
Healthcare Data Backup Is Not Enough: Building Full Data Resilience for NIS2 & ISO 27001

Executive Summary

  • Traditional “set and forget” healthcare data backup is no longer enough under NIS2 and ISO 27001. You need end-to-end data resilience.
  • Shift from ad-hoc backups to a designed backup & recovery strategy that covers on-prem, cloud, Office365 backup, clinical apps and SaaS.
  • Use data management as a service (DMaaS) to standardize protection, monitoring, testing and reporting across the environment.
  • Make your backup & recovery platform a core control in your ISMS and NIS2 compliance story, not an afterthought.

Evolving from “we have backup” to real data resilience.

Most healthcare SMEs still start the conversation with:
“We’re covered, we have backups.”
Then a ransomware incident, a corruption in the EHR database, or a Microsoft 365 account compromise happens and suddenly these questions arrive on your desk:
• How long until we can treat patients again safely?
• Which systems can we restore first, and in what order?
• Can we prove to the regulator that our backups are secure, tested and compliant?


That’s the gap between backup and data resilience.
For healthcare organizations facing NIS2 and ISO 27001, this gap is now a regulatory risk, not just an IT annoyance. Backups that “probably work” are not acceptable anymore. You need a designed, measurable and testable backup & recovery strategy that fits into your security management system.

This article shows how to move from simple healthcare data backup to full data resilience, with a specific focus on:
• Healthcare clinical systems & EHRs
• Office365 / Microsoft 365 backup
• Using data management as a service (DMaaS) to simplify operations
• Aligning to NIS2 and ISO 27001 expectations

Core concepts: from backup to data resilience

Before the framework, let’s lock in a few definitions.

Data resilience vs. backup

• Backup: Copying data to another location so it can be restored later.
• Data resilience: The ability to continue operations and recover data at acceptable speed and granularity, even in the face of cyberattacks, hardware failure, human error or cloud disruption.

Resilience focuses on:
• Recovery speed and sequence (RTO)
• Data currency (RPO)
• Proven restorability (regular tests)
• Segmentation and immutability (surviving ransomware)
• Governance and evidence (NIS2 / ISO 27001)

Why this matters more in healthcare

Healthcare SMEs have a double problem:

  1. Patient safety & continuity
     Downtime hits clinical workflows directly: appointments, lab results, medication records, imaging, triage systems.
  2. Regulation & liability
     NIS2 and ISO 27001 push you to demonstrate risk-based controls, business continuity, and incident response, including backup and recovery capabilities.

So, “we back up to a NAS in the server room” is not even close.

A simple framework: The 5-layer healthcare data resilience model.

Use this mental model when designing or upgrading your strategy:

  1. Layer 1 – Critical data & workloads
  2. Layer 2 – Protection architecture
  3. Layer 3 – Cyber resilience controls
  4. Layer 4 – Governance & compliance
  5. Layer 5 – Operations as a service (DMaaS)

We’ll step through each layer with healthcare-specific examples.

Layer 1 – Know what you’re actually protecting

If you ask your team “what are our most critical data sets?” and you get silence or a 400-line spreadsheet, you have your first problem.

Step 1: Map critical healthcare data

Typical healthcare SME data map:
• EHR / EMR systems
Core patient records, consultations, prescriptions.
• PACS / imaging systems
Radiology images, cardiology data, large files.
• LIS / lab systems
Test results, orders, workflow data.
• Line-of-business apps
Scheduling, billing, insurance, patient portals.
• Infrastructure services
Active Directory, DNS, identity systems.
• Collaboration platforms
Office365 / Microsoft 365: Exchange Online, SharePoint, OneDrive, Teams.
• Unstructured clinical content
Shared drives, local file servers, “temporary” storage that became permanent.

Step 2: Assign business impact & priorities

For each system, assign:
• RTO (Recovery Time Objective): how fast must it be back?
• RPO (Recovery Point Objective): how much data loss is acceptable?

Example for a small hospital or clinic group:

System                   | RTO target  | RPO target | Comment
EHR primary database     | 2–4 hours   | 15 minutes | Core clinical
PACS storage             | 8–24 hours  | 1 hour     | Large data
AD / identity            | 4 hours     | 4 hours    | Dependency
Office365 mail & Teams   | 8 hours     | 4 hours    | Comms
Shared drive “Clinical”  | 24 hours    | 12 hours   | Documents

These RTO/RPO values drive architecture and cost. Without them, you’re just buying storage and hoping.
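To show how the RTO targets in the table above, together with the "Dependency" note on AD, determine a restore order and whether each RTO is actually reachable, here is an added example (not code from the original article). The dependency links and restore durations are constructed assumptions; RTO ranges are taken at their upper bound.

```python
from dataclasses import dataclass
from graphlib import TopologicalSorter


@dataclass
class Workload:
    name: str
    rto_hours: float          # recovery time objective from the BIA
    restore_hours: float      # estimated restore duration (constructed assumption)
    depends_on: tuple = ()    # workloads that must be running before this one


# Constructed from the RTO table above (upper bound of each range);
# restore durations and dependency links are assumptions for illustration.
INVENTORY = [
    Workload("AD / identity", 4, 2),
    Workload("EHR primary database", 4, 3, ("AD / identity",)),
    Workload("PACS storage", 24, 10, ("AD / identity",)),
    Workload("Office365 mail & Teams", 8, 5),
    Workload("Shared drive Clinical", 24, 6, ("AD / identity",)),
]


def recovery_sequence(inventory):
    """Restore order: a workload becomes eligible once its dependencies are
    restored; among eligible workloads the tightest RTO goes first (name breaks ties)."""
    by_name = {w.name: w for w in inventory}
    ts = TopologicalSorter({w.name: set(w.depends_on) for w in inventory})
    ts.prepare()              # raises CycleError if dependencies are circular
    pending, order = set(), []
    while ts.is_active():
        pending.update(ts.get_ready())
        nxt = min(pending, key=lambda n: (by_name[n].rto_hours, n))
        pending.remove(nxt)
        order.append(nxt)
        ts.done(nxt)
    return order


def rto_feasibility(inventory):
    """Earliest finish per workload, assuming restores run in parallel as soon as
    their dependencies are up. Returns {name: (finish_hours, meets_rto)}."""
    by_name = {w.name: w for w in inventory}
    finish = {}
    for name in recovery_sequence(inventory):
        w = by_name[name]
        start = max((finish[d][0] for d in w.depends_on), default=0)
        finish[name] = (start + w.restore_hours, start + w.restore_hours <= w.rto_hours)
    return finish


def rto_breaches(inventory):
    """Workloads whose RTO cannot be met because of the dependency chain."""
    return [n for n, (_, ok) in rto_feasibility(inventory).items() if not ok]
```

With these assumed durations the EHR database misses its 4-hour RTO because AD must be restored first, which is exactly the kind of finding that should feed back into the architecture (faster AD recovery or a pre-staged standby).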

Layer 2 – Build a protection architecture, not a collection of jobs

Once you know what matters, you design how to protect it.

Step 3: Standardize backup policies

Move from “per system” improvisation to standard policy sets, for example:

Gold policy (Tier 1 clinical)

  • Backup every 15 minutes (log backups / snapshots)
  • Daily full image / VM backups
  • Replication to secondary site
  • 30–90 days short-term retention, plus long-term archive

Silver policy (Tier 2 business apps)

  • Backup every 4 hours
  • Daily backup to central repository
  • 30 days retention

Bronze policy (low criticality)

  • Daily backup
  • 14 days retention

This is where modern enterprise tools and platforms shine: you define policies centrally and assign them to workloads.

Step 4: Treat Office365 backup as part of the core design

Healthcare organizations are heavily dependent on Office365 for communication, documents and collaboration.

Key points:

  • Microsoft is responsible for the availability of the service, not for your long-term backup and compliance.
  • Accidental deletions, malicious insiders, and some ransomware scenarios are your problem if you have no Office365 backup.
  • For NIS2 and ISO 27001, it is hard to justify ignoring such a central platform in your backup strategy.

So include Office365 in your standard policies:

  • Backup Exchange Online mailboxes, SharePoint sites, OneDrive accounts and Teams data.
  • Define retention aligned with medical and legal requirements.
  • Ensure search and recovery are fast enough to support incident response and audits.

Step 5: Design for hybrid & multi-location healthcare setups

Healthcare SMEs regularly have:

  • One or more data centers / server rooms.
  • Cloud workloads (Azure, other providers).
  • SaaS platforms (EHR in the cloud, portals).
  • Branch locations, labs, imaging centers.

Your data resilience architecture should:

  • Centralize backup management.
  • Use a mix of snapshots, replication and backup copies.
  • Provide separate immutable or air-gapped copies (see next layer).
  • Avoid 10 different backup tools no one fully understands.

This is exactly where the data management as a service (DMaaS) model is powerful: one control plane, multiple platforms underneath.

Layer 3 – Make backup part of your cyber resilience

Ransomware changed the game completely. If an attacker reaches your domain, file systems and hypervisors, they often try to:

  • Encrypt or delete backups.
  • Compromise service accounts used by backup tools.
  • Disable retention or replication.

So data resilience requires specific cyber controls around backup.

Step 6: Implement immutable and isolated copies

For critical healthcare data:

  • Use immutable storage for backup copies (object lock, WORM, etc.).
  • Maintain at least one logically or physically isolated copy:
    • Separate account / tenant, different credentials.
    • Ideally, separate platform or storage technology.

This directly supports NIS2 and ISO 27001 requirements for availability and resilience of key services.

Step 7: Harden backup infrastructure

Treat your backup platform as a Tier 0 asset:

  • Use least privilege for backup service accounts.
  • Enforce MFA and strong authentication on management consoles.
  • Network-segment backup servers from user segments.
  • Apply security baselines and patching.
  • Log activities into your SIEM / SOC for monitoring.

Step 8: Automate recovery testing

Resilience is not what you think you can restore. It’s what you have proven you can restore.

For healthcare:

  • Schedule automatic restore tests of key workloads (EHR, PACS, AD, Office365 mailboxes) to isolated environments.
  • Document the restore time and success.
  • Use these reports as evidence in audits and board reports.

This closes the loop between technical operations and risk & compliance.

Layer 4 – Align with NIS2 and ISO 27001 without drowning in paperwork

NIS2 and ISO 27001 do not prescribe a specific brand or product, but they demand:

  • Risk-based controls
  • Business continuity & disaster recovery
  • Evidence of effectiveness

Step 9: Tie your backup & recovery into the ISMS

In ISO 27001 terms, backup and recovery touches controls like:

  • Information security continuity (A.17 in older versions, Annex A.5 & A.8 in the 2022 structure)
  • Backup of information and systems
  • Logging, monitoring and incident response

In practice:

  • Register your backup and data resilience platform as a key information security control.
  • Link your RTO/RPO decisions to your risk assessment and business impact analysis.
  • Make restore tests part of scheduled internal audits.

Step 10: Use resilience metrics in your reporting

Stop reporting only on “backup job failures”. Executives and regulators care about:

  • Recovery readiness: percentage of Tier 1 systems with successful restore tests in the last quarter.
  • RTO/RPO compliance: how many systems meet their targets.
  • Coverage: proportion of critical systems, Office365 tenants and SaaS apps included in central backup.
  • Segregation & immutability: which data sets have ransomware-resilient copies.

Those metrics translate technical work into risk language.

Layer 5 – Use data management as a service (DMaaS) to scale


Healthcare SMEs rarely have the luxury of a large in-house backup engineering team. Yet the environment is complex enough to require enterprise-grade design and constant tuning.
That’s where data management as a service comes in.

What DMaaS changes in practice

Instead of:
• Multiple backup tools managed ad-hoc by busy sysadmins…

You move to:
• A managed data resilience platform, delivered as a service, with:

  • Design aligned to your RTO/RPO, NIS2, ISO 27001 needs.
  • 24/7 monitoring and remediation of backup jobs.
  • Regular restore testing and documented reports.
  • Advisory on new systems / applications you add.

Benefits for CISOs and IT managers:

  • One partner accountable for outcomes, not just tools.
  • Predictable cost vs. surprise CapEx and firefighting.
  • Clear evidence pack for audits, regulators and insurers.
  • Faster onboarding of new clinics, practices or systems.

In other words: “Protect and restore your data without surprises” becomes an operational reality, not just a slogan.

Example scenario: ransomware in a mid-size healthcare provider

A 300-bed regional hospital with several outpatient clinics experiences a ransomware incident:

  • File shares, some VMs and part of the PACS environment are encrypted.
  • The attacker attempted to tamper with backup accounts and repositories.

With traditional backup:

  • Unclear which data is intact.
  • No isolated copies, so backups might be compromised.
  • No pre-defined recovery sequence.
  • IT and clinical leadership make decisions based on guesswork.

With the 5-layer data resilience model implemented:

  • Critical workloads are identified and prioritized: EHR, AD, core infra first; PACS and Office365 next.
  • Backups of Tier 1 systems are stored in immutable, isolated locations.
  • A predefined runbook describes who decides what, in which order systems are restored, and how to communicate with clinicians.
  • Regular restore tests provide confidence that recovery is realistic within defined RTO/RPO.
  • The CISO and CIO can brief regulators with concrete evidence instead of vague promises.

This is the difference between days of chaos and a difficult but controlled incident.
