Article written by Veronica Miller, compliance solutions manager, Bluelock
The healthcare industry has undergone a radical digital shift in the past decade. As of 2014, more than 80 percent of U.S. hospitals had adopted some type of electronic health record (EHR) system. An industry that used to be dominated by thousands of tons of paper is finally shifting to a paperless way of life, and the amount of data is expected to grow as technological innovations and interaction points with data proliferate.
While electronic data has made healthcare easier, that convenience comes with risks; privacy, security, accessibility and continuity are among the most significant. HIPAA and HITECH regulations call for greater protection measures for personal health information (PHI) and the EHR environment.
Pressure from regulators, plus major advancements in disaster recovery methodologies, makes this the ideal time to establish or revamp your disaster recovery plan with Disaster Recovery-as-a-Service (DRaaS). Healthcare providers are increasingly moving disaster recovery (DR) to the cloud because of the costs and personnel required to manage a DR solution internally that will actually work when needed.
The following are five simple steps for achieving HIPAA contingency plan compliance with DRaaS:
1. Establish procedures to create and maintain retrievable copies of electronic health information.
Data should be backed up frequently to a secure, off-site location. This gives you access to your data even in the event of a disaster. Newer, cloud-enabled replication technology called Continuous Data Protection (CDP) syncs new data and system updates to your designated off-site location in real time, so that no data is lost. There is also the option of using traditional backup technology to point your backup jobs at the cloud and store copies of the data in a secure, encrypted cloud-based repository.
To comply with HIPAA requirements, your DRaaS provider must also support continuous protection of your workload while recovering data off-site.
2. Establish procedures to restore any loss of data.
One of the most important parts of guarding your electronic data is organizing a plan for emergency data recovery. To do this, you should prepare a customized runbook for your disaster recovery plan that is regularly updated and tested as your organization evolves. This single document can ensure your organization's ability to get back up and running quickly.
Be sure your team understands the procedures and processes of your disaster recovery plan, including how to access each application, its requirements for recovery and how it connects to other applications. Your DRaaS provider may offer assistance building your runbook, as well as training for your team.
3. Create an emergency mode operation plan.
HIPAA requires an emergency mode operation plan that ensures your organization not only has an emergency plan, but can also operate securely in an emergency state. Certain DRaaS providers can enable your organization to run production and applications at a high level of security and efficiency at the DR site throughout an emergency. Depending on your provider, this level of security can be equal to or even higher than that of your day-to-day operations.
Although your team should have extensive training on executing your emergency mode operation plan, your DRaaS provider should be able to execute your runbook for data and application recovery in case your team cannot access key systems. Key items to work out beforehand include recovery point objectives (RPO) and recovery time objectives (RTO): the RPO determines how far back your data is recovered, and the RTO how quickly that recovered data will be fully accessible again.
4. Complete periodic testing and revision of the contingency plan.
In order to spot weaknesses and make adjustments to your contingency plan, be sure to test your processes regularly. With DRaaS, testing is more affordable and simpler than ever. This makes it easy to implement disaster recovery testing biannually, as recommended by standard IT best practices.
Your testing should analyze your organization's response to scenarios in which the circumstances are not ideal, such as corrupted backups or the failure of major systems. This allows you to include plans for these scenarios in your disaster recovery runbook so your team doesn't have to make last-minute decisions in the middle of a disaster.
5. Assess the relative criticality of specific applications and data.
Take time to prioritize which applications and data are most crucial to your organization. This will help your DRaaS provider ensure those highest on your list are the top priority in recovery efforts. Customizing the recovery level of each application and data set lets you restore the most important data immediately, while deferring recovery of less important data during an emergency. Your recovery provider should be able to identify and recommend recovery levels for applications based on importance and criticality so your business can run its key systems in the event of a disaster.
Following these simple steps with DRaaS will help you comply with the HIPAA regulations for IT contingency plans. And when a disaster strikes, the preparation work your organization has completed will allow you to sidestep much of the challenge during a disaster event. For more detailed information on this process, check out this downloadable whitepaper.
## About the Author
As Compliance Solutions Manager, Veronica Miller is responsible for audit and compliance management, license management, client compliance and audit support, and process improvement initiatives. She is highly involved in Bluelock's vendor selection and management, internal IT management, as well as special projects and initiatives.