DRP/BCP Compliance
Michael Whitcomb, CEO, Loricca, Inc. Michael has 25 years experience building and supporting secure systems and protecting patient, customer, and company information for organizations of all sizes. Loricca was founded in 2004 with practices in Healthcare, Financial Services, Insurance, Energy, Communications, Government, and Commercial enterprises.
Brian Annulis, JD; Ryan Meade, JD
Compliance Round-Up Webinars: 2nd Tuesday of each month
BCP/DRP Compliance Webinar. HIPAA Security Rule: DRP is an obligation of both Covered Entities and Business Associate organizations. OCR expects a DRP to specifically address recovery of ePHI. Questions to:
Agenda
- Defining DRP/BCP
- Justifying DRP/BCP
- How to DRP/BCP
- Recovery Strategies
- Building Cost Support
What is DRP/BCP?
- Disaster Recovery Planning: creating a process to recover and protect a business's IT infrastructure in the event of a disaster.
- Business Continuity Planning: creating a plan to continue operations if a location (e.g., an office, work site or data center) becomes unusable.
DRP/BCP PCI Compliance
PCI DSS (V3) thru: Create the incident response plan to be implemented in the event of a system breach. Ensure the plan addresses the following at a minimum:
- Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands at a minimum
- Specific incident response procedures
- Business recovery and continuity procedures
- Data backup processes
- Analysis of legal requirements for reporting compromises
- Coverage and responses of all critical system components
- Reference or inclusion of incident response procedures from the payment brands
DRP/BCP PCI Compliance
HIPAA/HITECH 45 CFR (a)(7) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
- Data Backup Plan (Required)
- Disaster Recovery Plan (Required)
- Emergency Mode Operation Plan (Required)
- Testing and revision procedures (Addressable)
- Applications and data criticality analysis (Addressable)
DRP/BCP Justification
It goes beyond compliance:
- Compliance standards require DRP/BCP because it's "Best Practice"
- Large scale events increase the risk of data loss and/or breach
- Unplanned responses damage the business and customers
- Building a useful plan is complicated and requires input from the business and IT
- Not "if" it will happen but when
- Financial customer: "if you can't afford DR then you can't afford the system"
DRP/BCP Justification Examples
- Joplin MO: St. John's Mercy Hospital destroyed by tornado
- Code Spaces: growing company to out of business in 12 hours
- Hospital: water main break next to datacenter
- Bank Datacenter: network outage
Thirty one percent (31%) of HIPAA data breaches cost more than one million dollars (each). (Ponemon Institute's HIPAA Data Breach Economic Impact Study 2012)
DRP/BCP Justification
A disaster event could affect multiple functional areas.
Financial impacts may include costs from:
- Investigations
- Overtime Pay
- Remediation
- Penalties/Fines
- Notifications
- Capital Costs
- Lost Revenue
Operational Impacts:
- Loss of Facilities
- Loss of Personnel
- Loss of Equipment
Intangible Impacts:
- Harm to Reputation
- Loss of Future Business
- Decreased Employee Morale
How to DRP/BCP
- Simple inventory of systems (hardware and software)
- Data Criticality Analysis
  - Where is my data?
  - What kind of data is it (PCI, ePHI, PII, Financial)?
  - eDiscovery
- Business Impact Analysis
  - What is the impact to the business?
  - Who uses the system?
  - What is the cost of NOT having the system?
- Disaster recovery plans
- Business continuity plans
How to DRP/BCP: Data Criticality Analysis
System Name | Location | Contains ePHI | Recovery Priority | RTO | RPO | Data Owner
3M Medical Coding/Transcription | Data Center | Yes | 2 | 48 | NA | M. Smith
ADP Time Card/Time Tracking | Data Center | No | 1 | 8 | 24 | T. Jones
Calendar Creator Scheduling | Local | No | 3 | 8 | NA | K. Smith
Camera Wound Care Pictures | Local | Yes | 2 | 8 | NA | K. Jones
Cactus Physician Information | Local | No | 2 | 24 | | L. Ortiz
Citrix Remote Access | Data Center | No | 3 | 24 | NA | M.E. Yellow
How to DRP/BCP: Data Criticality Analysis
Priority | Process | Business Unit
1 | In-house, Patient facing/clinical systems, Meditech | Emergency, ICU, Lab, Maternity/OB, Nutrition, Radiology, Surgery, IV Therapy. Supporting IS systems, Ctr. f/Family Health
2 | In-house: Employee/Pt safety, Communications, IS systems | Facilities/Material Management, Security, HR, Critical/Clinical Care Dept. heads
3 | External Patient facing/clinical | Home Health, PT, Medical Records, Registration
4 | Critical Business Operations (Payroll, Insurance verification, Compliance, Risk Management) | Business Office, Finance, Environmental Services, Compliance, Risk Management, Quality
5 | All Other Operations |
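As an added example (not part of the presentation), a small Python check over a criticality table like the one above: it derives the restore order for the DR run-book from priority and RTO, and flags the gaps a reviewer would raise before sign-off. The backup intervals and the SystemRecord structure are assumptions; the slides give neither.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SystemRecord:
    name: str
    location: str
    contains_ephi: bool
    priority: int              # 1 = restore first
    rto_hours: int             # recovery time objective
    rpo_hours: Optional[int]   # recovery point objective; None = not yet defined
    owner: str
    backup_interval_hours: Optional[int]  # assumed figure from the data backup plan

# Constructed rows mirroring the slide's table; backup intervals are assumed values
INVENTORY = [
    SystemRecord("3M Medical Coding/Transcription", "Data Center", True, 2, 48, None, "M. Smith", 24),
    SystemRecord("ADP Time Card/Time Tracking", "Data Center", False, 1, 8, 24, "T. Jones", 48),
    SystemRecord("Calendar Creator Scheduling", "Local", False, 3, 8, None, "K. Smith", None),
    SystemRecord("Camera Wound Care Pictures", "Local", True, 2, 8, None, "K. Jones", 168),
    SystemRecord("Cactus Physician Information", "Local", False, 2, 24, None, "L. Ortiz", 24),
    SystemRecord("Citrix Remote Access", "Data Center", False, 3, 24, None, "M.E. Yellow", None),
]

def recovery_order(records: List[SystemRecord]) -> List[str]:
    """Restore sequence for the run-book: lowest priority number first, then shortest RTO."""
    return [r.name for r in sorted(records, key=lambda r: (r.priority, r.rto_hours))]

def plan_gaps(records: List[SystemRecord]) -> List[str]:
    """Findings that would keep the plan from meeting the HIPAA backup/DR requirements."""
    gaps = []
    for r in records:
        if r.contains_ephi and r.rpo_hours is None:
            gaps.append(f"{r.name}: ePHI system has no RPO, so acceptable data loss is undefined")
        if r.backup_interval_hours is None:
            gaps.append(f"{r.name}: no backup schedule recorded in the data backup plan")
        elif r.rpo_hours is not None and r.backup_interval_hours > r.rpo_hours:
            gaps.append(f"{r.name}: backup every {r.backup_interval_hours}h cannot meet RPO of {r.rpo_hours}h")
        if r.contains_ephi and r.location == "Local":
            gaps.append(f"{r.name}: ePHI held on local equipment; confirm it is covered by backups")
    return gaps

if __name__ == "__main__":
    print("Restore order:", recovery_order(INVENTORY))
    for finding in plan_gaps(INVENTORY):
        print("GAP:", finding)
```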
How to DRP/BCP: Components of a good plan
- A process of identifying, qualifying and defining risks
- Roles and responsibility for the response team
- Links to detailed system technical procedures and configuration
- Designation of backup sites and locations
- Notification plan which includes contact information for all people involved in DR procedures and emergency authorities
- Vendor list
- Insurance and contractual agreements
- Communication plan (includes PR)
- Testing and revision
A good plan is a living document.
Decision Points
- Confirm downtime impact/criticality
- Balance downtime with cost
- Determine willingness to rely on Internet/cloud
- Financial impact vs cost
- Impact to Patient Care (Customer Impact)
- Employee Impact
- Potential for Data Breach
- Change to Methods Used for Management of MIS
- Balance Technical Solution with Business Requirements
Recovery Strategies
Decision Point | Strength | Weakness
Cloud Hosted Servers (aka Amazon) | Lower Cost, Flexible | Control of Data, Requires Internet, Technically Complex
Outsource to DR Vendor (eVault, Sungard) | Reduced Complexity, Stability | Control of Data, Cost, Requires Contracts, Requires Internet
Build Internally | Flexible, Less Reliant on Internet, Scalable | High Cost, Significant Technical Support, Less geographic protection
Team with Another Hospital | Flexible, Moderate Cost, Reduced Infrastructure | Requires Internet, Significant Technical Support
Building Cost Support
- "It's required for compliance" doesn't usually work
- Additional cost justification is usually necessary
- Is DR an IT cost or a Business cost?
- Who uses the application?
- What does it cost the business to not have the application?
- The BIA will quantify business cost
- Cost of downtime vs DRP/BCP cost
- Engage business users through the BIA process to gain their support