HIPAA Compliance – Disaster Recovery Planning

Many of our pharma customers deal in the US, and as such are subject to HIPAA, the US federal security standard that protects the availability, confidentiality and integrity of PHI. One topic I frequently get asked about is the HIPAA Security rule. In a previous blog, I talked about cyber security compliance in relation to HIPAA, so today I thought it would be useful to share some information on HIPAA compliance in relation to disaster recovery planning.

In addition to technical and physical safeguards for your PHI, the administrative safeguards of the HIPAA Security Rule require a contingency plan to:

“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”

The Contingency Plan standard includes five implementation specifications:

1. Data Backup Plan
2. Disaster Recovery Plan
3. Emergency Mode Operation Plan
4. Testing and Revision Procedures
5. Applications and Data Criticality Analysis

So how does this translate into practicalities?

Well some of the things I would recommend considering would be:-

1. Implementing a multi-layered backup strategy.

It is not enough to rely on a single backup solution these days, as recovery from different types of disasters may require a different backup strategy. For example, real-time replication of data to a backup server is a very useful way of providing almost instantaneous recovery from a hardware failure of the live server. However, if we take a disaster like a ransomware attack (where your files are encrypted) or a software corruption, then the problem with real-time replication is that the corruption or malware is immediately replicated to the backup server too, rendering it useless.  In these types of cases, an offline backup or periodic “snapshot” of your systems and data is much more effective as it allows you to restore your data and systems to a point in time before the incident occurred.

2. Considering your Required RTO and RPO

The RTO, or Recovery Time Objective, is the amount of time your business could cope without access to some or all of your data and systems. This is likely to vary depending on the nature of the data/system – for example, patient health records or email may require an RTO of only a few minutes, whilst an archived projects folder may have an RTO of several days.

The RPO, or Recovery Point Objective, is the amount of data loss that your business could survive. This will dictate the frequency of your backups. For example, if you only backup overnight, then in a disaster that necessitated restoring the previous night’s backup you could lose up to a full day’s data updates and emails. Is that acceptable to your business? How would you know what data has been lost and how would you re-create it? What about emails?

3. Carrying out Regular Testing

Testing is paramount to expose any flaws or omissions in the disaster recovery plan. Our use of technology is moving on at speed the whole time, and there is no guarantee that a D/R plan that was created a year ago will work today. Equally, the RPO and RTO which were deemed acceptable by the business a year ago, may be anything but acceptable now. Increasing pressure on the whole supply chain may also mean that your D/R plans need much more frequent review, testing and updating in order to be in-line with your customers’ expectations.

4. Running a Business Continuity and Disaster Recovery Assessment

It is a good idea to get an independent disaster recovery audit of your business network, including all servers and workstations, which will provide a benchmark of your current D/R position and a customized, data-driven list of recommendations for improving the backup and disaster recovery of the network.

I hope this article has given you some useful insight into the type of issues to be considering around disaster recovery planning for HIPAA compliance. If you have any questions, or you would like information on Epoq IT’s range of data backup, disaster recovery and independent D/R assessment services for pharmaceutical companies, then please do not hesitate to contact me on 01494 444065 or email gary.swanwick@epoq-it.co.uk when I will be happy to arrange a no obligation conference call.

Epoq IT work with small and medium size pharmaceutical businesses, providing consultancy, methodologies and technologies that bring clarity and give control over IT back to the business – putting the business in the driving seat of IT spend, compliance and security. For more information on our services please visit our website http://epoq-it.co.uk/pharmaceuticals.