Why Is Disaster Recovery Needed for HIPAA Compliance?
August 12, 2021
A Disaster Recovery (DR) scenario forms part of a much larger business continuity strategy that is required to achieve a HIPAA compliant status. DR capabilities are an essential technical safeguard designed to protect the integrity of Protected Health Information (PHI). The focus is to preserve access to PHI and keep critical healthcare applications working in the event of a catastrophic failure. Consideration must be given to how your business reacts and responds to the total loss of a primary data center after a major incident.
HIPAA demands that healthcare organizations be able to restore PHI in the event of complete failure, so a robust and reliable data backup plan is essential. If all else fails, it must be possible to restore PHI from disk or tape in an unaltered state. Many healthcare organizations choose to outsource this responsibility to an IT managed services provider.
The outsourcing approach ensures the backup service is subject to the guarantees laid out in a business associate agreement, signed by both parties. It helps to guarantee that all in-scope PHI is backed up as per a pre-defined backup and retention schedule, and that technical safeguards such as the required levels of encryption are in place.
The backups are a core element of the initial DR solution, but the main component of DR is a technical solution that maintains the high availability of core healthcare IT services. The DR service must be resilient to failure and tested regularly. Many healthcare professionals also decide to outsource this responsibility, because the cost and technical skills required to implement a failsafe solution are substantial.
The HIPAA Security Rule amendment of 2003 introduced DR planning as a required implementation for compliance. The recommendation is to document the entire process in a DR Plan (DRP); the DRP offers the recommended processes an organization should follow to overcome a disaster.
What constitutes a disaster, and when should a DR be declared?
Many events may trigger DR with the most recent example being the COVID-19 pandemic. Back in March 2020, global businesses invoked DR practices because the entire workforce was asked to work from home overnight. More traditional events would be around power failures, flooding, fires, or natural disasters.
Knowing when to declare a disaster is much more complicated than it sounds. The healthcare teams and their business associates should agree on the predefined criteria that must be met to invoke DR. In healthcare, loss of access to PHI is a major contributing factor: if a single server goes down, it is unlikely that DR is needed, but if a datacenter is flooded, wiping out the entire building, DR should be declared almost immediately.
“Who ya gonna call?”
The healthcare professionals need to know how to get the DR process moving; escalation to key stakeholders is typically required if an automated failover hasn't kicked in yet. Identify a DR Lead, and have a documented list of critical contacts, their phone numbers, and their roles. Understanding how communication should flow during a disaster is one of the best ways to reduce downtime.
Have you completed a Risk Assessment?
A completed Risk Assessment (RA) is hugely important for DR initiatives. RAs are mandatory for HIPAA compliance and are used to define the services needed to keep the business running. You must know what PHI you have, where it is stored, how it is processed, and how it is transmitted over the network.
The information gathered from the RA feeds directly into DR. Technical solutions protect the relevant servers, databases, and application stacks, with a priority assigned to each one. The RA also helps when planning a remote command center (or home working en masse) and in understanding the organization's Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).
Can your Technical teams recover the service?
After the decision to invoke DR has been made, next is for a team of technical gurus to implement and monitor the failover process. Most solutions are automated, but still require significant technical acumen to ensure the failover is going as planned and services are being started up in the remote location, in the correct order.
After failover, the techies must validate that all ePHI data is now available in the DR location and that it is available within the RTO and RPO service levels. The techies will test the infrastructure, and the end-users will need to test the applications to ensure everything is working as expected.
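The post-failover validation described above (restored ePHI present and unaltered, and the outcome measured against the agreed RPO and RTO), as an added example that is not part of the original article or of any particular provider's tooling. The manifest, file names, timestamps and objectives are constructed sample values; a real exercise would read the manifest recorded at backup time and the copies that came up at the DR site.

```python
"""Post-failover check for a DR exercise: restore integrity plus RPO/RTO outcome."""
from datetime import datetime, timedelta
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: hashes recorded when the backup was taken (object -> SHA-256)
# and the objects that actually came up at the DR site after failover.
BACKUP_MANIFEST = {
    "patients.db": sha256_hex(b"patient records v42"),
    "lab_results.db": sha256_hex(b"lab results v17"),
    "imaging_index.db": sha256_hex(b"imaging index v3"),
}
DR_SITE_COPY = {
    "patients.db": b"patient records v42",
    "lab_results.db": b"lab results v16",  # restored from an older snapshot
    # imaging_index.db never came up at the DR site
}


def check_restore_integrity(manifest, restored):
    """Compare each restored object against the hash recorded at backup time."""
    corrupt = sorted(n for n, h in manifest.items()
                     if n in restored and sha256_hex(restored[n]) != h)
    missing = sorted(n for n in manifest if n not in restored)
    return {"corrupt": corrupt, "missing": missing}


def check_objectives(disaster_at, last_good_backup_at, service_restored_at, rpo, rto):
    """RPO: how old the newest usable backup was when disaster struck.
    RTO: time from declaring the disaster until services were usable again."""
    data_loss_window = disaster_at - last_good_backup_at
    downtime = service_restored_at - disaster_at
    return {"data_loss_window": data_loss_window, "rpo_met": data_loss_window <= rpo,
            "downtime": downtime, "rto_met": downtime <= rto}


def dr_exercise_report():
    """Combine both checks into one pass/fail record for the post-DR review."""
    integrity = check_restore_integrity(BACKUP_MANIFEST, DR_SITE_COPY)
    objectives = check_objectives(
        disaster_at=datetime(2021, 8, 12, 9, 0),          # constructed timeline
        last_good_backup_at=datetime(2021, 8, 12, 3, 0),  # nightly backup, 6 h old
        service_restored_at=datetime(2021, 8, 12, 12, 30),
        rpo=timedelta(hours=4), rto=timedelta(hours=4))
    passed = (objectives["rpo_met"] and objectives["rto_met"]
              and not integrity["corrupt"] and not integrity["missing"])
    return {"integrity": integrity, "objectives": objectives, "passed": passed}


if __name__ == "__main__":
    print(dr_exercise_report())
```

With the sample values the exercise fails: the backup was older than the 4-hour RPO, one object was restored from the wrong snapshot and one never came up, which is exactly the kind of finding the post-DR review meeting should capture.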
What are the post DR activities?
Apart from rigorous testing, detailed root cause analysis should be undertaken as well as planning how to fail back the services once normal service is restored. Within seven days of the DR scenario, all of the participants involved, including management, DR leads, technical teams, etc. must meet to discuss what happened. These meetings aim to create an analysis report and get a full understanding of the disaster incident from start to finish.
Depending on the disaster scenario, there may be a requirement to keep services running in the DR site for a lengthy period. During this time, it is essential to carefully plan a strategy for failing back: the data in the original location will most likely be out of sync, so consideration must be given to ensuring a complete resync of data.
How can you continuously test and evolve the DR Strategy?
HIPAA compliance requires that DR be a continuous learning initiative; documenting the successes and failures of DR will make the overall process more efficient and worthwhile. The administrative safeguards demand regular reviews, regular tests, and regular training of all personnel in DR processes and activities.
Throughout this article, you will have seen a trend that many healthcare organizations outsource to HIPAA-compliant hosting providers, and with the complexities and costs involved in designing, implementing, and managing DR capabilities, it is easy to see why outsourcing is so popular.
Many health-related businesses can do this in-house, investing millions of dollars in high-tech hyper-converged solutions and employing high-grade technical engineers and solution architects. Due to the rules laid out in HIPAA, there is simply no avoiding DR: it is a mandatory requirement for any covered entity or business associate that handles PHI.
Contributed by Atlantic.Net, Inc.
Atlantic.Net provides HIPAA-compliant hosting. Our state-of-the-art infrastructure is SOC2, SOC3, HIPAA, and HITECH compliant and housed in secure, climate-controlled facilities with constant monitoring and multiple direct connections to the Internet backbone to ensure availability and data safety.