In March 2016, a cyberattack was launched on MedStar Health, a healthcare chain in the DC area. The Federal Bureau of Investigation (FBI) investigated the incident.
With its IT systems inaccessible, MedStar Health decided to temporarily halt patient admissions to its 250 outpatient clinics and 10 hospitals. Unable to reach the clinical notes, images, and lab records needed to treat people, the healthcare system concluded that it could not responsibly proceed. Needless to say, MedStar did not have any disaster recovery (DR) plan in place.
Disaster recovery matters to healthcare for various key reasons, in part because it is a central component of a high-availability HIPAA compliant ecosystem. Advice from across the industry is strongly in favor of setting up a DR plan because cloud systems provide a reliable and cost-effective option.
In life, it is always frustrating not to be able to access key files. Clearly, though, some types of information matter more than others. Among the most important categories of digital data is electronic protected health information (ePHI), which is protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). “A Netflix outage is annoying,” noted Gartner Research Vice President Barry Runyon, “but if you can’t access medical records, it could be life-threatening.”
Beyond the concern with patient safety, downtime is also incredibly costly – and those expenses are rising. The average price tag when a data center goes offline was nearly three-quarters of a million ($740,357) in 2016, per the Ponemon Institute, up from a 2010 estimated cost that was just over half a million ($505,502).
The need for data recovery strategies and a HIPAA contingency plan in order to maintain HIPAA compliance is clear from the Administrative Safeguards (see the Security Rule within Title II, the Administrative Simplification provisions).
A disaster recovery (DR) plan will describe the processes that will be followed if an emergency occurs and who the specific individuals are with responsibility for certain tasks. Clearly, having a strong HIPAA compliant communications protocol is important in ensuring the responsibilities are understood and carried out. The document should also discuss how data can be migrated in a manner that is compliant with the HIPAA Privacy and Security Rules.
The plan should also include instructions on how ePHI, and the defensive systems that protect it, will be restored if they do go down. The Department of Health and Human Services (HHS) does not prescribe mandatory steps for establishing this plan or these protections. However, if an organization fails to recover from a disaster in a reasonable manner, it could be charged with a HIPAA violation.
Here is some advice from professionals in the HIPAA compliance field related to the importance of disaster recovery and how to respond when you have a compromise or other emergency:
When you are implementing new technologies, be sure that business continuity can be maintained. Emerson Network Power project manager Brian J. Escott, PE, notes that healthcare facilities often would not be able to stay active for a long power outage. If you do experience a disaster, says Escott, almost all your systems become mission-critical. You can improve the likelihood that your system will respond reliably through monitoring and testing, and you can bolster your contingency plan by thinking in terms of possible scenarios (such as a generator not starting or a breaker malfunctioning). You can use remote monitoring to give you a more proactive stance on upkeep. These systems also allow you to perform testing within non-peak hours.
Setting standards that are more stringent than the collaborative nonprofit guidelines from the National Fire Protection Association (NFPA) and Joint Commission will provide additional confidence that you are prepared for all potentialities. Additionally, notes Escott, it is important to consider that the use of cloud providers to run programs and store data is effectively an incorporation of their business continuity plans. Make sure your DR provider has high-availability infrastructure.
Clearly disaster recovery is an important priority for healthcare. Beyond the steps described in the above advice, you can also potentially benefit from cloud-based disaster recovery. Using the cloud for DR is increasingly popular because of its simplicity and lack of capital expenditure. The on-demand, pay-per-use structure of HIPAA cloud servers creates a substantially more affordable option for storing images, lab results, and other records than having your own data center.
Whether you choose cloud or not to prepare for disasters, prioritize DR so that you can maintain your compliance – to protect both ePHI and the organization’s own reputation and finances.
This article was written for OnPage by Adnan Raja, Vice President of Marketing for Atlantic.net