Your data is protected at multiple independent layers. Azure-managed automated backups, immutable audit archives, geo-redundant encryption keys, and a stateless application layer that redeploys in minutes. The one-hour RTO is limited by database restore time — all other components recover faster.
Backup Architecture
- 📈 Azure SQL Database — Point-in-Time Restore: Full, differential, and transaction log backups managed by Azure. Restore to any second within the retention window. Geo-redundant backup storage — backups survive a full regional failure.
- 📄 PHI Audit Archive — WORM Blob Storage: Every PHI access event is flushed to Azure Blob Storage as append-only JSONL within 30 seconds. A WORM immutability policy prevents modification or deletion. Records are SHA-256 hash-chained for tamper detection.
- 🔒 Azure Key Vault — Encryption Keys & Secrets: Geo-redundant by default — automatically replicated to the Azure paired region. Soft-delete (90-day recovery window) and purge protection prevent accidental or malicious key deletion. PHI cannot be decrypted without the per-client DEK.
- 💻 Application Code — Git + CI/CD: All application code is version-controlled in GitHub. Any commit can be deployed to a new App Service in under 30 minutes. Configuration is stored in Key Vault — no secrets in source code.
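The hash-chained JSONL audit archive described above, as an added illustration (this is not VitaAI's own code, and the event fields, genesis value and sample records are constructed assumptions): each line commits to the SHA-256 of the previous line, so a verifier walking the archive detects a rewritten or deleted record at the first broken link.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed predecessor hash for the first record in a chain

def canonical(record: dict) -> bytes:
    # Deterministic serialization so the hash does not depend on key order
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def append_event(chain: list[str], event: dict) -> str:
    """Append one audit event as a JSONL line whose hash covers the previous line's hash."""
    prev_hash = json.loads(chain[-1])["hash"] if chain else GENESIS
    record = dict(event, prev_hash=prev_hash)
    record["hash"] = hashlib.sha256(canonical(record)).hexdigest()
    chain.append(canonical(record).decode())
    return record["hash"]

def verify_chain(lines: list[str]) -> tuple[bool, int]:
    """Return (ok, index): ok is False at the first line whose link or content hash is wrong."""
    expected_prev = GENESIS
    for i, line in enumerate(lines):
        record = json.loads(line)
        claimed = record.get("hash")
        body = {k: v for k, v in record.items() if k != "hash"}
        if record.get("prev_hash") != expected_prev:      # a line was removed or reordered
            return False, i
        if hashlib.sha256(canonical(body)).hexdigest() != claimed:  # content was altered
            return False, i
        expected_prev = claimed
    return True, len(lines)

# Constructed sample events; these are not real PHI access records
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T10:00:00Z", "actor": "clinician-17", "action": "read", "patient": "P-0001"},
    {"ts": "2024-06-01T10:00:07Z", "actor": "clinician-17", "action": "read", "patient": "P-0002"},
    {"ts": "2024-06-01T10:01:30Z", "actor": "svc-export", "action": "export", "patient": "P-0001"},
]

def build_sample_chain() -> list[str]:
    chain: list[str] = []
    for event in SAMPLE_EVENTS:
        append_event(chain, event)
    return chain

def rewrite_actor(lines: list[str], index: int, actor: str) -> list[str]:
    """Return a copy of the archive with one line's actor field changed, to exercise the verifier."""
    altered = json.loads(lines[index])
    altered["actor"] = actor
    out = list(lines)
    out[index] = canonical(altered).decode()
    return out
```

Because WORM storage already blocks in-place edits, the verifier's value in practice is proving during an incident that the archive copy being relied on is the one that was written.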
Recovery Time & Point Objectives
| System | Priority | RTO | RPO | Recovery Method |
|---|---|---|---|---|
| Azure Key Vault | P1 Critical | 15 min | Near-zero | Automatic geo-failover; DEK cache provides 30-min buffer |
| Azure App Service (API) | P1 Critical | 30 min | 0 (stateless) | Redeploy from last CI/CD artifact |
| Azure Static Web App (Frontend) | P1 Critical | 30 min | 0 (stateless) | Redeploy from CI/CD; CDN edge serves cached version during deploy |
| Azure SQL Database | P1 Critical | 1 hour | 5 minutes | Point-in-Time Restore (any timestamp in last 35 days) |
| Azure Service Bus (Audit Pipeline) | P2 High | 30 min | Near-zero | Audit events buffered in SQL outbox table during outage; replayed on recovery |
| Azure Blob Storage (Audit Archive) | P2 High | 4 hours | 0 | WORM — no data loss possible; access restored when storage recovers |
| Application Insights | P3 Low | 8 hours | Non-critical | Monitoring only; patient care unaffected |
Recovery Scenarios
App Service Failure
Restart via Azure Portal or redeploy from the last CI/CD artifact. Stateless — all state is in the database and Key Vault. No data loss.
Database Corruption or Failure
Point-in-Time Restore to any second within the last 35 days. Restore to a new database, validate decryption, update Key Vault connection string.
Key Vault Unavailable
Key Vault is geo-redundant — automatic failover to paired region. In-process DEK cache provides a 30-minute operational buffer during brief outages.
Ransomware / Data Corruption
Isolate platform, preserve WORM audit evidence (ransomware cannot modify WORM blobs), identify clean PITR point, restore database, rotate all secrets, patch attack vector.
Full Azure Region Failure
Azure SQL failover groups auto-promote secondary region database. Redeploy App Service and Static Web App to secondary region via CI/CD. Update DNS.
Accidental Data Deletion
Confirm deletion via WORM audit logs (immutable evidence). Point-in-Time Restore to 1 minute before deletion event. Extract and re-insert affected records.
Testing & Verification Schedule
| Test | Frequency | Method |
|---|---|---|
| Backup health verification | Every 4 hours (automated) | BackupHealthService confirms the audit blob pipeline is live and the database is reachable |
| DB Point-in-Time Restore drill | Annual (June) | Restore dev DB to prior day, verify row counts + PHI decryption |
| App Service redeploy drill | Quarterly | Deploy prior release tag to staging from CI/CD; verify health endpoint |
| Key Vault failover test | Annual | Simulate KV unavailable in dev environment; verify DEK cache buffer holds |
| Ransomware tabletop exercise | Annual (June) | Walk-through of Scenario D with Security Officer and Tech Lead |
For covered entities with questions about backup verification: VitaAI can provide Application Insights backup health dashboards and point-in-time restore capability evidence under NDA. Contact steven@altnetix.com.