Health data is the most strictly protected category under KVKK (Turkey's GDPR-equivalent). § 6/3:
"Sensitive personal data may be processed only if the adequate measures specified by the Board are taken."
KVKK Board decision no. 2018/10 (31 Jan 2018) lists those "adequate measures." Backup is one of them.
Which health data falls under § 6?
- Patient appointment records + diagnoses (ICD codes)
- Prescriptions + medication history
- Lab results
- Radiology images (DICOM)
- Dental X-rays, dermatology photos
- Physical therapy sessions
- Genetic test results (treated as biometric)
⚠️ "Patient name + phone" alone is not sensitive (§ 3 personal data). But "John D. + tooth extraction" combined becomes § 6 health data.
The Board's adequate-measures list (2018/10)
Healthcare providers must implement the following 9 measures:
- Periodic employee training (at least yearly)
- Role-based access control
- Encrypted transmission and storage
- Backup ← the topic of this article
- Antivirus + firewall
- Logging (who accessed what, when)
- Physical security (locked room, cameras)
- Destruction at the end of retention
- Data-breach response plan
Dual compliance with the Ministry of Health
KVKK § 6 + Decree-Law no. 663 set the rules for private hospitals and clinics integrating with the Ministry's e-Nabız + MHRS systems:
- Patient data may not be transferred abroad (§ 9 + Ministry of Health)
- Systems generating e-Nabız reports must be certified
- Backups are subject to the same cross-border restriction
PratikYedek runs 100% on Türkiye-based servers; there is no cross-border transfer concern.
A practical solution for dental clinics
A typical dental clinic (3 chairs, ~80 patients per week):
Assets to back up
| Asset | Size | Frequency |
|---|---|---|
| PMS (Patient Management Software) DB | 500 MB - 5 GB | Hourly |
| Patient X-ray archive (DICOM) | 50-500 GB | Daily incremental |
| Treatment plan PDFs + consents | 5 GB | Daily |
| Billing DB | 200 MB | Hourly |
Retention
KVKK § 7 and the Ministry of Health regulation overlap:
- KVKK: data must be deleted once the purpose ends
- Ministry of Health: patient files must be kept for 30 years (Regulation on Service-Providing Institutions)
Solution: kept encrypted with restricted access throughout retention. PratikYedek supports a 30-year retention lock.
Pharmacy context
Pharmacies must comply with MEDULA and KVKK simultaneously:
- Prescription data is § 6 health data
- MEDULA / SGK data may not leave Türkiye (by law)
- Inventory + financial records: 5 years under VUK
The PratikYedek Phase 5 pharmacy preset:
- Daily MEDULA log backup
- E-signed prescription archive with separate encryption
- Hourly stock-movement snapshots
Physical therapy centres
Patient exercise videos are often-skipped data:
- § 6 biometric (movement is identifying)
- Large video footprint (10-100 GB/month)
- BYOS Google Workspace Drive is usually the most cost-effective fit for PT centres
Restore scenario — HIS outage
Say your dental clinic's HIS (Hospital Information System) breaks down after 15 patient appointments in the last 3 hours.
PratikYedek restore flow:
- Sign in to the dashboard with the master password
- Select the latest hourly snapshot + WAL replay → click "Restore"
- Restore to a fresh empty database (~8 minutes)
- Restart the HIS → all 15 appointments are back
- Net loss: 5 minutes
In the process:
- No patient data was exposed to the server (E2E)
- Audit log captured automatically
- No KVKK § 12/5 breach (recovered from backup, no leak)
Breach scenario — the compliance frame
In case of a leak, you face § 12/5 + Ministry of Health dual notice:
- KVKK Authority within 72 hours (online form)
- Ministry of Health within 24 hours (specific alert)
- Individual notice to patients (e-mail or KEP)
- Criminal complaint (Cybercrime Bureau)
Certification and audit
PratikYedek targets for healthcare:
- ✅ ISO 27001 (Phase 5 target)
- ✅ ISO 27799 (health information security)
- ✅ KVKK-approved standard contract (DPA)
- ✅ Monthly restore drill evidence (audit-ready report)
PratikYedek healthcare package
- ✅ E2E AES-256-GCM (you can even hold the KMS keys)
- ✅ Türkiye-based servers (compliant with the Ministry + § 9)
- ✅ DICOM image support (with compression)
- ✅ 30-year retention lock (Ministry-compliant)
- ✅ Automates 6 of the 9 adequate-measures
Join Early Access — A dedicated healthcare cohort.