This page contains a Flash digital edition of a book.
“ ...with natural disasters and security breaches occurring more frequently, the need for a practicable DRP [disaster recovery plan] is more essential than ever.”


25


storage systems such as virtual tape libraries, other storage, or dedicated backup appliances. Data backups are taken periodically, usually duplicated, stored both on- and off-site, and preserve multiple versions of data.


• Meanwhile, data replication or mirroring is used to copy data to another site, which can be a host, network, or storage system facility. Mirroring can be scheduled, asynchronous or synchronous. Scheduled data replication can be done every week, every shift or more often. For asynchronous mirroring, data is copied some time after it is modified. In contrast, with synchronous mirroring, copies are made while data is being modified.


Any successful disaster recovery will necessarily depend


on the use of an alternate or secondary site. There are three types of disaster recovery sites available:


• A cold site supplies only power, cooling and networking. Servers, switches, and storage must be sent to the location.


• A warm site adds to the cold site sufficient servers, switches, and storage hardware to support ePHI operations in the event of a disaster.


• A hot site provides warm site hardware plus continuous data mirroring of ePHI data to speed up disaster recovery.


Keep the following in mind when choosing a disaster recovery site:


• Using a cold site will require special contracts with system vendors to drop ship any and all necessary hardware to the site.


• For both cold and warm sites, backup data must be transported to the disaster site.


• For all site types, servers, networking and software systems will need to be reconfigured onsite to support emergency operations.


Discover the 5 Parts of a DR Plan In any case, having a backup of ePHI and an alternate


site arrangement is required—but not sufficient— to support disaster operations. For that to occur, one also needs a disaster recovery and emergency mode operations plan. Although HIPAA disaster recovery requirements place these into two separate policies, many health IT shops cover both mandates with a single, all encompassing disaster recovery plan (DRP).


Any DRP should include the following five components:


1. Disaster declaration: The DRP should document the disaster recovery decision process and team participants. Moving operations to an alternate site is always a costly endeavor. Occasionally, temporary or transient issues, such as a power fluctuation, can


impact data center operations for a limited time. It’s the purpose of the disaster declaration process and team, which generally consist of operations and other senior IT management personnel, to determine if disaster recovery is truly warranted. 2. Disaster list: The DRP should focus on a


select set of high-probability and high-impact events such as natural disasters or other catastrophes. Cataloguing these within the DRP can help IT personnel justify investment in costly backup systems, alternate site(s) and application recovery. 3. Data backup: Any disaster will necessarily depend on backups or mirrors of current data and applications. As such, backup systems should be well described in the DRP. This information should include the frequency, type, and locations of any data and system backups and/or replication done to off-site location(s). Moreover, how data backups are to be shipped to the alternate site—with procedures, contact lists, and transport duration—should be supplied. Equally important, off-site repositories should be far enough away to insure backup availability in the face of a disaster impacting the primary site. Similar locality constraints apply to alternate site locations. 4. Alternate site: The DRP should delineate


the secondary site capabilities, activation procedures and contact lists. One should also provide instructions as to how technical personnel will access and/or travel to the alternate site. 5. ePHI recovery: The DRP should identify


all ePHI systems and data requirements. Furthermore, the process for restoring ePHI application operations should be fully recorded. Moreover, an application recovery priority list should be produced to determine restoration sequence. Personnel familiar with an application and its operation can often facilitate emergency operations, so names and contact lists for these individuals should be supplied.


Remember to Test and Modify We have identified most of the critical components


of any DRP needed to respond to HIPAA disaster recovery requirements. Although not discussed above, addressable policies could be dealt with inside or outside the DRP. Nonetheless, as ePHI applications can be added, deleted or modified, periodic plan tests and resultant corrections are vital to the continuing success of any disaster recovery. Furthermore, with natural disasters and security breaches occurring more frequently, the need for a practicable DRP is more essential than ever. In fact, having a viable DRP is something all covered entities should have in place for their own business survival, regardless of HIPAA disaster recovery requirements.


CONNECTION


VOLUME 2 • ISSUE 1


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36