To comply with HIPAA, healthcare companies and their business associates must formulate a robust contingency plan in case of an event that disrupts operations.
The contingency plan is made up of smaller component plans, including a Data Backup Plan, a Disaster Recovery Plan (DRP), and an Emergency Mode Operation Plan.
This business continuity strategy requires healthcare organizations to be capable of recovering critical IT systems that handle electronic protected health information (ePHI) at a disaster recovery location while ensuring critical business functions continue in the event of a crisis.
The aim of the emergency mode operation plan and disaster recovery plan is to establish the roles, responsibilities, and procedures needed in a real-world disaster recovery scenario. The HIPAA contingency plan standard defines five implementation specifications: three that are required and two that are "addressable", meaning the organization must either implement them or document why an alternative is appropriate.
The Data Backup Plan
Essentially, all ePHI must be identified and backed up using a HIPAA compliant backup solution. The data backup schedule should be pre-defined according to the organization’s specific needs, but might typically be a daily, monthly and annual backup policy.
A number of HIPAA security safeguards should be enforced in storing ePHI backup data, such as encryption at rest and encryption for transferred data. The data backup plan must also include controls over how backup data is accessed and by whom, especially when considering restoration of data.
The HIPAA Disaster Recovery Plan (DRP)
The HIPAA disaster recovery plan is a detailed set of processes and procedures that defines how a healthcare organization and the business associate responsible for IT services will respond to a disaster scenario. A HIPAA disaster recovery plan will typically aim to answer:
- What Is a Disaster Recovery Scenario? – A typical disaster scenario is one in which access to ePHI data and systems is severely interrupted for some reason, such as a technical outage, human error, terrorism, or a natural disaster. A good example to consider: what would happen if your production data center were destroyed? How would the healthcare provider continue to operate, and how would the managed service provider (MSP) recover from such a disaster? As a business associate, the MSP must give the healthcare organization the ability to fail over production services to a secondary, geographically separate location, restore critical IT systems and services, and restore the ePHI to a specific point in time prior to the disaster.
- When to Declare a Disaster Scenario – The healthcare organization and the IT service provider will have a business agreement that will stipulate when to declare a disaster. This could be from a certain timeframe since a system outage began, or the HIPAA disaster recovery plan might be invoked by approved personnel, usually a senior manager or executive. In most managed service companies, invoking DR is a manual process that must follow a strict authorization procedure.
- How to Invoke Disaster Recovery – Healthcare personnel must be aware of how to invoke the HIPAA disaster recovery plan. For example, phoning the IT Provider and providing a pre-agreed security key to approve HIPAA disaster recovery plan activation. The MSP must also have a strategy of how to escalate to on-call technical experts or stakeholders. This is usually done through a DR Lead who is responsible for communications channels. This process may also involve moving technical personnel to a remote command center if the hosting site has been compromised.
- Who to Contact and How Communication Flows During a DR Scenario – Modern MSPs have automated monitoring systems that notify DR personnel automatically; however, the names and contact numbers of key persons must still be published within the HIPAA disaster recovery plan, because the monitoring system itself may be unavailable in a disaster. Each person must know who they report to and how communication flows in a disaster recovery scenario. This is usually done via a call tree.
- Description of Key Roles and Responsibilities of Anyone Assigned to the Recovery Team – All DR personnel must understand their role and where they fall within the chain of command in a DR scenario, including network engineers, server engineers, and database engineers.
- Define Recovery Time Objectives – The HIPAA disaster recovery plan will state the contracted RTO. This is the maximum time allowed, measured from the moment a disaster is declared, for the MSP to bring critical IT systems back up in the secondary location, and it must be no longer than the period the healthcare organization can tolerate operating without those systems. An RTO of 24 hours means the MSP has 24 hours to get the servers and infrastructure running in DR. With continuously replicated or active-active cloud failover designs, the RTO can approach zero, although the cost of the DR environment rises as the target shrinks.
- Define Recovery Point Objectives – The HIPAA disaster recovery plan will state the contracted RPO, which is the point in time to which data can be restored, or equivalently the maximum amount of data, measured in time, that may be lost. For example, an RPO of 15 minutes means a restore may lose no more than the last 15 minutes of data, which in turn requires that backups or replication complete at least every 15 minutes. A failed backup job does not move the restore point, so the RPO is only as good as the last backup that actually succeeded.
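The following is an added example, not code from the original article or from any MSP's tooling, showing how the RPO and RTO targets above can be checked against backup-job records rather than taken on trust. It assumes a simple backup log format (timestamp, system name, result), a hypothetical per-system target table of the kind the criticality analysis would produce, and constructed sample data; none of these come from the page.

```python
from datetime import datetime

# Constructed sample backup-job log (not taken from any real system). Each line:
# ISO-8601 timestamp, system name, job result.
SAMPLE_BACKUP_LOG = """\
2024-03-01T00:05:00Z ehr-db-01 SUCCESS
2024-03-01T00:20:00Z pacs-store-01 SUCCESS
2024-03-01T00:35:00Z ehr-db-01 SUCCESS
2024-03-01T00:50:00Z pacs-store-01 FAILED
2024-03-01T01:05:00Z ehr-db-01 SUCCESS
2024-03-01T01:20:00Z pacs-store-01 FAILED
2024-03-01T01:35:00Z ehr-db-01 SUCCESS
"""

# Hypothetical contracted targets per ePHI system, in minutes, as they would
# come out of the application and data criticality analysis.
TARGETS = {
    "ehr-db-01": {"rpo_min": 30, "rto_min": 60},
    "pacs-store-01": {"rpo_min": 30, "rto_min": 240},
}


def parse_timestamp(text):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_backup_log(log_text):
    """Return a list of (timestamp, system, result) tuples, skipping blank lines."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, system, result = line.split()
        records.append((parse_timestamp(stamp), system, result))
    return records


def last_successful_backup(records, system):
    """Newest SUCCESS record for a system, or None if it has never backed up cleanly."""
    good = [ts for ts, name, result in records if name == system and result == "SUCCESS"]
    return max(good) if good else None


def assess_rpo(records, targets, disaster_at):
    """For each system, compute the data loss a restore would incur if the disaster
    struck at `disaster_at`, and whether that loss is within the contracted RPO.
    Failed jobs are ignored on purpose: only the last good backup moves the restore point."""
    report = {}
    for system, target in targets.items():
        last_good = last_successful_backup(records, system)
        if last_good is None:
            report[system] = {"last_good": None, "loss_min": None, "rpo_met": False}
            continue
        loss_min = (disaster_at - last_good).total_seconds() / 60
        report[system] = {
            "last_good": last_good,
            "loss_min": loss_min,
            "rpo_met": loss_min <= target["rpo_min"],
        }
    return report


def assess_rto(declared_at, restored_at, rto_min):
    """Minutes from the formal disaster declaration to service restoration in the
    DR site, and whether that met the contracted RTO. The clock starts at the
    declaration, not at the outage, which is why the declaration rule matters."""
    elapsed_min = (restored_at - declared_at).total_seconds() / 60
    return elapsed_min, elapsed_min <= rto_min


if __name__ == "__main__":
    records = parse_backup_log(SAMPLE_BACKUP_LOG)
    disaster = parse_timestamp("2024-03-01T01:45:00Z")
    for system, result in assess_rpo(records, TARGETS, disaster).items():
        print(system, result)
    declared = parse_timestamp("2024-03-01T02:00:00Z")
    restored = parse_timestamp("2024-03-01T02:45:00Z")
    print("ehr-db-01 RTO:", assess_rto(declared, restored, TARGETS["ehr-db-01"]["rto_min"]))
```

Run against the sample data, the EHR database is within its RPO (last good backup 10 minutes before the disaster), while the imaging store breaches it: its two most recent jobs failed, so the restore point is 85 minutes old even though a backup "ran" every 30 minutes. That is the gap a backup schedule on paper does not reveal, and the reason the data backup plan should be verified from job results, not from the schedule.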
The Emergency Mode Operation Plan
An emergency mode operation plan must also be pre-defined and practiced, ensuring HIPAA disaster recovery plan processes are achievable while keeping electronic protected health information secure.
The MSP will be responsible for ensuring that the correct technical and management teams are available during a HIPAA disaster recovery scenario and ultimately that they are responsible for restoring the service.
It is important that the MSP work with the healthcare organization so that HIPAA specifications of the emergency mode operation plan can be met:
- How to Keep the Business Running in the Event of a Disaster – This will define what critical IT infrastructure is needed to keep the healthcare organization operating. Source machines requiring restoration to the DR site (that is, any server containing ePHI) will be identified, and priority must be given to the business-critical systems they depend on, such as Active Directory services, database systems, networking hardware, and backend storage holding ePHI, in the order they must come up.
- Define What the Recovery Process is and Create a Definition of Required Activities – This will be a step-by-step process from the MSP outlining how they are going to restore services to ensure minimal disruption in line with RPO and RTO specifications, sometimes referred to as service blueprints. If the system is automated, it will form a recovery plan run book of how to bring the systems back online and in what order. HIPAA compliance rules stipulate that only authorized users can perform these processes and require that all ePHI data is protected.
- Conduct Post DR Activities and Review Lessons Learned – Once services have been failed over and systems are running in DR, the MSP and healthcare organization must work together to test systems and access. Any issues experienced must be resolved or captured in a “lessons learned” meeting for future reference.
Testing and Revision Procedures
Testing, and any subsequent revision, of the data backup plan, disaster recovery plan, and emergency mode operation plan is an "addressable" specification under HIPAA: it is not optional, but an organization may document a reasonable alternative if the specification as written is not appropriate for its environment. In practice, an untested plan cannot be relied upon, so testing is expected.
Essentially, the healthcare organization and MSP must test all of the above plans, as well as test the technical aspects of the failover and failback process, ensuring that the process works and that the system is capable of disaster recovery in a secondary site.
Annual DR tests are advised. If during testing and revision procedures changes to the plan are required, they should be enacted immediately after testing. Recommendations and changes should be discussed and implemented under change control to ensure future tests are successful.
Application and Data Criticality Analysis
The second addressable specification is to identify the systems that store and manage ePHI data and to prioritize them in data backup and continuity planning; this is called application and data criticality analysis.
Most MSPs follow this recommendation, as it forms the basis of any automated failover strategy. The MSP needs to know which systems are classed as critical and which contain ePHI. That way, backup frequency can be set to meet the RPO for each system, and restoration can be ordered so that the most critical systems and business processes come back first, within the RTO.
To summarize, HIPAA Disaster Recovery and Business Continuity Planning are a significant part of HIPAA compliance. HIPAA requires that critical business systems containing ePHI can be recovered at a disaster recovery location, and where an MSP hosts those systems, that obligation flows to the MSP as a business associate.
MSPs and healthcare organizations must not overlook the importance of HIPAA Disaster Recovery, and businesses need to comprehend what may happen to them if they fail to have a working DR strategy.
By choosing a HIPAA-compliant MSP, you can have peace of mind that these rigorous criteria have been met and exceeded.