Disaster recovery planning and business continuity planning are essential for all businesses, no matter the industry, but they take on special significance in healthcare thanks to HIPAA. If you’re a healthcare provider or an application provider in the healthcare space, here are six things you need to know.
1 Disaster recovery plans are required by HIPAA
According to the HHS security series white paper #2, which covers administrative safeguards, HIPAA requires covered entities to create contingency plans that “establish strategies for recovering access to EPHI should the organization experience an emergency or other occurrence, such as a power outage and/or disruption of critical business operations.”
2 What “availability” means isn’t clear
Depending on the type of emergency, the availability of EPHI (electronic protected health information) could significantly affect the outcome of recovery efforts, so it’s understandable that HHS would want to ensure the continued availability of data during a disaster. However, HIPAA stops short of specifying recovery objectives, leaving it up to each covered entity to determine them for itself in its own risk assessment.
See our recent post, A Short FAQ on Disaster Recovery as a Service, for a brief discussion on setting recovery objectives.
3 Natural disasters aren’t the only disasters you need to worry about
Though hurricanes, wildfires, and other natural disasters get much of the media attention, HIPAA requires the covered entity to ensure the availability of EPHI no matter the cause of the disruption. According to the Ponemon Institute’s most recent study, the three most common causes of data center downtime were UPS failure (25 percent), human error (22 percent), and security breaches (22 percent). Your disaster recovery plan should include contingencies for different types of disasters.
4 Security and disaster recovery plans must be aligned
The third most common cause of data center downtime (security breaches) highlights a common gap in many disaster recovery and business continuity plans in the healthcare industry. An organization’s recovery plans may outline procedures and protocols for recovering from a flood, fire, or other natural disaster, but say nothing about what to do if IT systems are brought down by ransomware or a sustained Distributed Denial of Service (DDoS) attack.
Hopefully your security plans cover this contingency, but your security and disaster recovery plans should also be aligned with each other. That’s not to say they need to be managed by the same team, but your compliance officer or another top-level executive should be charged with ensuring that security incidents are adequately covered as a disaster recovery contingency.
5 Business associates must also have an adequate disaster recovery plan
If your business requires you to share the EPHI you collect with a business partner, you must have a signed Business Associate Agreement with that partner. This includes IT providers like Connectria that help you manage the systems that process EPHI. Section 164.314(a)(2)(i) of the HIPAA rules states that business associates must also:
“Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronically protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity…”
The key point is that, per the clause cited above, “safeguard” covers not only the confidentiality of the data but also its integrity and availability. When vetting potential third-party vendors, remember to discuss disaster recovery as well as security.
6 Security during a disaster requires unique protocols
Finally, at no time is your data likely to be at greater risk than during a disaster. For example, DDoS attacks are often used as cover for other types of cyberattacks: while your security professionals are busy trying to shut down the attack, cybercriminals can slip in undetected and steal data.
Likewise, if your systems are brought down by a more traditional disaster, such as a backhoe cutting a data cable, you need to ensure EPHI is kept secure at every step of your restoration procedures, including the physical transportation of media from offsite storage facilities and the transfer of data to temporary systems.
Hope for the best, prepare for the worst
Connectria has helped hundreds of companies create disaster recovery plans that ensure the continued security, integrity, and availability of their data, regardless of the loss event. Here are a few case studies related to our work with healthcare providers:
- TCS Healthcare Technologies
- ePreop: Managed Services and HIPAA Compliance on Microsoft Azure
- DocuTap: An Advanced HIPAA/HITECH Urgent Care Solution in the Cloud
Contact Connectria directly if you’d like to speak to one of our representatives about your unique situation.