Prepare now for disaster recovery
HIPAA Training Advisor, November 17, 2005
Focus on business continuity when drafting your plan
HIPAA's security rule requires your organization to have a disaster recovery plan that outlines procedures you would take to restore any loss of data. Although you may have a general disaster plan that meets this requirement, it's important that your plan be specific enough to cover electronic PHI and look beyond the HIPAA regulations.
Disaster recovery planning has less to do with HIPAA regulations and more to do with protecting your business interests, says Robert M. Tennant, co-chair of WEDI's Strategic National Implementation Process group and senior policy advisor for the Medical Group Management Association in Washington, DC. "It's a patient-care issue and a business issue," he says. "If you don't have an appropriate plan, you can't care for a patient properly." And that will cause patients to go elsewhere.
Loss-of-information concerns are different in healthcare than in other industries. "There's so much talk about identity theft, but that's not as much of an issue in healthcare," Tennant says. "It's more about the disruption of workflow. It's so easy to have a problem with a server or even a laptop."
With the security regulations, the government wrote the blueprint on how organizations should protect their businesses, and HIPAA is the first set of such guidelines for the healthcare community, he says. "Hurricane Katrina brought this all home."
Ask the right questions
To prepare your organization for a natural disaster such as a hurricane, you need an effective plan that documents what would be required to keep the plan up to date and manageable to execute, says Kevin Beaver, CISSP, founder and principal consultant at Principle Logic, LLC, in Acworth, GA. To do this, ask why, what, who, when, and where, he says.
"It's absolutely critical to have well-documented response and recovery processes outlining the necessary steps and technical procedures," he says. "Ideally, this includes a graphical flow chart for individual responsibilities that's easy for even the most nontechnical team members to follow."
According to CMS' educational security paper, Security Standards-Administrative Safeguards, questions to consider include the following:
- Does the disaster recovery plan address issues specific to your operating environment?
- Does the plan address what data you will restore?
- Is a copy of the disaster recovery plan readily accessible at more than one location?
Tennant also suggests asking, "What if?" For example, what if you lost a server? What if physicians lost the ability to see their schedules? Other questions to ask include the following:
- How will you back up power?
- What data do you need to protect?
- What operations would specific disasters affect?
- How can you maintain continuity of care?
Address the variables
Despite similarities among all disaster recovery plans, each organization's plan will be different, Tennant says. When developing your plan, consider your organization's finances, complexity of operations, and specific needs, he says. "If you can't afford a full-time [information technology] person, you might use contracted emergency services."
The geographic location of your organization also plays a major role. For example, organizations in the southeast have a better chance of experiencing a hurricane than a snowstorm; those in the northeast have a greater chance of experiencing the opposite, Tennant says. The list of potential nonnatural disasters will differ for each organization based on location as well, he says. "For a facility in a major metropolitan area, theft may be a greater possibility."
Along with natural disasters, consider how your organization would combat a fire, equipment failure, theft, or even inability to contact a staff member who has specific, necessary information.
Identify potential disasters in your plan and assign specific responsibilities, Tennant says. "And have redundancy to make it easier for people to remember their responsibilities."
Test for effectiveness
Beyond drafting your plan, testing should be your top priority, says Harry E. Smith, principal and founder of Timberline Technologies in Lakewood, CO. "It can be very expensive if you do it the right way, but it's necessary," he says. "It's not enough to just put a plan in place."
Testing is an addressable implementation specification in the security rule. "But 'addressable' does not mean 'optional,'" Tennant says. "You can't just assume you're backing up data. You need to run the tape and make sure you're capturing the data. We all have fire drills; it's the same thing."
Test your plan at least annually onsite and at the actual recovery site, if applicable, Smith says. "You need to run through the entire exercise. It's important to learn what parts of your plan do and do not work during testing, not an actual disaster."
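Tennant's point that a backup is only proven once it has been restored and checked lends itself to a small restore drill. The following is an added example, not from the newsletter or any of the people quoted in it; it uses only Python's standard library, constructed sample files in a temporary directory, and hypothetical directory names (ehr_source, backup_tape, restore_test). It shows what "make sure you're capturing the data" looks like as a repeatable check: a manifest of SHA-256 digests recorded at backup time, a restore into scratch space, and a comparison that reports every file that is missing or does not match, including two failures deliberately planted in the restored copy.

```python
"""Backup verification drill: restore a backup to a scratch location and prove it
matches the source byte-for-byte, rather than assuming the backup job worked.
Constructed example (not the newsletter's); standard library only."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large database dumps need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest.
    Record this at backup time and keep it apart from the backup media itself."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest.
    Returns {relative_path: 'missing' | 'corrupt'}; an empty dict means the drill passed."""
    problems = {}
    for rel, expected in manifest.items():
        candidate = restored / rel
        if not candidate.is_file():
            problems[rel] = "missing"
        elif sha256_of(candidate) != expected:
            problems[rel] = "corrupt"
    return problems


def run_drill() -> dict:
    """End-to-end drill on constructed data: back up, restore, tamper with the
    restored copy to simulate a bad tape, then verify. Returns the problems found."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "ehr_source"      # hypothetical names
        backup = Path(tmp) / "backup_tape"
        restored = Path(tmp) / "restore_test"

        # Constructed sample files standing in for exported records and schedules.
        (source / "schedules").mkdir(parents=True)
        (source / "schedules" / "monday.csv").write_text("08:00,room1,exam\n")
        (source / "records.db").write_bytes(b"PATIENT-RECORDS\n" * 256)

        manifest = build_manifest(source)   # taken when the backup is made
        shutil.copytree(source, backup)     # the "backup job"
        shutil.copytree(backup, restored)   # the restore drill

        # Two silent failures a drill must catch, planted on purpose:
        (restored / "schedules" / "monday.csv").unlink()   # file never reached the tape
        with (restored / "records.db").open("r+b") as f:   # partial / corrupted write
            f.seek(0)
            f.write(b"\x00" * 16)

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for path, status in run_drill().items():
        print(f"{status}: {path}")
```

In a real drill the manifest is produced on the production side when the backup runs, the restore goes to an isolated host (ideally the actual recovery site), and a non-empty result is the finding you want to discover in testing rather than after a disaster.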
Go to www.cms.hhs.gov/hipaa to find CMS' series of educational security papers.
Editor's note: Adapted from "Prepare now for disaster recovery," Briefings on HIPAA, October 2005.