TUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY

Similar documents
MassMutual Business Continuity Disclosure Statement

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

Please indicate below the principle nature of your department s operations (check all that apply): Student life support.

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

EXHIBIT A. - HIPAA Security Assessment Template -

Maintaining Resiliency Within the Defense Industrial Base Through Preparedness Response and Recovery

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Audit & Advisory Services. IT Disaster Recovery Audit 2015 Report Date January 28, 2015

BUSINESS CONTINUITY. Topics covered in this checklist include: General Planning

Continuity of Business

Memorandum APPENDIX 2. April 3, Audit Committee

Table of Contents. Sample

Business Continuity and Disaster Recovery

Appendix 3 Disaster Recovery Plan

Trust Services Principles and Criteria

Business Continuity Plan Executive Overview

Subject: Audit Report 16-50, IT Disaster Recovery, California State University, Fresno

Subject: Audit Report 18-84, IT Disaster Recovery, California State University, Sacramento

Dude Solutions Business Continuity Overview

DR Planning. Presented by. Matt Stolk Associate Director Northwest Regional Data Center Florida State University

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Any observations not included in this report were discussed with your staff at the informal exit conference and may be subject to follow-up.

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

NW NATURAL CYBER SECURITY 2016.JUNE.16

Statewide Information Technology Contingency Planning

HIPAA Security Checklist

Data Recovery Policy

HIPAA Security Checklist

Business Continuity Management Standards A Side-by-Side Comparison

Introduction To IS Auditing

Disaster Recovery and Business Continuity Planning (Mile2)

The Common Controls Framework BY ADOBE

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

SECURITY & PRIVACY DOCUMENTATION

These rules are subject to change periodically, so it s good to check back once in a while to make sure you re still compliant.

How to Conduct a Business Impact Analysis and Risk Assessment

IT CONTINUITY, BACKUP AND RECOVERY POLICY

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy

SERVICE DESCRIPTION MANAGED BACKUP & RECOVERY

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

HIPAA Compliance and OBS Online Backup

Introduction to Business continuity Planning

San Francisco Chapter. What an auditor needs to know

Applications/Data To Include in Survey (include applications that meet one or more of the following criteria)

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

Business Continuity Management Program Overview

Template. IT Disaster Recovery Planning: A Template

Security Guideline for the Electricity Sector: Business Processes and Operations Continuity

Data Security at Smart Assessor

HIPAA Security and Privacy Policies & Procedures

Disaster Recovery Planning Blackout. Katrina

Business continuity management and cyber resiliency

Keys To Disaster Preparedness

Understanding IT Audit and Risk Management

Certified Information Systems Auditor (CISA)

NEN The Education Network

TSC Business Continuity & Disaster Recovery Session

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

Data Center Operations Guide

Business Continuity Policy

INTERNAL AUDIT DIVISION REPORT 2017/138

Business Continuity Planning

3.4 DISASTER RECOVERY (L , M.3.9, comp_req_id 806)

Contents. Chapter 3: Chapter 4: Critical Server Ranking Classifying Systems for Recovery Priority Mission-Critical Only, Please...

INTERNAL AUDIT DIVISION REPORT 2017/151. Audit of business continuity in the United Nations Interim Force in Lebanon

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Data Storage, Recovery and Backup Checklists for Public Health Laboratories

Projectplace: A Secure Project Collaboration Solution

Information Technology General Control Review

Module 4 STORAGE NETWORK BACKUP & RECOVERY

ASSURING BUSINESS CONTINUITY THROUGH CONTROLLED DATA CENTER

Chapter 1. Chapter 2. Chapter 3

INFORMATION SECURITY- DISASTER RECOVERY

Business Continuity: How to Keep City Departments in Business after a Disaster

Florida State University

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 13 Business Continuity

HIPAA Security Rule Policy Map

Business Resiliency in the Cloud: Reality or Hype?

Checklist: Credit Union Information Security and Privacy Policies

Information Security Policy

WHITE PAPER. Solutions OnDemand Hosting Overview

Information backup - diagnostic review Abertawe Bro Morgannwg University Health Board. Issued: September 2013 Document reference: 495A2013

Policy Title; Business Continuity Management Policy. Date Published/Reviewed; February 2018

Protecting your data. EY s approach to data privacy and information security

L18: Integrate Control Disciplines to Increase Control and Save Money

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

Number: USF System Emergency Management Responsible Office: Administrative Services

CUNY Graduate Center Information Technology. IT Provisioning for Business Continuity & Disaster Recovery Effective Date: April 6, 2018

IPMA State of Washington. Disaster Recovery in. State and Local. Governments

EQUINIX BUSINESS CONTINUITY ADVANCED SERVICES KEEP YOUR BUSINESS UP AND RUNNING

UL and Business Continuity

Automate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds

Leveraging ITIL to improve Business Continuity and Availability. itsmf Conference 2009

UCLA AUDIT & ADVISORY SERVICES

Information Technology Disaster Recovery Planning Audit Redacted Public Report

Introduction to SURE

1 Data Center Requirements

HIPAA RISK ADVISOR SAMPLE REPORT

Transcription:

JUNE 2017 TUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY OVERVIEW The intent of this document is to provide external customers and auditors with a high-level overview of the Tufts Health Plan Corporate Continuity Program (CCP). The document answers the most commonly asked questions about the program, explaining the program s governance, structure, and key features. Program Structure Business Continuity Disaster Recovery Workforce Continuity This overview emphasizes Tufts Health Plan s commitment to provide for the availability of its systems and services through a comprehensive management program that incorporates incident prevention, preparedness, and response. CORPORATE CONTINUITY PROGRAM The CCP promotes Tufts Health Plan s ability to prepare for, and successfully recover from, any business services interruptions. The CCP incorporates industry best practices to manage availability risks, prepare contingency plans, and respond to actual emergencies. Risks and events anticipated by the CCP include natural disasters, critical technological emergencies, events affecting our facilities, workforce interruptions, and any other incidents that could severely affect corporate operations. The program is structured into three focus areas: Business Continuity Disaster Recovery Workforce Continuity

P A G E 2 T U F T S H E A L T H P L A N BUSINESS CONTINUITY Business Continuity (BC) refers BC also includes the to the process of developing development of strategies and continuity strategies that will procedures to manage and enable Tufts Health Plan to mitigate continuity risks. prevent and mitigate Examples of these include interruptions of business secured operation strategies, services. There are four key data backup and offsite activities in this process: storage provisions, system Impact analysis of potential adverse events Classification of business systems and functions Establishment of servicelevel thresholds and recovery time objectives for systems and functions Related procedures for maintaining this information in a changing environment redundancy/failover strategies, and contingency arrangements with key vendors and individual system recovery provisions not requiring a full disaster declaration. Business Impact Analysis Tufts Health Plan prioritizes its service reputation various business functions considerations that are the using a comprehensive basis for Tufts Health Plan s Business Impact Analysis (BIA) Corporate Continuity Policy. methodology. This analysis The BIA is referenced when examines financial, operational, significant changes are contractual, regulatory, and introduced into the Tufts Health Plan environment and routinely reviewed over the course of the year. Business Unit Recovery Plans Each department maintains a formal business recovery plan that outlines the critical business functions that will be recovered, and the time frame for and method of recovery in compliance with the findings of the BIA. These plans also identify any system, personnel, documentation or supply dependencies related to these critical operations. All department business recovery plans are maintained in a centralized and secured continuity software program that is stored offsite and accessible through the intranet. Tufts Health Plan s recovery plans are tested regularly, and include end-user groups as part of the testing protocol to evaluate restored systems. Manual work-around procedures are also used where appropriate and efficient.

J U N E 2 0 1 7 P A G E 3 Secured Operations Tufts Health Plan s critical applications and servers run in a secured Tier 3 data center staffed 24x7x365 by Tufts Health Plan personnel. Access to the data is controlled by using proximity cards, biometrics readers, and digitally-recorded closed-circuit television cameras. Visitors to the data center must be escorted by authorized Tufts Health Plan personnel, and are required to sign in and out when entering and leaving the facility. All computer systems and related equipment are initially supported by two Uninterrupted Power Supplies (UPS), and then by two backup diesel generators that are located onsite. The data center is constructed with floor-to-ceiling walls and is protected by a fire suppression system that includes addressable/intelligent ionization and photoelectric smoke detectors located on the ceiling and beneath the raised access floor. Data Backup and Offsite Storage Tufts Health Plan contracts with an industry-leading vendor to provide offsite storage for critical records and recovery media. Media is encrypted and transported in locked bar-coded containers. Media that is transported offsite is tracked in logs, which are reviewed periodically. Wherever possible Tufts Health Plan uses data replication from its main data center in Watertown, MA to our contracted secure disaster recovery mega center. This includes data at rest from our backup infrastructure, as well as live data replication, where applicable. Backups of all midrange platforms and LAN systems are performed daily, and copies are replicated offsite. Tape-based backups are performed daily for the purposes of maintaining historical data and file-based recovery. Tapes that exceed our data retention periods are automatically recalled to our data center for re-use (overwritten) or disposal. By combining industry best practices with leading edge technologies, Tufts Health Plan is able to reduce or eliminate both recovery times and the risk of data loss, across multiple platforms and applications.

P A G E 4 T U F T S H E A L T H P L A N DISASTER RECOVERY Disaster Recovery (DR) refers to the process of recovering key business systems and services if Tufts Health Plan s primary site becomes severely damaged or otherwise unavailable. Key activities within DR (for both on-site and cloud-based systems) include the development of recovery strategies, the documentation and maintenance of recovery procedures, and the continuous improvement of these services through regular testing and review. Recovery Services Contract As a key component of the DR these facilities is flexible to strategy, Tufts Health Plan has accommodate regional contracted with an industryleading recovery services allows for mobile recovery incidents. The contract also vendor to provide backup equipment to address smaller computer systems, hardware, incidents not requiring a full and facilities for Tufts Health disaster declaration. Plan s use for a large-scale Recovery plans for each systems recovery. Information Systems The contract provides Tufts department include procedures Health Plan with the use of a for the recovery of systems at mega center for the recovery of the vendor s facilities. The critical information systems and plans include these elements: a metro center for business workspace. The location of Defined recovery roles and responsibilities Systems backup and recovery procedures, including offsite media storage retrieval information Detailed production system hardware and software configurations/ specifications Emergency and critical business contact information All departments maintain a continuity plan for both primary and extended recovery periods. Recovery Time Objective Tufts Health Plan has a target Recovery Time Objective (RTO) of 48 hours from the point of disaster declaration for all business critical systems.

J U N E 2 0 1 7 P A G E 5 Recovery Testing Tufts Health Plan conducts regular tests of the corporate recovery plans. This test is conducted over a four-day time period at the recovery services facilities, and includes end-user groups as part of the testing protocol to evaluate restored systems. All systems designated for test recovery are restored using the actual plans maintained by each department. A formal test report is documented that identifies issues and lessons learned for use in continuous improvement. The Tufts Health Plan Internal Audit department may audit recovery exercises as they deem necessary. Departmental observers are also invited to observe the activities. Tufts Health Plan s last recovery test was conducted in June 2017. The next test is scheduled for June 2018. Workforce Continuity Workforce Continuity is the process of putting in place the appropriate telecommuting and collaborative tools and policies in the event employees are unable to meet in the office for any reason. Support of Tufts Health Plan workforce continuity includes: Emergency Communications 1-800 emergency response line: Allows employees to phone in for status updates Mass communication tool: Crisis communication and Alternate Work Locations employee well being Remote work from home Updated lists of contact information: Stored in webbased connectivity, laptops for mission critical staff continuity management tool that can be accessed 24/7/365 also source of record for mass communication tool Alternate site availability with workstations and access to data network and communications Access to email, internal instant messaging, online meeting center Pandemic Preparedness WHO/CDC guidelines, best practices Departmental pandemic policies Mission critical absenteeism plans Surveillance & response planning Collaboration with CDC, Nedrix, AHIP Employee Awareness Plan, test, maintain, and communicate For additional information, contact Diana White at ext. 52182 or diana_white@tufts-health.com. Tufts Health Plan 705 Mount Auburn Street Watertown, MA 02472

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback