Archive for March 12th, 2008

How to attain and maintain a compliant medical practice

Patricia A. Trites

Contingency Planning

In light of the many recent natural and unnatural disasters experienced in the United States, a sound emergency action plan is both reasonable and appropriate. The Security Rule states that each medical practice must “establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” The rule expands this further with implementation specifications for a Data Backup Plan, a Disaster Recovery Plan, and an Emergency Operation Mode Plan. All of these elements are important to any medical practice that maintains an electronic system, and all can be reasonably accomplished. Most medical practices understand that creating and maintaining backup copies of their computer systems is not only important but imperative to maintaining daily operations. Unfortunately, these backup tapes or discs can be left sitting on top of the computer or server and then re-used without checking that the backup on them is valid. Other medical practices perform the backup procedures only once a week, if they remember, and then place the backups in an off-site location that is unsecured.

What happens when the medical practice has some form of system failure and must use the backup to restore the system? Has this ever been attempted? Many who have had to restore from their backup media have found that it doesn’t work as advertised! That is why having a tested disaster recovery plan in place will help. Each medical practice should research alternative backup methods as well as ways of protecting the backup media.

There are many ways to prepare for disaster, and each medical practice will have to assess its own risks, but developing appropriate policies and procedures and having them in place is the first step. The Security Rule calls this an Applications and Data Criticality Analysis. The more critical the data, the more important it is to implement robust policies and procedures. For example, a medical practice that has converted to a paperless office, with medical records, lab, billing, etc. all on the computer system, is more at risk than a medical practice that has only practice management billing records on its computer system. How will a paperless office operate if it loses power? How will it operate if a flood destroys its computer systems? How does the medical practice contact employees when a disaster happens in the middle of the night? Is being in the middle of a disaster the time to find out that the medical practice doesn’t have its employees’ contact information and that half of the staff have unlisted phone numbers? These are the types of questions each medical practice must ask about its organization; it then must come up with reasonable solutions to the potential disasters. These answers will make up the medical practice’s Emergency Operation Mode Plan.

One of the most important steps in developing a disaster recovery plan, backup plan, and emergency mode operations plan is testing the plans before they are needed. This is actually an addressable specification in the Security Rule, but isn’t it reasonable to test the systems the medical practice has put into place? Once the plans are tested, the medical practice can make any modifications necessary to refine them further or correct any issues that occurred. It is just as important to re-test the plans after any modification. If anything changes within the medical practice, such as the setup of a new computer system, the plans should be revised and retested to make sure they work with the new system.
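The restore test the article calls for, as an added example that is not part of the article or its author's material: a POSIX shell drill that backs up a constructed sample directory together with a hash manifest, restores it into a scratch directory and checks every file, then damages the archive and confirms the check catches it. It assumes tar, GNU sha256sum and grep; the directory and file names are made up.

```shell
#!/bin/sh
# Backup restore drill (constructed example). Requires tar, GNU sha256sum, grep.
set -eu

# make_backup SRC ARCHIVE: archive SRC and write a manifest of per-file hashes
# next to it. The manifest is taken from the live data, so it is the reference
# that a restore must reproduce exactly.
make_backup() {
    src="$1"; archive="$2"
    tar -C "$src" -cf "$archive" .
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort ) > "$archive.sha256"
}

# verify_backup ARCHIVE SCRATCH: restore into an empty scratch directory and
# compare every restored file with the manifest. Non-zero means the archive
# could not be unpacked or a file differs, i.e. the backup is not usable.
verify_backup() {
    archive="$1"; scratch="$2"
    rm -rf "$scratch"; mkdir -p "$scratch"
    tar -C "$scratch" -xf "$archive" 2>/dev/null || return 1
    ( cd "$scratch" && sha256sum -c --status ) < "$archive.sha256"
}

# drill: build a small constructed data set, back it up, verify the restore,
# then overwrite part of the archive (a reused, partly overwritten tape) and
# confirm the verification fails. Returns 0 only if both outcomes are correct.
drill() {
    work=$(mktemp -d)
    mkdir -p "$work/data/records"
    printf 'patient 001, visit 2008-03-12\n' > "$work/data/records/001.txt"
    printf 'claim 4711 billed\n' > "$work/data/billing.csv"

    make_backup "$work/data" "$work/backup.tar"
    verify_backup "$work/backup.tar" "$work/restore" || { rm -rf "$work"; return 1; }

    # Damage the file data inside the archive; tar still unpacks it, but the
    # restored content no longer matches the manifest.
    off=$(grep -boa 'claim 4711' "$work/backup.tar" | head -n 1 | cut -d: -f1)
    printf 'CLAIM 0000' | dd of="$work/backup.tar" bs=1 seek="$off" conv=notrunc 2>/dev/null
    if verify_backup "$work/backup.tar" "$work/restore2"; then
        rm -rf "$work"; return 1   # damage went unnoticed: the drill failed
    fi
    rm -rf "$work"
    return 0
}
```

Run the drill from cron after every backup and page someone when it returns non-zero; a backup that has never been restored is only a hope.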

March 12, 2008

Disaster Recovery Planning for IT Sector

Shray Kapoor, published Nov 20, 2007

Information is the key asset of any business, and the software and hardware resources that hold it shape business policy. Every business can suffer natural or man-made disasters, which range from flooding and earthquakes to a malformed SQL query that corrupts the data centre of a business application. It is therefore important not only to protect IT resources but also to recover them in an emergency. Business continuity planning, also termed disaster recovery planning, addresses exactly this: efficiently recovering the information and critical resources on which the business depends for its continuity. A DRP consists of a set of policies and procedures for reacting to and recovering from IT-disabling disasters, based on the severity of the critical resources affected and the probability of an incident occurring. [1]

Planning proceeds in steps, with a feedback loop to assess current strategies. The steps involved are:

1) Assessment

An assessment is an act of measuring and comparing. For the IT sector, assessment means exploring and defining risks. Risk assessment starts with defining resources, such as software, hardware, communication nodes, etc. The assessment is carried out through internal and external audits, performed on a regular cycle by an auditing team. After the initial inventory of resources, they are ranked quantitatively according to their importance and the likelihood of their being compromised. Quantitative analysis focuses on the estimated loss a threat can cause. Any outage that can disrupt the normal functioning of the business qualifies as a threat. Threats to the IT sector are generally man-made, such as a security incident or a viral infection; natural threats (flooding, earthquake) do have a major impact, but their low rate of occurrence ranks them lower quantitatively. Assessing security threats is known as vulnerability testing or penetration testing, which is generally done by third-party vendors and with tools specifically designed to assess vulnerabilities in computer systems. [4]

The deliverables of the Assessment phase are:

- Vulnerability assessment and resource definition document
- Business impact analysis report
- Detailed definition of requirements

2) Establishing policies and procedures

The purpose of this step is to plan policies and procedures that mitigate the risk as far as possible. A policy establishes what is and what is not required in the context of the business goals. A policy should be comprehensive yet compact, because a bulk of information renders it unmanageable. Every policy should be complied with by every department and every user involved in the business. In the IT sector, policies should address:

- Authorization and authentication management
- Acceptable IT resources management
- Data restoration and backup policy
- Account management
- Log review
- Incident response policies

Procedures to implement the policies include building recovery teams from among the IT staff to take care of each issue. Procedures define how to deal with the various aspects of the resources addressed by the policies, who is responsible, and how the recovery process unfolds. For example, a data recovery procedure should define how frequently backups are scheduled, what should be recovered first, and how the plan proceeds in the event of an incident.

3) Budgeting

Once the risks and policies are worked out, the next step is to calculate the cost of implementing the plans so that they fit the business objectives. During budgeting, the overall IT budget is assessed against the cost required to implement a recovery plan. This phase should try to forecast as exactly as possible the overall cost of, and return on investment (ROI) from, implementing the plan. The figure depends on the risk levels of the critical resources and their impact on the overall business. The risk assessment matrix thus serves as a vital input for deciding which assets should be considered for recovery. Both IT and the business units must agree on which data and applications are most critical to the business and need to be recovered most quickly in a disaster. Ultimately it is management who decides which threats are tolerable and to what extent. Cost estimates for the recovery plan are only one part of the budget. Staffing requirements, software subscriptions, hiring third-party consultants, performing vulnerability testing, training costs, etc. are other factors that contribute to the overall budget. The final requirement of an effective budget is that it should be fixed rather than elastic; one should stick to the budget throughout the recovery phase.

4) Initial Plan Implementation and Testing

Having fixed the budget and the respective plans, the next phase is to implement and test those plans. Testing strategies tailored to the environment are set up, and individual policies and plans are tested accordingly [3]. For example, database recovery plans can be tested by a realistic exercise of the backup procedures in a qualified environment with test data. Testing procedures should not interfere with or affect the normal functioning of the systems involved. On the security side, implementing a security plan starts with procedures that reduce risk levels, mitigating high risks first and moving on towards low-risk areas. Penetration testing is done in this phase to test the security plan. Implementation and testing involve educating and training users and administrators so that they become aware of the new policies and meet security standards. Testing results should be recorded so that the DRP can be updated for any shortcomings. After the initial implementation and testing, policies are deployed in the real environment and monitored regularly.

5) Reporting

Reporting is a necessary and important part of any IT program. Reporting mainly addresses management: management needs to be made aware of how information and resources are being managed in the organization and what policies are in effect. Reports should include a project progress report, risk measurements, and ROI documents. The project progress report depicts current progress against schedules, the minor and major issues involved, and expected deadlines. Risk assessment is based on security metrics, which involve measuring vulnerability detection, the number of security incidents, the number of man-made disasters corrupting data resources, blocked attacks, etc. Reporting should address not only security aspects but also malfunctions of nodes operating within the network. Ultimately, the report is the only document by which management can assess the effectiveness of a DRP.

The final objective of a DRP is to respond effectively to disasters. DRP response guidelines should meet the following objectives:

- Limit business loss and human injury
- Recover from and contain the disaster as far as possible
- Make an initial assessment of the damage

References:

[1] Glen Kunene, How to Create a Disaster Recovery Plan. Available at www.devx.com
[2] ISO 17799, Sarbanes-Oxley, & HIPAA Compliant: Disaster Recovery Plan Template
[3] Computer Security Administration, University of Toronto: Disaster Recovery Planning
[4] Eric Maiwald and William Sieglein, Security Planning & Disaster Recovery
[5] The Security Risks Analysis Directory: An Introduction to Risk Assessment

March 12, 2008

You Never Know when a Disaster May Occur but You Can Know What to Do If One Does Occur

Alan Cohen, published Sep 26, 2005

Hurricane Katrina taught us a lesson. Disaster recovery is important! Hopefully we will never again have to experience the devastation that this natural event wreaked upon us. However, that event got many businesses thinking – “How safe is my data?” This article provides some basic steps that will help you recover your business’s data in case of a disaster.

How much data are you willing to lose? It may sound like a dumb question but it will help you determine your disaster recovery strategy. For example, many financial institutions use a technique called data mirroring or data shadowing. Every time a transaction is written, that same transaction is written to another disk at another location. For example, if your business is in New York City, a copy of your data is written or mirrored to a site in Philadelphia or wherever your backup site is located. If your business suffers physical damage, you have up-to-date data at another location. In theory, only the transaction being processed at the time of the disaster is lost.

This process is costly; you need to either purchase or rent extra computer equipment. You also need to enter into a contract with a company that provides data storage. Obviously this may not be cost-effective for your company. So, how much data are you willing to lose?

How often does your business back up its data? Every hour? Twice a day? Once a day? Once a week? Your backup schedule answers the previous question. If you back up twice a day, you are willing to lose half a day’s worth of data. If you only back up weekly, you are willing to lose a week’s worth of data.

Backing up is extremely important. However, if your office is damaged, what about your backup media?

Store your data at an off-site facility. There are many companies that provide archiving and storage services. Be smart. Choose a facility at least 50 miles or so from your office. If there is a flood in your community, you don’t want your storage facility in the same town or city.

A main concern is resolved; you have your data. However, depending on the disaster, your office may be gone. Data is no good unless you have the technology available to put that data to work.

How long can you afford to be out of business? One day? One week? One month? Not at all? The answer to this question determines the type of off-site facility, if any, that you have.

There are three types of off-site facilities. They are: hot, warm, and cold. Many financial institutions, health care companies, and other critical companies use a hot site.

A hot site is a complete off-site replica of your data center. It includes all of the computer equipment, networking equipment, and any other technologies that are part of your data center. You are quite close to being up and running. This site is also the home of your off-site data storage. The data is ready to go. In some scenarios, there are desks, phones, and other office equipment ready to use.

A hot site is expensive. In addition to the cost of renting or purchasing the technology, you are also incurring a monthly rent. This type of site is like insurance; you pay monthly and hope that you never have to use it.

A warm site has the technology but is not as up-to-date or ready to use. You may have to supply some additional equipment to make this a replica of your office. You may also have to install programs and data because your off-site storage may not be part of this site. This type of site is less expensive, but it requires more time and work to have it run your business.

A cold site is a bare-bones facility. You will need to bring in equipment, restore your data, and so on. It is the least expensive of the three solutions, but it incurs the most downtime.

Certainly there are other solutions. If you are a small business, you may be able to quickly purchase some computers, restore your data and temporarily rent space until you can rebuild or relocate. The key is to have a plan. Don’t wait until the disaster strikes!

A good plan is documented. This fact is often overlooked. Don’t let your employees convince you that the information is in their head; they will know what to do. They may not be working for you anymore, or God forbid, depending on the type of disaster, they, the company, and you may not be alive.

Your plan includes all the instructions necessary to rebuild your business. It includes: how to hook up your equipment, instructions for installing software and restoring data, how to rebuild your email system, how to rebuild your phone PBX system, and so on. It includes contact information, who declares a disaster, and it may even include phone scripts that employees use to reassure your clients that your business is still feasible.

Include walk-throughs to ensure that your instructions are correct. Ensure that people read the document, or at least the sections that pertain to their responsibilities.

A disaster recovery plan is the best written document that you pray will never have to be used. Be prepared. You never know when a disaster may occur, but you can know what to do if one does.

March 12, 2008
