Back to all insights
BackupData ProtectionRansomware

The 3-2-1-1-0 Backup Strategy: Why Your Data Deserves Better Than Hope

B Byzantine Technologies · · 7 min read

The Call Nobody Wants to Make

It’s Monday morning. Staff arrive, turn on workstations, and nothing loads. The server is inaccessible. A ransom note appears on a screen: your files have been encrypted, here is where to send payment, here is the countdown timer. Someone calls the IT contact number. The first question is always the same: “Do you have a backup?”

The answer to that question — and specifically what comes next — determines whether this story ends in three days or three months. Practices that have tested, verified, and isolated backups running to a 3-2-1-1-0 standard recover. Some have systems back online within hours. Practices that discover their backup is also encrypted, or that the backup solution they were paying for hasn’t actually run successfully in four months, are in a different situation entirely.

Ransomware attacks against healthcare practices are not hypothetical. They are a sustained and growing category of incident, specifically because healthcare organizations hold sensitive data, have operational urgency around system availability, and are frequently under-resourced in terms of security controls. A robust backup strategy does not prevent the attack. It determines whether the attack is a serious incident or an existential one.

What 3-2-1-1-0 Means

The original 3-2-1 backup rule has been a foundational principle in data protection for decades. The expanded 3-2-1-1-0 version addresses the specific threats that ransomware and sophisticated attackers present.

3: Three Copies of Data

Keep at least three copies of any data you cannot afford to lose. This means the primary production data and at least two backup copies. The logic is probabilistic redundancy: the probability that all three copies fail simultaneously, due to unrelated causes, is acceptably low. The probability that any single copy fails is not.

For a healthcare practice, “data you cannot afford to lose” encompasses patient records, clinical documentation, billing data, practice management configurations, and any other data whose loss would disrupt operations or trigger HIPAA notification obligations.

2: Two Different Storage Media Types

Storing all copies on the same type of media creates correlated failure risk. If all three copies are on local hard drives and the server room floods or a power surge damages connected equipment, all copies fail together. Using two different storage media types — for example, a local NAS device and cloud storage, or local disk and tape — ensures that a failure mode specific to one medium cannot eliminate multiple copies simultaneously.

For most small healthcare practices, the practical implementation is one or two local copies (on NAS or backup appliance) and one or more cloud copies in a geographically separate environment.

1: One Copy Offsite

At least one backup copy must be stored at a different physical location from the primary data. This protects against site-level disasters: fire, flood, hurricane damage (particularly relevant for Gulf Coast practices), or a physical break-in that destroys on-site equipment. A cloud backup that is geographically separate from the practice’s physical location satisfies this requirement.

“The question is never whether you have a backup. It’s whether you have a backup that ransomware can’t reach, and whether you’ve confirmed it actually works.”

1: One Copy Offline or Air-Gapped

This is the addition that modern ransomware made necessary. Ransomware attacks do not merely encrypt production data — sophisticated variants actively seek out and encrypt backup copies that are accessible over the network. A backup that is continuously connected to the network is potentially accessible to malware that has compromised the network.

One backup copy must be truly offline or air-gapped: disconnected from any network that a compromised system could reach. This could be:

  • Removable media (drives or tapes) that are stored physically disconnected except during the backup window
  • Immutable cloud storage with object lock features that prevent modification or deletion for a defined retention period — even by compromised credentials
  • Cloud-to-cloud backup in an environment with separate credentials and access controls, where a compromise of the primary cloud account cannot cascade to the backup account

Immutable cloud backup — where the backup provider enforces write-once policies at the storage layer — has become the most practical implementation of this requirement for most small practices, eliminating the manual process of physically disconnecting drives.

0: Zero Unverified Backups

The most frequently violated element of this entire framework. The final requirement is that no backup is considered complete or valid unless it has been verified — not just that the backup job ran and reported success, but that the data can actually be restored.

Backup jobs can report success while producing corrupted or incomplete data. Storage media can silently develop read errors. Backup configurations can miss critical directories. The only way to know that a backup is actually useful is to periodically restore from it and confirm that the restored data is intact and functional.

Verification should include:

  • Automated integrity checks run by the backup platform after each job completes
  • Regular manual test restores — at least quarterly, restoring a sample of critical data to a test environment and confirming it is accessible and complete
  • Annual full DR tests for practices with formal disaster recovery requirements — simulating a complete system loss and restoring everything from backup to confirm the full recovery process works and meets RTO/RPO objectives

The “0 unverified backups” standard means that if you cannot confirm a backup is restorable, it does not count as a backup for planning purposes.

Recovery Objectives: Knowing What You Need

Two planning concepts are essential for any practice thinking seriously about backup:

Recovery Time Objective (RTO) is how long you can afford to be without the affected system before the impact becomes unacceptable. For a healthcare practice’s EHR system, the RTO might be a few hours — the practice can operate with paper processes for a short period but not for days. Knowing the RTO tells you how quickly your recovery process must be capable of executing.

Recovery Point Objective (RPO) is how much data loss you can tolerate — measured in time. An RPO of four hours means that losing up to four hours of data is acceptable; therefore, backups running every four hours or more frequently are needed. An RPO of 24 hours means losing up to one day of data is the acceptable worst case, allowing for daily backups.

For clinical data in a healthcare practice, RPO is typically short — losing an entire day of patient documentation is a serious operational and potential compliance problem. Backup frequency should reflect this.

HIPAA and the Backup Requirement

HIPAA’s Security Rule includes explicit requirements around data backup. The Contingency Plan standard requires covered entities to:

  • Establish and implement procedures to create and maintain retrievable exact copies of ePHI (Data Backup Plan)
  • Establish and implement procedures to restore any loss of data (Disaster Recovery Plan)
  • Establish and implement procedures to enable continuation of critical business processes for protection of the security of ePHI during operation of an emergency mode (Emergency Mode Operation Plan)
  • Implement procedures for periodic testing and revision of contingency plans

These are not aspirational guidelines — they are required implementation specifications for covered entities. A practice that cannot demonstrate a documented backup plan and evidence of regular testing is out of compliance with the Security Rule, regardless of whether it has experienced an incident.

Common Backup Failures to Avoid

Beyond the structural gaps the 3-2-1-1-0 rule addresses, several operational failures consistently appear in post-incident reviews:

  • Backup monitoring not configured or not reviewed — backup platforms generate alerts when jobs fail, but those alerts must go somewhere and someone must act on them
  • Retention periods too short — some ransomware variants are designed to lurk in a network for weeks before triggering, to ensure they are inside the backup retention window; at minimum, maintain 30 days of backups, and 90 days is preferable
  • Credentials for backup systems stored in a way that attackers can find them — backup admin credentials that are accessible in the same environment as production credentials are a single-point-of-failure risk
  • No documented recovery procedure — team members need to know exactly what steps to take in a recovery scenario, in the right sequence, ideally practiced before they need it

The Byzantine Takeaway

The 3-2-1-1-0 strategy is not overcautious — it is the current professional standard for data protection in environments where ransomware is a real and present threat. Three copies, two media types, one offsite, one offline or immutable, zero unverified.

The practices that navigate ransomware events without paying ransoms, without losing patient data, and without weeks of downtime are the ones that followed this framework and tested it regularly. The tests are the difference between a strategy and a false sense of security.

Schedule a test restore this month. It is the most important thing you can do for data protection today.

Have questions about your practice's security?

Book a free 30-minute consultation — no obligation, no jargon.

Talk to an expert

Continue reading

May 31, 2026·12 min read

MFA for Healthcare: Where It Matters Most and Where Clinics Get It Wrong

Multi-factor authentication is the single highest-leverage security control a medical or dental practice can deploy. Here is where it matters most — and the gaps that quietly leave clinics exposed.
May 29, 2026·8 min read

Why Guest Wi-Fi Should Never Touch Your Clinical Network

A flat network is a quiet liability. Here is why network segmentation — keeping guest Wi-Fi, patient devices, IoT, and medical equipment away from clinical systems — is one of the most important architecture decisions a practice makes.
May 26, 2026·8 min read

Cyber Insurance, HIPAA, and the New Baseline for Healthcare Security

Cyber insurers now expect MFA, EDR, tested backups, patching, incident response, and vendor oversight before they'll write a policy. The good news: those same controls map directly to HIPAA expectations.