Disaster recovery planning for health care data and HIPAA compliance regulations

Transcription

1 Disaster recovery care data and HIPAA compliance regulations

2 Disaster recovery care Disaster recovery planning takes on special importance in health care organizations dealing with patients and care delivery. This e-guide walks through the steps to follow when considering a Disaster recovery plan and implementing procedures to protect and secure access to electronic protected health information (ephi). By: Anne Steciw As the health care industry moves toward the adoption of electronic health records (EHRs), the need for solid planning (DRP) becomes more important. This tutorial explains why DRP is especially important for health, and provides information for health care CIOs looking to establish or solidify a plan. Why is planning important in health care? Due to the nature of their business, health care organizations -- especially hospitals -- must maintain a high degree of system and network availability. Patients' lives may depend on systems being up and running, and patients' health could be jeopardized by lack of access to health in the event of system downtime. Hospitals devastated by tornadoes in Joplin, MO learned that disaster recovery planning must consider the impact to clinical workflows, especially in the event of a patient surge. As physicians and clinicians become more reliant on clinical applications to deliver patient care, the importance of disaster preparedness and infrastructure resiliency in health care become apparent. Unfortunately, when establishing IT budgets, many health care organizations overlook the importance of developing an effective plan. It's important for health care CIOs to make the business case and receive a budget for planning. Page 2 of 8

3 Disaster recovery care What are the first steps for planning in health care? The first step in planning is to conduct a business impact analysis (BIA). This involves identifying all of your systems and applications, and then determining their impact to the business if they went down. In the case of a health care organization, this includes determining the impact to patients and care delivery. The next step is to identify possible points of failure and develop a plan to address those vulnerabilities. This plan may include establishing a remote data center or working with EHR vendors to determine service level agreements in the event of a disaster or system failure. It's also a good idea to examine the different data replication strategies available and determine which ones best suit your health care organization. What are the HIPAA requirements for planning? A HIPAA covered entity must have a contingency plan in place to ensure continued access to electronic protected health information (ephi) in the event of a system failure. HIPAA requirements also include the need for an ephi data backup plan, along with and emergency mode operation plans. Organizations developing a HIPAA plan must also explain how sensitive health will be moved without violating HIPAA privacy and security requirements. How does virtualization impact planning? Some organizations are turning to virtualized to restore access to health in the event of system downtime. While there are many benefits to using virtualized, it is still crucial for health care organizations to maintain HIPAA compliance. In a virtual setting, planning should also include procedures for restoring backups to virtual hardware and must specify the conditions for use of virtual machines. Page 3 of 8

4 Disaster recovery care but possible By: Ray Lucchesi, Contributor Under federal law, HIPAA covered entities must implement procedures to protect and secure access to electronic protected health information (ephi). What's more, such entities also had to supply a contingency plan to insure continued ephi availability during emergencies or disasters. However, ephi exists only in conjunction with data processing applications and, thus, can only be recovered together with those systems. Consequently, HIPAA requirements state the need for an ephi data backup plan, along with and emergency mode operation plans. The intent of the data backup plan was to create systems that allowed for the restoration of all ephi. The intent of the plan was to identify the processes and procedures needed to insure that ephi data could be restored in the event of loss. Finally, the intent of the emergency mode operation plan was to describe how operations could continue to protect and secure ephi during an emergency. In addition, HIPAA requirements ask that a test and revision procedure and an applications and data criticality analysis for ephi be "addressable" by all covered entities. Addressable regulations such as these could be dismissed by demonstrating that they were not applicable. For example, these policies need only apply to large ephi environments; smaller organizations could address them by documenting reasons why they were not relevant to their contingency plan. Creating a HIPAA data backup plan and choosing an alternate DR site Ordinarily, many data centers provide for system recovery by using data backups or mirroring/replication. Page 4 of 8

5 Disaster recovery care Data backups can be written to removable media, such as tape DVDs or CDs, or they can be placed on alternate storage systems such as virtual tape libraries, other storage or dedicated backup appliances. Data backups are taken periodically, usually duplicated, stored both on and offsite, and preserve multiple versions of data. Meanwhile, data replication or mirroring is used to copy data to another site, which can be a host, network or storage system facility. Mirroring can be scheduled, asynchronous or synchronous. Scheduled data replication can be done every week, every shift or more often. For asynchronous mirroring, data is copied some time after it is modified. In contrast, with synchronous mirroring, copies are made while data is being modified. Any successful will necessarily depend on the use of an alternate or secondary site. There are three types of sites available. A cold site supplies only power, cooling and networking. Servers, switches and storage must be sent to the location. A warm site adds to the cold site sufficient servers, switches and storage hardware to support ephi operations in the event of a disaster. A hot site provides warm site hardware plus continuous data mirroring of ephi data to speed up. Keep the following in mind when choosing a site. Using a cold site will require special contracts with system vendors to drop ship any and all necessary hardware to the site. For both cold and warm sites, backup data must be transported to the disaster site. For all site types, servers, networking and software systems will need to be reconfigured onsite to support emergency operations. Page 5 of 8

6 Disaster recovery care Creating an all-encompassing plan In any case, having a backup of ephi and an alternate site arrangement is required -- but not sufficient -- to support disaster operations. For that to occur, one also needs a and emergency mode operations plan. Although HIPAA requirements place these into two separate policies, many health IT shops cover both mandates with a single, all encompassing plan (DRP). Any DRP should include the following five components. Disaster declaration: The DRP should document the decision process and team participants. Moving operations to an alternate site is always a costly endeavor. Occasionally, temporary or transient issues, such as a power fluctuation, can impact data center operations for a limited time. It's the purpose of the disaster declaration process and team, which generally consist of operations and other senior IT management personnel, to determine if is truly warranted. Disaster list: The DRP should focus on a select set of high-probability and high-impact events such as natural disasters or other catastrophes. Cataloguing these within the DRP can help IT personnel justify investment in costly backup systems, alternate site(s) and application recovery. Data backup: Any disaster will necessarily depend on backups or mirrors of current data and applications. As such, backup systems should be well described in the DRP. This information should include the frequency, type and locations of any data and system backups and/or replication done to offsite location(s). Moreover, how data backups are to be shipped to the alternate site -- with procedures, contact lists and transport duration -- should be supplied. Equally important, offsite repositories should be far enough away to insure backup availability in the face of a disaster impacting the primary site. Similar locality constraints apply to alternate site locations. Alternate site: The DRP should delineate the secondary site capabilities, activation procedures and contact lists. One should also provide instructions as to how technical personnel will access and/or travel to the alternate site. Page 6 of 8

7 Disaster recovery care ephi recovery: The DRP should identify all ephi systems and data requirements. Furthermore, the process for restoring ephi application operations should be fully recorded. Moreover, an application recovery priority list should be produced to determine restoration sequence. Personnel familiar with an application and its operation can often facilitate emergency operations, so names and contact lists for these individuals should be supplied. Summary: Don't neglect DRP testing, modification We have identified most of the critical components of any DRP needed to respond to HIPAA requirements. Although not discussed above, addressable policies could be dealt with inside or outside the DRP. Nonetheless, as ephi applications can be added, deleted or modified, periodic plan tests and resultant corrections are vital to the continuing success of any. Furthermore, with natural disasters and security breaches occurring more frequently, the need for a practicable DRP is more essential than ever. In fact, having a viable DRP is something all covered entities should have in place for their own business survival, regardless of HIPAA requirements. Page 7 of 8

8 Disaster recovery care Free resources for technology professionals TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. What makes TechTarget unique? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers all to create compelling and actionable information for enterprise IT professionals across all industries and markets. Related TechTarget Websites Page 8 of 8