To comply with HIPAA, healthcare companies and their business associates must formulate a robust contingency plan in case of an event that disrupts operations. These plans have smaller component plans such as a Disaster Recovery Plan (DRP) and an Emergency Operations Mode Plan. This business continuity strategy requires healthcare organizations to be capable of recovering critical IT systems that handle Electronic Patient Health Information (ePHI) into a disaster recovery location while ensuring critical business functions continue in the event of a crisis.
The aim of the Contingency Plan and DRP is to establish the roles, responsibilities and procedures needed in a real-world DR scenario. This plan will typically define 5 key specifications:
The Data Backup Plan
Essentially, all ePHI must be identified and backed up using a HIPAA compliant backup solution. The data backup schedule should be pre-defined according to the organization’s specific needs, but might typically be a daily, monthly and annual backup policy. A number of security safeguards should be enforced in storing ePHI backup data, such as encryption at rest and encryption for transferred data. There must also be controls over how backup data is accessed and by whom, especially when considering restoration of data.
The Disaster Recovery Plan (DRP)
The DRP is a detailed set of processes and procedures which defines how a healthcare organization and the business associate responsible for IT services will respond to a disaster scenario. A DRP will typically aim to answer:
- What is a Disaster Recovery Scenario? – A typical disaster scenario will be when access to ePHI data and systems is severely interrupted for some reason, such as technical outage, human error, terrorism, or a natural disaster. A good example to consider: what would happen if your production data center were destroyed? How would the healthcare provider continue to operate, and how would the managed service provider (MSP) recover from such a disaster? Under HIPAA requirements, the MSP must empower the healthcare organization with the ability to failover production services to a secondary disparate location, restore critical IT systems and services, and restore the ePHI data to a specific point in time prior to the disaster.
- When to Declare a Disaster Scenario – The healthcare organization and the IT service provider will have a business agreement which will stipulate when to declare a disaster. This could be from a certain timeframe since a system outage began, or the DRP might be invoked by approved personnel, usually a senior manager or executive. In most managed service companies, invoking DR is a manual process which must follow a strict authorization procedure.
- How to Invoke Disaster Recovery – Healthcare personnel must be aware of how to invoke DR, for example by phoning the IT provider and providing a pre-agreed security key to approve DR activation. The MSP must also have a strategy for escalating to on-call technical experts or stakeholders. This is usually done through a DR Lead who is responsible for the communications channels. This process may also involve moving technical personnel to a remote command center if the hosting site has been compromised.
- Who to Contact and How Communication Flows During a DR Scenario – Modern MSPs have automated monitoring systems which automatically notify DR personnel; however, the names and contact numbers of key persons must be published within the DRP. Each team member must know whom they report to, and how communication flows in a DR scenario. This is usually done via a call tree.
- Description of Key Roles and Responsibilities of Anyone Assigned to the Recovery Team – All DR personnel must understand their role and where they fall within the chain of command in a DR scenario, including network engineers, server engineers, and database engineers.
- Define Recovery Time Objectives – The DRP will state the contracted RTO. This refers to how long the healthcare organization can operate without critical IT systems, and therefore the time allowed for the MSP to set up new IT infrastructure in a secondary location. This may be set to 24 hours, meaning the MSP has 24 hours to get the servers and infrastructure running in DR. With today’s modern cloud failover technologies, the RTO can be as low as near-zero.
- Define Recovery Point Objectives – The DRP will state the contracted RPO, which shows what point in the processing cycle an organization can recover to, or what point in time data can be restored to. For example, an RPO of 15 minutes means the restored data cannot be more than 15 minutes old.
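The Data Backup Plan safeguards and the RTO/RPO definitions above can be checked mechanically after each DR test. The following Python script is an added illustration, not code from the original article or from any particular MSP: it audits a set of backup records for encryption at rest, encryption in transit and restricted restore access, then measures the RPO and RTO actually achieved in a DR test against the contracted targets. The backup records, the DR test timeline, the 15-minute/24-hour targets and the field and role names are all constructed assumptions.

```python
"""Backup-plan safeguard audit and RPO/RTO evaluation for a DR test.

Added worked example, not code from the original article. The backup
records and the DR test timeline are constructed sample data, and the
field names (encrypted_at_rest, restore_roles, ...) are assumptions
about how an MSP might record them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    system: str
    taken_at: datetime
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    restore_roles: frozenset      # roles permitted to restore this copy


@dataclass(frozen=True)
class DrTest:
    disaster_at: datetime         # production site lost
    declared_at: datetime         # authorised DR invocation
    restored_at: datetime         # service confirmed running in DR


# Contracted targets (constructed values matching the article's examples).
RPO_TARGET = timedelta(minutes=15)
RTO_TARGET = timedelta(hours=24)
APPROVED_RESTORE_ROLES = frozenset({"dr-lead", "backup-admin"})

# Constructed sample data: one system with frequent, well-protected copies
# and one with a nightly copy that breaks two safeguards.
SAMPLE_BACKUPS = [
    Backup("ehr-db", datetime(2024, 3, 1, 9, 50), True, True, frozenset({"backup-admin"})),
    Backup("ehr-db", datetime(2024, 3, 1, 10, 5), True, True, frozenset({"backup-admin"})),
    Backup("file-share", datetime(2024, 3, 1, 2, 0), True, False, frozenset({"helpdesk"})),
]
SAMPLE_TEST = DrTest(
    disaster_at=datetime(2024, 3, 1, 10, 0),
    declared_at=datetime(2024, 3, 1, 10, 20),
    restored_at=datetime(2024, 3, 1, 16, 30),
)


def safeguard_findings(backup):
    """Safeguards from the Data Backup Plan: encryption at rest, encryption
    in transit, and restore access limited to approved roles."""
    findings = []
    if not backup.encrypted_at_rest:
        findings.append(f"{backup.system}: copy {backup.taken_at:%H:%M} not encrypted at rest")
    if not backup.encrypted_in_transit:
        findings.append(f"{backup.system}: copy {backup.taken_at:%H:%M} transferred unencrypted")
    unapproved = backup.restore_roles - APPROVED_RESTORE_ROLES
    if unapproved:
        findings.append(f"{backup.system}: restore allowed for unapproved roles {sorted(unapproved)}")
    return findings


def achieved_rpo(backups, disaster_at):
    """Age of the newest copy taken before the disaster, i.e. the data
    actually lost. Copies taken after the disaster cannot be used."""
    usable = [b.taken_at for b in backups if b.taken_at <= disaster_at]
    return disaster_at - max(usable) if usable else None


def evaluate(system, backups=SAMPLE_BACKUPS, test=SAMPLE_TEST):
    """Report whether one system met RPO/RTO and list safeguard findings."""
    copies = [b for b in backups if b.system == system]
    rpo = achieved_rpo(copies, test.disaster_at)
    rto = test.restored_at - test.disaster_at     # measured from loss of service
    return {
        "system": system,
        "rpo": rpo,
        "rpo_met": rpo is not None and rpo <= RPO_TARGET,
        "rto": rto,
        "rto_met": rto <= RTO_TARGET,
        "declaration_delay": test.declared_at - test.disaster_at,
        "findings": [f for b in copies for f in safeguard_findings(b)],
    }


if __name__ == "__main__":
    for name in ("ehr-db", "file-share"):
        print(evaluate(name))
```

Note that the RTO clock starts when service is lost, not when DR is declared, so the time taken to authorise the invocation is reported separately as `declaration_delay`; a slow call tree eats into the 24 hours just as much as slow restoration does.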
The Emergency Operations Mode Plan
An Emergency Operations Mode Plan must also be pre-defined and practiced, ensuring DR processes are achievable while keeping ePHI secure.
The MSP is responsible for ensuring that the correct technical and management teams are available during a DR scenario, and is ultimately responsible for restoring the service. It is important that the MSP work with the healthcare organization so that the HIPAA specifications of the Emergency Operations Mode Plan can be met:
- How to Keep the Business Running in the Event of a Disaster – This will define what critical IT infrastructure is needed to keep the healthcare organization operating. Source machines requiring restoration to the cloud during a DR scenario will be identified (meaning any server containing ePHI). Priority must be allocated to HIPAA compliant servers and systems which are business critical, such as Active Directory services, database systems, networking hardware, and backend storage with ePHI data.
- Define What the Recovery Process is and Create a Definition of Required Activities – This will be a step-by-step process from the MSP outlining how they are going to restore services to ensure minimal disruption in line with RPO and RTO specifications, sometimes referred to as service blueprints. If recovery is automated, this forms a recovery run book of how to bring the systems back online and in what order. HIPAA compliance rules stipulate that only authorized users can perform these processes and require that all ePHI data is protected.
- Conduct Post DR Activities and Review Lessons Learned – Once services have been failed over and systems are running in DR, the MSP and healthcare organization must work together to test systems and access. Any issues experienced must be resolved or captured in a “lessons learned” meeting for future reference.
Testing and Revision Procedures
The testing and any subsequent revisions of the Data Backup Plan, Disaster Recovery Plan and Emergency Operations Plan are a highly recommended (although not mandatory) part of HIPAA compliance. Essentially, the healthcare organization and MSP must test all of the above plans, as well as test the technical aspects of the failover and failback process, ensuring that the process works and that the system is capable of disaster recovery in a secondary site. Annual DR tests are advised. If revisions to the plan are required, they should be enacted immediately after testing. Recommendations and changes should be discussed and implemented under change control to ensure future tests are successful.
Application and Data Criticality Analysis
Another non-mandatory recommendation for HIPAA compliance is to identify the systems which store and manage ePHI data and ensure priority is given for data backup and continuity planning. Most MSPs follow this recommendation, as it forms the basis of any automated failover strategy. The MSP needs to know what systems are classed as critical and which contain ePHI. That way, the best RPO can be delivered by restoring service to critical systems as a priority.
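The criticality analysis above and the ordered run book described under the Emergency Operations Mode Plan fit together naturally: once each system is tagged as critical and/or ePHI-bearing and its dependencies are recorded, the recovery order can be derived rather than hand-maintained. The Python below is an added example, not code from the original article: it orders a constructed inventory with a dependency-respecting topological sort (Kahn's algorithm) that, among systems ready to be restored, brings up business-critical ones first and ePHI-bearing ones next, and it rejects inventories with unknown or circular dependencies. The system names, flags and dependency edges are invented sample data.

```python
"""Derive a recovery run-book order from a criticality inventory.

Added example, not code from the original article. The inventory below
is constructed sample data; the criticality and ePHI flags and the
dependency edges are assumptions.
"""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    critical: bool          # business critical per the criticality analysis
    holds_ephi: bool        # stores or processes ePHI
    depends_on: tuple = ()  # systems that must be running before this one


# Constructed inventory: network first, then identity and storage, then the
# ePHI database and the applications and reports built on it.
SAMPLE_INVENTORY = [
    System("core-switch", critical=True, holds_ephi=False),
    System("active-directory", critical=True, holds_ephi=False, depends_on=("core-switch",)),
    System("san-storage", critical=True, holds_ephi=True, depends_on=("core-switch",)),
    System("ehr-db", critical=True, holds_ephi=True, depends_on=("active-directory", "san-storage")),
    System("ehr-app", critical=True, holds_ephi=True, depends_on=("ehr-db",)),
    System("intranet-wiki", critical=False, holds_ephi=False, depends_on=("active-directory",)),
    System("report-server", critical=False, holds_ephi=True, depends_on=("ehr-db",)),
]


def ephi_scope(inventory):
    """Systems that must be in the backup and failover scope because they hold ePHI."""
    return sorted(s.name for s in inventory if s.holds_ephi)


def recovery_order(inventory):
    """Kahn's algorithm with a priority heap: among systems whose
    dependencies are already restored, restore critical systems first,
    then ePHI-bearing ones, then alphabetically for a deterministic book."""
    by_name = {s.name: s for s in inventory}
    unknown = {d for s in inventory for d in s.depends_on} - by_name.keys()
    if unknown:
        raise ValueError(f"dependencies not in inventory: {sorted(unknown)}")

    indegree = {s.name: len(s.depends_on) for s in inventory}
    dependents = {s.name: [] for s in inventory}
    for s in inventory:
        for d in s.depends_on:
            dependents[d].append(s.name)

    def rank(name):
        s = by_name[name]
        # False sorts before True, so critical and ePHI systems come first.
        return (not s.critical, not s.holds_ephi, name)

    ready = [rank(n) for n, deg in indegree.items() if deg == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, _, name = heapq.heappop(ready)
        order.append(name)
        for dep in dependents[name]:
            indegree[dep] -= 1
            if indegree[dep] == 0:
                heapq.heappush(ready, rank(dep))

    if len(order) != len(inventory):
        stuck = sorted(n for n, deg in indegree.items() if deg > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


if __name__ == "__main__":
    print("ePHI scope:", ephi_scope(SAMPLE_INVENTORY))
    for step, name in enumerate(recovery_order(SAMPLE_INVENTORY), start=1):
        print(f"{step:2d}. {name}")
```

Because the order is recomputed from the inventory, a newly added ePHI system with a recorded dependency lands in the right place in the run book automatically, and a mis-recorded dependency loop is caught at planning time rather than during an actual failover.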
To summarize, Disaster Recovery and Business Continuity planning are a significant part of HIPAA compliance. HIPAA compliance demands that the MSP can transfer critical business systems containing ePHI into a DR location. MSPs and healthcare organizations must not overlook the importance of Disaster Recovery, and businesses need to comprehend what may happen to them if they fail to have a working DR strategy. By choosing a HIPAA-compliant MSP, you can have peace of mind that these rigorous criteria have been met and exceeded.