Backup Coverage Gap Assessment — Healthcare Practice
A multi-provider healthcare practice engaged IT KORR after an internal review raised questions about whether Microsoft 365 workloads were included in their existing backup program. The engagement was structured to validate actual backup coverage scope, identify gaps against the practice's continuity requirements, and confirm whether vendor agreement documentation aligned to HIPAA data handling obligations for cloud-hosted workloads.
Engagement Context
Customer Challenge
The backup vendor's scope had been defined during an earlier infrastructure engagement that predated the practice's expansion of Microsoft 365 use to include clinical communication and scheduling workflows. Backup job reports showed successful completion, which was interpreted by practice leadership as confirmation of comprehensive coverage. The engagement was structured to determine what was actually covered, what was not, whether the existing agreement met HIPAA Business Associate Agreement requirements for cloud workloads, and what recovery capability the practice could actually rely on in a disruption scenario.
Client Profile
Environment
The practice operated across clinical and administrative functions using Microsoft 365 as the primary platform for staff communication, scheduling coordination, referral management, and administrative records. An existing managed backup solution — administered by a third-party IT vendor — covered on-premises file servers and workstations under a service agreement established prior to the practice's adoption of Microsoft 365 for clinical workflows. The practice's administrative leadership had assumed, without verification, that the cloud platform was covered under the existing program.
Risk Assessment
Business Risk
The central operational risk was the gap between assumed coverage and actual coverage — a gap that would only become visible during a recovery event, when the absence of backup for critical workloads would be discovered under time pressure. Clinical communication records in Exchange Online, patient scheduling data in SharePoint, and administrative coordination in Teams were all operationally critical workloads with no independent recovery path. A second category of risk was HIPAA compliance exposure: processing protected health information through a vendor without a current Business Associate Agreement covering the cloud workloads in scope creates regulatory liability that a backup job success report does not address.
Assessment
Technical Findings
- 1Microsoft 365 workloads — Exchange Online, SharePoint Online, OneDrive, and Microsoft Teams — were not within scope of the existing backup vendor agreement. The agreement had been drafted for on-premises infrastructure and had never been updated to reflect the practice's subsequent adoption of Microsoft 365 for clinical and administrative workflows. The vendor had not identified or communicated this gap.
- 2Backup recovery had never been tested for any covered workload. The practice received backup completion reports from the vendor but had no documented recovery test, no validated recovery time objective for any system, and no record of a recovery procedure having been executed in any form since the backup solution was deployed.
- 3The Business Associate Agreement in place with the backup vendor referenced on-premises systems and did not include Microsoft 365 workloads or cloud-hosted data environments. Healthcare organizations processing protected health information through a vendor without a BAA covering that vendor's actual scope of access are in a non-compliant posture regardless of technical controls in place.
- 4Microsoft 365 retention policies had not been configured in Microsoft Purview. Data retention and deletion timing for Exchange Online mailboxes and SharePoint content was governed by Microsoft service defaults — not by policies aligned to the practice's clinical records retention obligations or state-specific healthcare data retention requirements.
- 5No Recovery Time Objective or Recovery Point Objective had been documented for any IT system. Leadership expectations about recovery timing were based on informal vendor conversations from the original implementation engagement rather than formally documented, tested, and agreed-upon objectives.
Engagement Approach
Solution
Microsoft 365 backup coverage established for Exchange Online, SharePoint, OneDrive, and Teams. BAA documentation updated to explicitly cover cloud workloads, first recovery test conducted and documented with recorded recovery time, and retention policies configured in Microsoft Purview aligned to clinical records retention requirements.
Engagement Methodology
Assessment Framework
The diagram below illustrates the structured assessment phases applied in this engagement type.
Execution
Implementation
- 1Backup coverage scope reviewed with the existing vendor and supplemented with a Microsoft 365-capable backup solution, extending independent coverage to Exchange Online, SharePoint, OneDrive, and Teams. Coverage scope documented at the workload level in the updated service agreement.
- 2Business Associate Agreement executed with the backup vendor specifically referencing Microsoft 365 workloads and the cloud-hosted data environment within the backup program's scope, bringing vendor agreement documentation into alignment with the practice's HIPAA obligations.
- 3Recovery test conducted for representative Microsoft 365 workloads — individual mailbox recovery and SharePoint document library recovery — with procedures documented step-by-step and recovery time recorded against explicitly stated RTO benchmarks.
- 4Retention policies configured in Microsoft Purview aligned to the practice's clinical records retention requirements, replacing reliance on Microsoft service defaults with explicitly governed retention behavior across Exchange and SharePoint workloads.
- 5RTO and RPO documentation produced for all covered IT systems, establishing the practice's first formally documented continuity baseline — providing a reference for future vendor reviews, operational planning, and compliance assessments.
Deliverables
Operational Outcome
- Microsoft 365 backup coverage established for Exchange Online, SharePoint, OneDrive, and Teams — closing the coverage gap between the assumed scope and the actual scope of the existing backup program, and establishing an independent recovery path for operationally critical cloud workloads.
- BAA documentation updated to explicitly include Microsoft 365 workloads and associated cloud-hosted data, aligning vendor agreement coverage to the practice's actual data environment and HIPAA obligations.
- First documented recovery test completed for Microsoft 365 workloads, with step-by-step recovery procedures recorded and recovery time documented — providing the practice with evidence of continuity capability that had not previously existed.
- Retention policies configured in Purview aligned to clinical records retention requirements, replacing undefined default behavior with explicitly governed retention and deletion timing across mailbox and document workloads.
- RTO and RPO documentation produced for covered systems, establishing a formal continuity baseline that can be referenced in future operational assessments and vendor reviews.
Regulatory Alignment
Compliance Impact
This engagement directly addressed the following compliance framework(s):
Operational Insights
Business Value
Microsoft 365 backup gaps are the most consistently identified finding in healthcare IT assessments. The platform is widely deployed as the standard for clinical and administrative communication, but backup programs designed around legacy on-premises infrastructure do not automatically extend to cloud workloads. The gap accumulates silently — backup job success reports confirm that on-premises data is being captured, which is interpreted as comprehensive coverage.
Backup job success reports confirm that data was written to the backup destination. They do not confirm coverage scope, recovery capability, RTO alignment, or HIPAA agreement coverage. Organizations that interpret successful backup reports as evidence of comprehensive recovery readiness frequently discover significant gaps when the actual scope is examined — and the discovery happens during an incident or assessment rather than during a proactive review.
HIPAA Business Associate Agreement obligations extend to any vendor with access to systems that process, store, or transmit protected health information — including backup vendors that access Microsoft 365 environments containing clinical communication records, scheduling data, or referral documentation. The obligation is triggered by access, not by the vendor's primary business category.
Recovery Time Objectives that exist only as informal vendor representations — rather than as formally documented, tested, and agreed-upon commitments — are not recoverable evidence. Organizations that discover their RTO expectations were not formally documented typically discover the gap at the worst possible time: during an actual recovery event or a compliance assessment.
Related Services
Operational Assessment
Build Operational Stability Before Problems Become Business Risks
IT KORR helps organizations improve infrastructure visibility, governance alignment, Microsoft 365 operations, and continuity readiness through structured operational oversight.
No commitment required — we respond within one business day.