Disaster recovery planning for health care data and HIPAA compliance regulations

Similar documents
Disaster Recovery Planning: Weighing your customer s options

Storage Virtualization Explained

10 Cloud Storage Concepts to Master

E-Guide CLOUDS ARE MORE SECURE THAN TRADITIONAL IT SYSTEMS -- AND HERE S WHY

ADDRESSING TODAY S VULNERABILITIES

Requirements for virtualizing Exchange Server 2010

E-Guide BENEFITS AND DRAWBACKS OF SSD, CACHING, AND PCIE BASED SSD

NETWORK-BASED CONTROLS: SECURING THE INTERNET OF THINGS

Solid State Storage: Trends, Pricing Concerns, and Predictions for the Future

Desktop Virtualization: What Windows Managers Should Know

Utilizing Windows Server 2012 without the GUI Key workarounds for avoiding the Modern UI

AUTHENTICATION AND AUTHORIZATION: TWO SECURITY ESSENTIALS THAT WORK TOGETHER

Server Hardware for Virtualization: Exploring the Options

Data Backup and Contingency Planning Procedure

SECURITY MONITORING: BE EVERYWHERE AT ONCE

Best Practices for the Hybrid Cloud

An introduction to the VDI landscape

VMware vsphere Beginner s Guide

KNOW THE FEATURES OF WINDOWS SERVER 2012 R2

Backup solutions for today s Data Center

WHAT NETWORK VIRTUALIZATION TECHNOLOGY CAN DO FOR YOUR NETWORK TODAY

PREVENTING PRIVILEGE CREEP

Identify and Eliminate Oracle Database Bottlenecks

SUPPLEMENTARY DEFENSES FOR ENDPOINT SECURITY

SSL Certificate Management: Common Mistakes and How to Avoid Them

E-Guide WHAT WINDOWS 10 ADOPTION MEANS FOR IT

Certified Information Systems Auditor (CISA)

Evaluating the Security of Software Defined Networking

Backup Appliances: Key Players and Criteria for Selection

Introduction to Business continuity Planning

HIPAA Security and Privacy Policies & Procedures

AS ATTACKERS TARGET APPLICATION CODING ERRORS, ARE STATIC ANALYSIS TOOLS THE ANSWER?

Disaster Recovery and HIPAA Compliance

Business Continuity Planning: Documentation During EMR Downtime. The webcast will begin shortly...

MANAGING ENDPOINTS WITH DEFENSE- IN-DEPTH

The case for cloud-based data backup

HIPAA Compliance and OBS Online Backup

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

BRING SPEAR PHISHING PROTECTION TO THE MASSES

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

BEST PRACTICES TO PROTECTING AWS CLOUD RESOURCES

LESSONS LEARNED FROM AN OFFICE 365 MIGRATION

ADOPTING FIDO SearchSecurity

TEN ESSENTIAL NETWORK VIRTUALIZATION DEFINITIONS

University Information Systems. Administrative Computing Services. Contingency Plan. Overview

WHITE PAPER. Header Title. Side Bar Copy. Header Title 5 Reasons to Consider Disaster Recovery as a Service for IBM i WHITEPAPER

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Disaster Unpreparedness June 3, 2013

INFORMATION SECURITY- DISASTER RECOVERY

Business Continuity and Disaster Recovery. Ed Crowley Ch 12

The simplified guide to. HIPAA compliance

Contents. Chapter 3: Chapter 4: Critical Server Ranking Classifying Systems for Recovery Priority Mission-Critical Only, Please...

SDN Technologies Primer: Revolution or Evolution in Architecture?

A primer to SQL Server 2012

BUYING SERVER HARDWARE FOR A SCALABLE VIRTUAL INFRASTRUCTURE

STORAGE NETWORKING TECHNOLOGY STEPS UP TO PERFORMANCE CHALLENGES

Disaster Recovery Planning

Build a viable plan for disaster recovery and crisis management.

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 13 Business Continuity

FUJITSU Backup as a Service Rapid Recovery Appliance

IPMA State of Washington. Disaster Recovery in. State and Local. Governments

Disaster Recovery Is A Business Strategy

E-Guide DATABASE DESIGN HAS EVERYTHING TO DO WITH PERFORMANCE

Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices

Thinking Outside the Box on Disaster Recovery

EXHIBIT A. - HIPAA Security Assessment Template -

2015 HFMA What Healthcare Can Learn from the Banking Industry

TUFTS HEALTH PLAN CORPORATE CONTINUITY STRATEGY

Audit & Advisory Services. IT Disaster Recovery Audit 2015 Report Date January 28, 2015

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Records Information Management

DATA BACKUP AND RECOVERY POLICY

Backup vs. Business Continuity

Security and Privacy Governance Program Guidelines

Support for the HIPAA Security Rule

A CommVault White Paper: Business Continuity: Architecture Design Guide

Planning for disaster recovery in a health care setting

Cloud & Managed Server Hosting for Healthcare Professionals

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

a publication of the health care compliance association MARCH 2018

3.3 Understanding Disk Fault Tolerance Windows May 15th, 2007

High Availability through Warm-Standby Support in Sybase Replication Server A Whitepaper from Sybase, Inc.

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Information Systems. Data Protection Disaster recovery Backups

Five Ways to Improve Electronic Patient Record Handling for HIPAA/HITECH with Managed File Transfer

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Hyper-Converged Infrastructure: Providing New Opportunities for Improved Availability

Cloud-based data backup: a buyer s guide

TEL2813/IS2820 Security Management

First Financial Bank. Highly available, centralized, tiered storage brings simplicity, reliability, and significant cost advantages to operations

Disaster Recovery Planning Blackout. Katrina

CCISO Blueprint v1. EC-Council

Memorandum APPENDIX 2. April 3, Audit Committee

Module 4 STORAGE NETWORK BACKUP & RECOVERY

WHITE PAPER- Managed Services Security Practices

THE STATE OF CLOUD & DATA PROTECTION 2018

HIPAA Federal Security Rule H I P A A

Business continuity management and cyber resiliency

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

Disaster Recovery Planning: Is Your Plan in Place? Presented by: Steve Shofner, CISA, CGEIT

Transcription:

Disaster recovery care data and HIPAA compliance regulations

Disaster recovery care Disaster recovery planning takes on special importance in health care organizations dealing with patients and care delivery. This e-guide walks through the steps to follow when considering a Disaster recovery plan and implementing procedures to protect and secure access to electronic protected health information (ephi). By: Anne Steciw As the health care industry moves toward the adoption of electronic health records (EHRs), the need for solid planning (DRP) becomes more important. This tutorial explains why DRP is especially important for health, and provides information for health care CIOs looking to establish or solidify a plan. Why is planning important in health care? Due to the nature of their business, health care organizations -- especially hospitals -- must maintain a high degree of system and network availability. Patients' lives may depend on systems being up and running, and patients' health could be jeopardized by lack of access to health in the event of system downtime. Hospitals devastated by tornadoes in Joplin, MO learned that disaster recovery planning must consider the impact to clinical workflows, especially in the event of a patient surge. As physicians and clinicians become more reliant on clinical applications to deliver patient care, the importance of disaster preparedness and infrastructure resiliency in health care become apparent. Unfortunately, when establishing IT budgets, many health care organizations overlook the importance of developing an effective plan. It's important for health care CIOs to make the business case and receive a budget for planning. Page 2 of 8

Disaster recovery care What are the first steps for planning in health care? The first step in planning is to conduct a business impact analysis (BIA). This involves identifying all of your systems and applications, and then determining their impact to the business if they went down. In the case of a health care organization, this includes determining the impact to patients and care delivery. The next step is to identify possible points of failure and develop a plan to address those vulnerabilities. This plan may include establishing a remote data center or working with EHR vendors to determine service level agreements in the event of a disaster or system failure. It's also a good idea to examine the different data replication strategies available and determine which ones best suit your health care organization. What are the HIPAA requirements for planning? A HIPAA covered entity must have a contingency plan in place to ensure continued access to electronic protected health information (ephi) in the event of a system failure. HIPAA requirements also include the need for an ephi data backup plan, along with and emergency mode operation plans. Organizations developing a HIPAA plan must also explain how sensitive health will be moved without violating HIPAA privacy and security requirements. How does virtualization impact planning? Some organizations are turning to virtualized to restore access to health in the event of system downtime. While there are many benefits to using virtualized, it is still crucial for health care organizations to maintain HIPAA compliance. In a virtual setting, planning should also include procedures for restoring backups to virtual hardware and must specify the conditions for use of virtual machines. Page 3 of 8

Disaster recovery care but possible By: Ray Lucchesi, Contributor Under federal law, HIPAA covered entities must implement procedures to protect and secure access to electronic protected health information (ephi). What's more, such entities also had to supply a contingency plan to insure continued ephi availability during emergencies or disasters. However, ephi exists only in conjunction with data processing applications and, thus, can only be recovered together with those systems. Consequently, HIPAA requirements state the need for an ephi data backup plan, along with and emergency mode operation plans. The intent of the data backup plan was to create systems that allowed for the restoration of all ephi. The intent of the plan was to identify the processes and procedures needed to insure that ephi data could be restored in the event of loss. Finally, the intent of the emergency mode operation plan was to describe how operations could continue to protect and secure ephi during an emergency. In addition, HIPAA requirements ask that a test and revision procedure and an applications and data criticality analysis for ephi be "addressable" by all covered entities. Addressable regulations such as these could be dismissed by demonstrating that they were not applicable. For example, these policies need only apply to large ephi environments; smaller organizations could address them by documenting reasons why they were not relevant to their contingency plan. Creating a HIPAA data backup plan and choosing an alternate DR site Ordinarily, many data centers provide for system recovery by using data backups or mirroring/replication. Page 4 of 8

Disaster recovery care Data backups can be written to removable media, such as tape DVDs or CDs, or they can be placed on alternate storage systems such as virtual tape libraries, other storage or dedicated backup appliances. Data backups are taken periodically, usually duplicated, stored both on and offsite, and preserve multiple versions of data. Meanwhile, data replication or mirroring is used to copy data to another site, which can be a host, network or storage system facility. Mirroring can be scheduled, asynchronous or synchronous. Scheduled data replication can be done every week, every shift or more often. For asynchronous mirroring, data is copied some time after it is modified. In contrast, with synchronous mirroring, copies are made while data is being modified. Any successful will necessarily depend on the use of an alternate or secondary site. There are three types of sites available. A cold site supplies only power, cooling and networking. Servers, switches and storage must be sent to the location. A warm site adds to the cold site sufficient servers, switches and storage hardware to support ephi operations in the event of a disaster. A hot site provides warm site hardware plus continuous data mirroring of ephi data to speed up. Keep the following in mind when choosing a site. Using a cold site will require special contracts with system vendors to drop ship any and all necessary hardware to the site. For both cold and warm sites, backup data must be transported to the disaster site. For all site types, servers, networking and software systems will need to be reconfigured onsite to support emergency operations. Page 5 of 8

Disaster recovery care Creating an all-encompassing plan In any case, having a backup of ephi and an alternate site arrangement is required -- but not sufficient -- to support disaster operations. For that to occur, one also needs a and emergency mode operations plan. Although HIPAA requirements place these into two separate policies, many health IT shops cover both mandates with a single, all encompassing plan (DRP). Any DRP should include the following five components. Disaster declaration: The DRP should document the decision process and team participants. Moving operations to an alternate site is always a costly endeavor. Occasionally, temporary or transient issues, such as a power fluctuation, can impact data center operations for a limited time. It's the purpose of the disaster declaration process and team, which generally consist of operations and other senior IT management personnel, to determine if is truly warranted. Disaster list: The DRP should focus on a select set of high-probability and high-impact events such as natural disasters or other catastrophes. Cataloguing these within the DRP can help IT personnel justify investment in costly backup systems, alternate site(s) and application recovery. Data backup: Any disaster will necessarily depend on backups or mirrors of current data and applications. As such, backup systems should be well described in the DRP. This information should include the frequency, type and locations of any data and system backups and/or replication done to offsite location(s). Moreover, how data backups are to be shipped to the alternate site -- with procedures, contact lists and transport duration -- should be supplied. Equally important, offsite repositories should be far enough away to insure backup availability in the face of a disaster impacting the primary site. Similar locality constraints apply to alternate site locations. Alternate site: The DRP should delineate the secondary site capabilities, activation procedures and contact lists. One should also provide instructions as to how technical personnel will access and/or travel to the alternate site. Page 6 of 8

Disaster recovery care ephi recovery: The DRP should identify all ephi systems and data requirements. Furthermore, the process for restoring ephi application operations should be fully recorded. Moreover, an application recovery priority list should be produced to determine restoration sequence. Personnel familiar with an application and its operation can often facilitate emergency operations, so names and contact lists for these individuals should be supplied. Summary: Don't neglect DRP testing, modification We have identified most of the critical components of any DRP needed to respond to HIPAA requirements. Although not discussed above, addressable policies could be dealt with inside or outside the DRP. Nonetheless, as ephi applications can be added, deleted or modified, periodic plan tests and resultant corrections are vital to the continuing success of any. Furthermore, with natural disasters and security breaches occurring more frequently, the need for a practicable DRP is more essential than ever. In fact, having a viable DRP is something all covered entities should have in place for their own business survival, regardless of HIPAA requirements. Page 7 of 8

Disaster recovery care Free resources for technology professionals TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. What makes TechTarget unique? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers all to create compelling and actionable information for enterprise IT professionals across all industries and markets. Related TechTarget Websites Page 8 of 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback