The Importance of Disaster Recovery for HIPAA Compliance

Why DR for HIPAA Compliance Cannot be an Afterthought

In March 2016, a cyberattack was launched on MedStar Health, a healthcare chain in the DC area. The Federal Bureau of Investigations (FBI) actually investigated the incident.

With the IT system inaccessible, MedStar Health simply decided to temporarily halt any admissions of patients to 250 outpatient clinics and 10 hospitals. Without being able to get into healthcare notes, images, and lab records to treat people, the healthcare system decided that it was incapable of responsibly proceeding. Needless to say, MedStar did not have any disaster recover (DR) in place 

Disaster recovery matters to healthcare for various key reasons, in part because it is a central component of a high-availability HIPAA compliant ecosystem. Advice from across the industry is strongly in favor of setting up a DR plan because cloud systems provide a reliable and cost-effective option.

Why disaster recovery matters to healthcare

In life, it is always frustrating to not to be able to access key files. However, clearly, there is a scale of gravity related to types of information. One of the absolutely important pieces of digital data is electronic protected health information (ePHI) protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). “A Netflix outage is annoying,” noted Gartner Research Vice President Barry Runyon, “but if you can’t access medical records, it could be life-threatening.”

Beyond the concern with patient safety, downtime is also incredibly costly – and those expenses are rising. The average price tag when a data center goes offline was nearly three-quarters of a million ($740,357) in 2016, per the Ponemon Institute, up from a 2010 estimated cost that was just over half a million ($505,502).

Why disaster recovery is key to HIPAA compliance

The needs for data recovery strategies and a HIPAA contingency plan in order to maintain HIPAA compliance are clear from the Administrative Safeguards (see the Security Rule within Title II, the Administrative Simplification provisions).

A disaster recovery (DR) plan will describe the processes that will be followed if an emergency occurs and who the specific individuals are with responsibility for certain tasks. Clearly, having a strong HIPAA compliant communications protocol is important in ensuring the responsibilities are understood and carried out. The document should also discuss how data can be migrated in a manner that is compliant with the HIPAA Privacy and Security Rules.

The plan should also include instructions on how ePHI and the defense systems that protect it will be put back into place if they do go down. The HHS Department does not state mandatory steps that must be taken to establish this plan or these protections. However, if you do not recover from a disaster reasonably, the organization could be charged with a HIPAA violation.

Management advice related to HIPAA compliance and disaster recovery

Here is some advice from professionals in the HIPAA compliance field related to the importance of disaster recovery and how to respond when you have a compromise or other emergency:

• Avoidance of data loss is critical to healthcare. Concern with disaster recovery in part has to do with getting systems back up and running, but it also has to do with avoiding data loss in the process. A survey from CDW, the Data Loss Straw Poll, collected the perspectives of 151 executives in the healthcare IT field. One-quarter of those surveyed (26%) said that they had suffered data loss at least once in the previous 24 months. That is probably the reason that more respondents listed data loss as their biggest current concern related to data protection. Additional security challenges that were listed by those polled were mobile, viruses, worms, and breaches in general. Electronic health records (EHR) and other sensitive personal data of patients or employees were the focus in attacks on nearly two-thirds of healthcare organizations surveyed (63%).
• Have simple plans for breaches. Preparation for a breach or other disaster can be stressful but should be straightforward. The focus on security should be system-wide, not just centered within IT. Paul Luehr, Stroz Friedberg’s Chief Privacy Officer, notes that security is often as much about your people as it is about machines – so pay attention to governance and training. Safeguarding data for a natural disaster can be achieved based on the general protections you have for DR. Forensics specialists can often recover data from drives that have either been maliciously damaged or harmed in a natural event, assuming that the drive still spins. If not, it can be manually recovered in a “clean room.” The key thing really is the planning, since the initial 72 hours after a data breach will be key to the final results.
• Focus on preservation. Make sure that the premises are fully protected, and write down anything that is not present. Wait for the assistance of a digital forensics specialist before you check any of the hardware. Note that if business or IT personnel enter any of the devices, they could write over key data points and dates that will help to reveal the nature of an attack and time that it occurred. You do not just need the hard drives and servers but complete backups and log files so that you have comprehensive information when the breach is analyzed.
• Figure out what data has been exposed. Assess what data is affected. Talk with those responsible for it. Partner with forensics consultants, legal, HR, and IT. Look at your emergent risk. Has data been destroyed? Then go with the backup you just collected in the first step.
• Record everything as you go, and communicate. Write everything down as you proceed. You want to make sure that talks you have with key players and law enforcement are documented. You want to keep your data recovery specialists, clients, patients, affiliates, staff, federal agencies, and C-suite aware of what is happening along the way. These updates should be transparent and regular. Be careful about properly setting expectations: investigating the incident could take a month or more.

Look into backup power plans

When you are implementing new technologies, be sure that business continuity can be maintained. Emerson Network Power project manager Brian J. Escott, PE, notes that healthcare facilities often would not be able to stay active for a long power outage. If you do experience a disaster, says Escott, almost all your systems become mission-critical. You can improve the likelihood that your system will respond reliably through monitoring and testing, and you can bolster your contingency plan by thinking in terms of possible scenarios (such as a generator not starting or a breaker malfunctioning). You can use remote monitoring to give you a more proactive stance on upkeep. These systems also allow you to perform testing within non-peak hours.

Setting standards that are more stringent than the collaborative nonprofit guidelines from the National Fire Protection Association (NFPA) and Joint Commission will provide additional confidence that you are prepared for all potentialities. Additionally, notes Escott, it is important to consider that the use of cloud providers to run programs and store data is effectively an incorporation of their business continuity plans. Make sure your DR provider has high-availability infrastructure.

Cloud for healthcare disaster recovery

Clearly disaster recovery is an important priority for healthcare. Beyond the steps described in the above advice, you can also potentially benefit from cloud-based disaster recovery. Using the cloud for DR is increasingly popular because of its simplicity and lack of capital expenditure. The on-demand, pay-per-use structure of HIPAA cloud servers creates a substantially more affordable option for storing images, lab results, and other records than having your own data center.

Whether you choose cloud or not to prepare for disasters, prioritize DR so that you can maintain your compliance – to protect both ePHI and the organization’s own reputation and finances.

This article was written for OnPage by Adnan Raja, Vice President of Marketing for Atlantic.net