PratikYedek for healthcare providers
A real scenario
A private dental clinic in Istanbul (anonymised reference: Clinic-B) suffered a ransomware attack in January 2025. Malware delivered via a USB drive to the server-room PC encrypted 8,400 patient records, 12,000 panoramic X-ray DICOM files and three years of billing data. The attacker demanded 18 BTC. Backups existed only as a weekly FTP copy whose latest entry was 11 days old — 11 days of appointments, treatment notes and billing were lost.
Root cause: Backup files were stored on the same network in a writable location; ransomware encrypted the backups too.
How PratikYedek solves it
- Install the desktop app on the clinic server, covering the patient-data, DICOM and billing folders.
- Immutable backups — PratikYedek snapshots are write-once, read-many (immutable). Even if ransomware encrypts the files on the client, the encrypted version is saved as a new snapshot alongside the earlier ones; you can roll back to a clean older snapshot.
- Hourly snapshots — Health data changes frequently; hourly snapshots with 30-day retention are recommended.
- Restore drills — Monthly random selection of 5 patient records, restored as a test.
- DICOM imaging archive as a separate category; chunk dedup keeps large files (50-200 MB) storage-efficient.
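A minimal sketch of why write-once, content-addressed snapshots survive client-side encryption and store identical files once. It is an added example, not PratikYedek's code; the `WormStore` class, the 8-byte chunk size and the sample bytes are assumptions constructed for illustration.

```python
import hashlib

CHUNK = 8  # bytes; tiny so the demo is readable (assumption, real stores use KB-MB chunks)

class WormStore:
    """Hypothetical write-once store: chunks keyed by SHA-256, snapshots append-only."""

    def __init__(self):
        self._chunks = {}     # chunk id -> bytes; an existing id is never overwritten
        self._snapshots = []  # one manifest per snapshot: {path: [chunk ids]}

    def _put(self, data):
        cid = hashlib.sha256(data).hexdigest()
        self._chunks.setdefault(cid, data)  # identical content is stored once
        return cid

    def snapshot(self, files):
        """Record the current state of `files` ({path: bytes}) and return its id."""
        manifest = {
            path: [self._put(blob[i:i + CHUNK]) for i in range(0, len(blob), CHUNK)]
            for path, blob in files.items()
        }
        self._snapshots.append(manifest)
        return len(self._snapshots) - 1

    def restore(self, snap_id):
        """Rebuild every file of a snapshot, re-hashing each chunk before use."""
        restored = {}
        for path, ids in self._snapshots[snap_id].items():
            for cid in ids:
                if hashlib.sha256(self._chunks[cid]).hexdigest() != cid:
                    raise ValueError(f"chunk {cid[:12]} failed integrity check")
            restored[path] = b"".join(self._chunks[cid] for cid in ids)
        return restored

    def stored_bytes(self):
        return sum(len(c) for c in self._chunks.values())

def demo():
    xray = b"DICM" + bytes(range(60))  # constructed stand-in for an imaging file (64 bytes)
    clean = {"xray/p1.dcm": xray, "xray/p1_copy.dcm": xray, "notes/p1.txt": b"treatment notes"}
    store = WormStore()
    s0 = store.snapshot(clean)
    size_after_s0 = store.stored_bytes()
    # Constructed stand-in for client-side encryption: every byte is changed.
    scrambled = {p: bytes(b ^ 0xA5 for b in blob) for p, blob in clean.items()}
    s1 = store.snapshot(scrambled)
    return store, clean, scrambled, s0, s1, size_after_s0
```

Snapshot `s1` holds the scrambled files, while `s0` still restores byte-for-byte because no chunk it references was ever rewritten.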
KVKK § 6 + Ministry of Health alignment
Sensitive data
KVKK § 6 classifies health data as sensitive personal data (Turkey's GDPR-equivalent). On top of baseline measures:
- Explicit consent (taken together with the anaesthesia form)
- Mandatory encryption (AES-256 or stronger — PratikYedek uses AES-256-GCM)
- Access audit logs (10-year retention)
- Data controller registration obligation (notification to VERBİS)
- Regulation on Personal Health Data art. 6: The storage system must be protected with authorisation and encryption → met by all PratikYedek plans.
- Regulation art. 7: Access logs must be retained for at least 2 years → PratikYedek default is 10 years (audit_log retention).
- Ministry of Health circular 2024/12: Cross-border transfer is prohibited → PratikYedek runs on 100% Turkish servers.
Recommended plan
- Single-practitioner clinic: Professional + mandatory 2FA + hourly snapshots
- Clinic (5+ users): Enterprise (recommended for sensitive data): 500 GB+, team management, mandatory 2FA, 10-year audit retention, IP allow-listing, SAML SSO
The Starter plan is not recommended for healthcare — 2FA is optional and audit retention is short.
FAQ
A patient is requesting deletion (KVKK § 11/e). How is it done?
From the admin panel, mark the patient's folder → open a deletion request → after 30-day retention all chunks are deleted irreversibly. The audit log is retained for 10 years as deletion evidence (for KVKK purposes).
Is there HSYS / e-Nabız integration?
Not yet. Planned for evaluation after Phase 5 (API expansion).
My DICOM imaging files are huge. Is there enough storage?
PratikYedek applies content-addressed deduplication — the same image backed up twice is stored once. 12,000 DICOM files (~150 MB average) typically use ~800 GB (44% of the raw 1.8 TB).
My patient filed a lawsuit. Do I need to delete their files?
No — the retention_locked flag prevents deletion (evidence preservation during judicial proceedings). Once the court process closes, deletion proceeds.

