monitoring with ticketed exception handling and daily review.
- Write restore runbooks for Tier 1 systems (steps, dependencies, approvals, validation checks).
Days 61 to 90 (prove it works and close audit gaps)
- Execute restoration tests for Tier 1 systems and document results against RTO/RPO. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
- Run at least one third-party restore exercise for critical hosted/SaaS services where restores require provider involvement.
- Track corrective actions to completion and schedule the next test cycle.
- Centralize evidence: store policies, logs, test reports, and third-party commitments in a system of record (many teams use Daydream for third-party evidence collection and ongoing tracking).
Frequently Asked Questions
Do we need to encrypt backups if production disks are already encrypted?
Yes. The requirement is about secure backup procedures, and backup media can be copied, exfiltrated, or mishandled. Encrypt backups and control the keys so the backup copy is protected independently. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
What counts as “offsite storage”?
Offsite means the backup copy is stored in a location separate from the primary environment so a local incident does not destroy both. Secure cloud storage can qualify if access is controlled and the backup is not easily destroyed from compromised production admin accounts. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
How do we define “regular restoration testing” without a prescribed frequency?
Pick a routine cadence you can sustain and justify based on system criticality and RTO/RPO. Document the rationale, run tests, and retain artifacts that show the restore succeeded and met your objectives. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
Are backup success logs enough to satisfy auditors?
Usually not. Logs show jobs ran; they do not prove you can restore a working system and validate data integrity. Keep restore test reports with evidence and acceptance criteria tied to RTO/RPO. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
How should we handle backups for SaaS applications where we don’t control the platform?
Document the shared responsibility model, confirm encryption and offsite storage commitments from the provider, and define the actual restore steps (provider ticket, export, rebuild, validation). Run a restore exercise and retain the evidence. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
What evidence is most persuasive in a review?
A short list wins: documented RTO/RPO per critical system, configuration evidence showing encryption and offsite storage, and a recent restore test package with timestamps, validation steps, and remediation for any gaps. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)