Disaster recovery planning and business continuity planning are essential for all businesses, no matter the industry, but they take on special significance in healthcare thanks to HIPAA. If you’re a healthcare provider or an application provider in the healthcare space, here are six things you need to know.
#1 Disaster recovery plans are required by HIPAA. According to the HHS security series white paper #2, which covers administrative safeguards, HIPAA requires covered entities to create contingency plans that “establish strategies for recovering access to EPHI should the organization experience an emergency or other occurrence, such as a power outage and/or disruption of critical business operations.”
#2 What “availability” means isn’t clear. Depending on the type of emergency, availability of EPHI (electronic protected health information) data could significantly impact the outcome of recovery efforts, so it’s understandable that HHS would want to ensure the continued availability of data during a disaster. However, HIPAA stops short of specifying recovery objectives, leaving it up to the covered entity to determine these for itself in its own risk assessment.
See our recent post, A Short FAQ on Disaster Recovery as a Service, for a brief discussion on setting recovery objectives.
#3 Natural disasters aren’t the only disasters you need to worry about. Though hurricanes, wildfires, and other natural disasters get much of the media attention, HIPAA requires the covered entity to ensure availability of EPHI no matter the cause of the disruption. According to the Ponemon Institute’s most recent study, the three most common causes of data center downtime were UPS failure (25%), human error (22%), and security breaches (22%). Your disaster recovery plan should include contingencies for different types of disasters.
#4 Security and disaster recovery plans must be aligned. The third most common cause of data center downtime (security breaches) highlights a common issue with many disaster recovery and business continuity plans in the healthcare industry. The organization’s recovery plans may outline procedures and protocols for recovering from a flood, fire, or other natural disasters, but say nothing about what to do if IT systems are brought down by ransomware or a sustained Distributed Denial of Service (DDoS) attack.
Hopefully, your security plans already cover this contingency, but even so, your security and disaster recovery plans should be aligned. That’s not to say they need to be managed by the same team, but your compliance officer or some other top-level executive should be charged with ensuring that security disasters are adequately covered as a contingency.
#5 Business associates must also have an adequate disaster recovery plan. If your business requires you to share the EPHI you collect with a business partner, you must have a signed Business Associate Agreement with that partner. This includes IT providers like Connectria that help you manage the systems that process EPHI. Section 164.314(a)(2)(i) of the HIPAA rules states that business associates must also:
“Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity…”
The key here is to remember that, per the clause cited above, “safeguard” covers not only the confidentiality of the data but also its integrity and availability. When vetting potential third-party vendors, remember to discuss disaster recovery as well as security.
#6 Security during a disaster requires unique protocols. Finally, at no time is your data likely to be at greater risk than during a disaster. For example, DDoS attacks are often used to cover up other types of cyber attacks. While your security professionals are trying to shut down the attack, cybercriminals can sneak in undetected and steal data.
Likewise, if your systems are brought down by a more traditional disaster, such as a backhoe through a data cable, you need to ensure EPHI data is kept secure at every step of your restoration procedures, such as the physical transportation from offsite storage facilities or the transfer of data to temporary systems.
Expect the best; prepare for the worst
Connectria has helped hundreds of companies create disaster recovery plans that ensure the continued security, integrity, and availability of their data, regardless of the loss event. Here are a few case studies related to our work with healthcare providers: