Recovering from disaster while maintaining HIPAA compliance: an overview · 2018. 9. 11.

Recovering from disaster while maintaining HIPAA compliance: an overview

Table of contents

02 Introduction

02 The HIPAA-compliant DR pre-planning phase

03 Contingency planning

03 Developing a data-backup plan

04 The disaster-recovery plan suitable to your business

05 Planning for hour zero: emergency operations mode

05 Testing and revision: critical and often overlooked procedures

06 Analyzing for application and data criticality

06 Don’t forget the cloud connection

06 Summary


The HIPAA-compliant DR pre-planning phase

While each organization has its own methodology for contingency planning, take the following initial steps before creating the final plan:

1. Develop a contingency-planning policy statement defining your organization’s overall contingency objectives and establishing an organizational framework.

2. Conduct a business impact analysis. The BIA enables your organization to determine and document information system requirements, processes and interdependencies, and then use that information to determine contingency requirements and priorities. A BIA includes identifying critical IT assets, determining how a disaster or other interruption would impact operations, and establishing allowable outage times and recovery priorities.

3. Develop preventive measures that mitigate or eliminate the impact of disasters and service disruptions, including environmental controls such as fire-suppression systems and technical security measures, such as cryptographic key management. Document preventive measures as part of the contingency plan and ensure appropriate personnel are trained in how and when to implement them.

4. Develop recovery strategies to restore IT operations quickly and effectively following a service disruption; this is a key component of any contingency plan. Strategies must include a combination of complementary methods, as well as alternatives, to provide recovery capability over the full spectrum of incidents. These strategies should cover minor service disruptions as well as the partial or total loss of primary IT systems.

Flexential.com

Introduction

According to the HIPAA Security Rule, organizations classified as “covered entities” must establish and implement policies and procedures for responding to emergency events that could damage systems containing electronic protected health information (ePHI). In simple terms, all covered entities are required to have a contingency plan. It’s important to note that the same requirement for contingency planning applies to business associates, as noted in the 2013 HIPAA Omnibus Rule. In general, a business associate is an individual or organization that creates, receives, maintains or transmits protected health information on behalf of a covered entity.

In most circumstances, cloud services providers (CSPs) are business associates, making them equally liable for meeting the contingency plan requirements when handling ePHI on behalf of a customer that is classified as a covered entity. Additionally, a CSP’s responsibility for meeting HIPAA requirements does not free your organization from its obligation to do the same.

There are numerous resources available that provide guidance for creating a contingency plan, including NIST SP 800-34, Contingency Planning Guide for Information Technology Systems. A template is also available in Appendix G of NIST SP 800-66.


Contingency planning

The contingency plan should clearly define roles, responsibilities and procedures associated with restoring an IT system following a disruption. To meet HIPAA requirements, it will also need to encompass five implementation specifications as specified in the HIPAA Security Rule.

The first three are legally required and include:

1. A data backup plan that establishes systems for restoring ePHI.

2. A DR plan that identifies the processes needed to ensure ePHI can be restored in the event of loss.

3. An emergency-mode operation plan that establishes procedures and implements them as needed to ensure your organization can continue the critical business processes necessary for protecting the security of ePHI while operating in emergency mode.

The remaining two implementation specifications are “addressable,” which means the covered entity must decide whether the specification is a reasonable and appropriate security measure to apply within its particular security framework.

They include:

4. Procedures for periodic testing and revision of contingency plans.

5. Application and data criticality analysis.

Developing a data-backup plan

Your organization’s data-backup plan is a “living document,” as it will need to evolve as technology and business needs change. It is important to revisit the data-backup plan regularly to ensure it accurately reflects current backup procedures. The following steps encompass a robust approach to putting together a data-backup plan:

1. Identify the ePHI that needs to be backed up, whether your IT team handles backup internally or outsources it. Among the information that may need to be backed up are patient accounting systems, electronic medical records, digitized diagnostic images, electronic test results or any other electronic documents your organization uses.

• Determine the appropriate method to use. One reliable method is a tiered process of disk-to-disk backups for efficient data backup and retrieval. For long-term storage, rotate the backup to tape- or object-based storage. You may also choose to place it on alternate storage systems such as virtual tape libraries or dedicated backup appliances. Duplicating and storing data on- and/or off-site with multiple versions preserved is an option. Another viable method is data mirroring/replication, which copies data to another site (a host and network or storage system facility). The process can be scheduled, asynchronous or synchronous. Scheduled replication can occur every week, every day or as often as desired. Asynchronous mirroring copies data some time after each modification; synchronous mirroring copies data as modifications occur.

• It is critical to make frequent data backups, regardless of the backup method used. It is best to have a consistent backup schedule, as HIPAA leaves it up to the discretion of covered entities to determine the appropriate backup frequency.


2. If data backups happen off site, there are three types of alternate or secondary sites to consider: cold site, warm site or hot site. At all three site types, servers, networking and software systems will need to be reconfigured on-site to support emergency operations:

• Cold site: supplies only power, cooling and networking. Using a cold site will require special contracts with system vendors to drop ship any and all necessary hardware to the site.

• Warm site: adds sufficient servers, switches and storage hardware to the cold site to support ePHI operations in the event of a disaster. For both cold and warm sites, backup data must be transported to the alternate site.

• Hot site: provides warm site hardware plus continuous data mirroring of ePHI data to speed up disaster recovery.

3. If your organization leverages a cloud services provider for your ePHI, the CSP is also responsible for meeting the requirements of the Security Rule. Look for CSPs that have undergone independent audits for HIPAA compliance. Ask for verification of their compliance and insist that they sign a business associate agreement (BAA) that documents their policies. Consult with legal counsel to ensure all components of the agreement are suitable and in order.

• Like all technology, DR replication is fast-evolving. A recovery cloud offers many advantages complementary to robust compliance measures, such as reliable failover capabilities in the event of a disaster and flexible capacity planning.

• Proper encryption mechanisms are a commonly overlooked detail when it comes to on-target DR. Be clear with your provider on the encryption efforts your technical team has made internally, as well as their strategy around encryption in motion and at rest.

• In general, when using a cloud provider, be conscious of details. Ensure you review all aspects of DR so that you don’t overlook small details.


The disaster-recovery plan suitable to your business

The HIPAA Security Rule also requires a disaster-recovery plan. If your organization already has a DR plan in place, make sure it encompasses the recovery of ePHI. You should also confirm that the DR plan is specific to your operating environment and addresses the order and priority in which data must be restored. A copy of your DR plan should always be readily accessible at multiple locations.

Keep in mind that service disruptions and/or disasters are not limited to their impact on servers or storage components; for instance, a failed network switch will easily cause major problems in other areas. Your plan should account for all potential adverse events.

Other components of your DR plan should include:

• Roles and responsibilities for all staff involved in the recovery process, as well as their contact information. Make sure your team members know expectations and that each of them is familiar with all aspects of the DR plan and associated processes and procedures. It is also essential to include any vendors who will provide supplies or technical assistance.

• Your data backup and recovery plan, including the frequency, type and locations of any data and system backups and/or replication done to off-site location(s). If you ship backups to the alternate site, include the procedures, contact lists and transport method. Make sure any off-site repositories are far enough away to guarantee backup availability in case a disaster impacts your primary site. The same applies to alternate site locations. Additionally, provide instructions as to how technical personnel will access and/or travel to off-site locations or alternate sites.


• Documentation of all ePHI systems and data requirements and the processes and procedures for restoration. Prioritize the requirements in order to create a restoration sequence. Include contact information for the personnel familiar with each application and its operations.

As is the case with the data backup plan, you’ll need to review and update your DR plan frequently to ensure it accurately documents current procedures for recovering ePHI. Place non-technical, relatively static information in the body of the document and use appendices for the more regularly updated technical information.

Don’t create your DR plan and then set it aside. Test it to identify and correct deficiencies and evaluate the ability of your recovery staff to implement the plan quickly and effectively.

Planning for hour zero: emergency operations mode

The third required component of your contingency plan is the emergency-mode operation plan. Emergency-mode operations take place from the start of restoration activities until the emergency is over and system functions have returned to normal. The plan outlines how your organization will carry out operations during this period and the security rules it must follow to protect ePHI.

At a minimum, your emergency-mode operation plan should:

• Include processes and controls that protect the confidentiality, integrity and availability of ePHI on your organization’s information systems.

• Identify and prioritize emergencies that may impact information systems containing ePHI.

• Define procedures for responding to specific emergencies that impact information systems containing ePHI, as well as for maintaining the processes and controls that ensure the availability, integrity and confidentiality of ePHI on its information systems during and immediately after a crisis situation.

• Define a process that ensures authorized employees can enter facilities to enable the processes and controls protecting ePHI while your organization is in emergency mode.

Like the other components of a contingency plan, the specifics of the emergency operations mode plan will vary from organization to organization.

Testing and revision: critical and often overlooked procedures

While the HIPAA Security Rule classifies the testing and revision procedures for contingency plans as “addressable,” it is best to test all components of the plan and revise as necessary. To avoid disrupting day-to-day operations, consider testing DR and emergency-mode operations plans by using a scenario-based walkthrough. The frequency and sophistication of the testing and revision procedures depend on the complexity of your organization, its size, the costs and other factors.


Flexential helps organizations optimize IT transformation while simultaneously balancing cost, scalability, compliance and security. With a focus on building trusted relationships, providing valuable support and delivering tailored solutions and reliable performance, Flexential delivers colocation, connectivity, cloud, managed solutions and professional services to 4,200 customers across the U.S. and Canada.

Flexential and the Flexential logo are trademarks of Flexential Corp.


Analyzing for application and data criticality

The last implementation specification under the HIPAA Security Rule calls for assessing the relative criticality of specific applications and data in support of other contingency plan components. This specification is “addressable,” but it is a component you should conduct in order to meet all of the contingency planning requirements.

The application and data-criticality analysis entails identifying all of your applications that store, maintain or transmit ePHI and then determining how important each is to patient care or other business needs in order to prioritize them for data backup, disaster recovery and/or emergency operations plans. A prioritized list will help you determine which applications or information systems you should restore first and which need to be continuously available.
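As an added illustration (not part of the original paper), the following Python sketch turns the BIA outputs described above (critical assets, interdependencies, allowable outage times, criticality tiers) into the prioritized restoration sequence that the DR-plan documentation item and the criticality analysis both call for, and flags the systems that need continuous availability and any outage target that is inconsistent with a dependency's. All system names, tiers and hours are constructed sample values.

```python
from collections import defaultdict
import heapq

# Constructed sample inventory (hypothetical system names, not from the paper):
# maximum tolerable outage in hours from the BIA, a criticality tier
# (1 = patient-care critical) and the systems each application depends on.
INVENTORY = {
    "directory-auth":  {"mto_hours": 0,  "tier": 1, "depends_on": []},
    "clinical-db":     {"mto_hours": 0,  "tier": 1, "depends_on": ["directory-auth"]},
    "emr":             {"mto_hours": 1,  "tier": 1, "depends_on": ["clinical-db", "directory-auth"]},
    "image-archive":   {"mto_hours": 24, "tier": 3, "depends_on": []},
    "pacs-imaging":    {"mto_hours": 4,  "tier": 2, "depends_on": ["clinical-db", "image-archive"]},
    "lab-results":     {"mto_hours": 4,  "tier": 2, "depends_on": ["emr"]},
    "patient-billing": {"mto_hours": 48, "tier": 3, "depends_on": ["clinical-db"]},
}


def restoration_sequence(inventory):
    """Order applications so every dependency is restored before its dependents.
    Among systems that are ready, the shortest allowable outage goes first,
    then the lower (more critical) tier. Raises if the dependency graph is cyclic."""
    indegree = {app: 0 for app in inventory}
    dependents = defaultdict(list)
    for app, meta in inventory.items():
        for dep in meta["depends_on"]:
            if dep not in inventory:
                raise ValueError(f"{app} depends on undocumented system {dep}")
            indegree[app] += 1
            dependents[dep].append(app)
    ready = [(m["mto_hours"], m["tier"], a) for a, m in inventory.items() if indegree[a] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, _, app = heapq.heappop(ready)
        order.append(app)
        for child in dependents[app]:
            indegree[child] -= 1
            if indegree[child] == 0:
                m = inventory[child]
                heapq.heappush(ready, (m["mto_hours"], m["tier"], child))
    if len(order) != len(inventory):
        raise ValueError("circular dependency: restoration order is undefined")
    return order


def continuous_availability(inventory):
    """Systems with no allowable outage need continuous mirroring (hot-site class)."""
    return sorted(app for app, m in inventory.items() if m["mto_hours"] == 0)


def outage_target_conflicts(inventory):
    """A dependency that may stay down longer than its dependent makes the
    dependent's outage target unachievable; return such (app, dependency) pairs."""
    return [(app, dep) for app, m in inventory.items() for dep in m["depends_on"]
            if inventory[dep]["mto_hours"] > m["mto_hours"]]
```

The conflict check is the finding a BIA review most often misses: here the 4-hour imaging target cannot be met while the archive it relies on is allowed 24 hours.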

Don’t forget the cloud connection

It’s important to note that an industry-wide shift in the cloud-based DR landscape is always taking place—technology moves fast. Currently, the benefits of forgoing hardware ownership are increasing. Relying on a cloud provider allows your organization to greatly reduce capital expenditures and saves your IT team the time spent assessing and executing hardware refreshes, a process that can open your organization up to vulnerabilities. Further, if your organization is sizable and has the internal resources to execute parts of a HIPAA-compliant DR plan, a hybrid approach may be feasible, with responsibility for the various aspects of your DR effort divided between the CSP and the appropriate internal staff.

As organizations at large become more reliant on IT systems, timeframes for recovery decrease concurrently. For many organizations in the healthcare industry, CSPs can provide better and faster protection for ePHI when an outage or disaster occurs than is possible with internal systems. CSPs at the forefront of the industry stay abreast of changing HIPAA requirements, which can be something of a moving target for organizations with other critical focus areas.

The most reliable CSPs are those that regularly have operations and infrastructure independently audited for compliance with HIPAA, as well as a number of other regulatory requirements such as PCI DSS and FISMA. Request a copy of the CSP’s report on compliance to verify that it indeed meets HIPAA audit standards.

Further, confirm that your WAN strategy includes how to reach the DR provider’s data center and includes sufficient capacity for the bandwidth required. This will save your organization a great deal of difficulty in the event of an actual disaster. In addition, a CSP should be willing to sign a BAA, as stipulated under HIPAA.

Even if an organization outsources all aspects of the handling of ePHI to a CSP or any third-party vendor, it will still be responsible for meeting the requirements of HIPAA and having its own contingency plan in place. However, it makes sense to work closely with vendors to ensure you’ve documented and accounted for all aspects of the contingency plan.

Summary

Achieving ongoing HIPAA compliance when it comes to disaster recovery can be a complex undertaking. The HIPAA rules clearly state that a DR plan is required, but implementation methodologies are up to your discretion. All organizations differ in size, budget and practices, thus it is advisable to seek legal and technical counsel and confer with experts on HIPAA compliance.

Make certain that your technical team and your CSP together create a HIPAA-compliant DR solution that meets your objectives. An important aspect of being HIPAA compliant today and in the future includes regular testing.