DRP/BCP Compliance - Michael Whitcomb (presentation transcript)


2 DRP/BCP Compliance

3 Michael Whitcomb, CEO, Loricca, Inc.
- Michael has 25 years experience building and supporting secure systems and protecting patient, customer, and company information for organizations of all sizes.
- Loricca was founded in 2004 with practices in Healthcare, Financial Services, Insurance, Energy, Communications, Government, and Commercial enterprises.

4 Brian Annulis, JD Ryan Meade, JD

5 Compliance Round-Up Webinars - 2nd Tuesday of each month

6 BCP/DRP Compliance Webinar
- HIPAA Security Rule: DCP is an obligation of both Covered Entities and Business Associate organizations.
- OCR expects a DRP to specifically address recovery of ePHI.
Email Questions to:

7 Agenda
- Defining DRP/BCP
- Justifying DRP/BCP
- How to DRP/BCP
- Recovery Strategies
- Building Cost Support

8 What is DRP/BCP?
- Disaster Recovery Planning – creating a process to recover and protect a business IT infrastructure in the event of a disaster.
- Business Continuity Planning – creating a plan to continue operations if a location (e.g., an office, work site or data center) becomes unusable.

9 DRP/BCP PCI Compliance - PCI DSS (V3) 12.10.1 thru 12.10.6
- Create the incident response plan to be implemented in the event of a system breach. Ensure the plan addresses the following at a minimum:
  - Roles, responsibilities and communication and contact strategies in the event of a compromise, including notification of the payment brands at a minimum.
  - Specific incident response procedures
  - Business recovery and continuity procedures
  - Data backup processes
  - Analysis of legal requirements for reporting compromises
  - Coverage and responses of all critical system components
  - Reference or inclusion of incident response procedures from the payment brands.

10 DRP/BCP PCI Compliance - HIPAA/HITECH
- 45 CFR 164.308(a)(7) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
  - Data Backup Plan (Required)
  - Disaster Recovery Plan (Required)
  - Emergency Mode Operation Plan (Required)
  - Testing and revision procedures (Addressable)
  - Applications and data criticality analysis (Addressable)

11 Justifying DRP/BCP

12 DRP/BCP Justification
- It goes beyond compliance
- Compliance standards require DRP/BCP because it's “Best Practice”
- Large scale events increase risk of data loss and/or breach
- Unplanned responses damage the business and customers
- Building a useful plan is complicated and requires input from the business and IT
- Not “if” it will happen but when
- Financial customer: “if you can’t afford DR then you can’t afford the system”

13 DRP/BCP Justification - Examples
- Joplin MO – St. John’s Mercy Hospital destroyed by tornado
- Code Spaces – Growing company to out of business in 12 hours
- Hospital – Water main break next to datacenter
- Bank Datacenter – Network Outage
Thirty one percent (31%) of HIPAA data breaches cost more than one million dollars (each). – Ponemon Institute’s HIPAA Data Breach Economic Impact Study 2012

14 DRP/BCP Justification
- A disaster event could affect multiple functional areas.
- Financial impacts – May include costs from:
  - Investigations
  - Overtime Pay
  - Remediation
  - Penalties/Fines
  - Notifications
  - Capital Costs
  - Lost Revenue

15 DRP/BCP Justification
- Operational Impacts –
  - Loss of Facilities
  - Loss of Personnel
  - Loss of Equipment
- Intangible Impacts
  - Harm to Reputation
  - Loss of Future Business
  - Decreased Employee Morale

16 How to DRP/BCP

17
- Simple inventory of systems (hardware and software)
- Data Criticality Analysis
  - Where is my data?
  - What kind of data is it (PCI, ePHI, PII, Financial)?
  - eDiscovery
- Business Impact Analysis
  - What is the impact to the business?
  - Who uses the system?
  - What is the cost of NOT having the system?
- Disaster recovery plans
- Business continuity plans

18 How to DRP/BCP - Data Criticality Analysis

| System Name | Location | Contains ePHI | Recovery Priority | RTO | RPO | Data Owner |
|---|---|---|---|---|---|---|
| 3M Medical Coding/Transcription | Data Center | Yes | 2 | 48 | NA | M. Smith |
| ADP Time Card/Time Tracking | Data Center | No | 1 | 8 | 24 | T. Jones |
| Calendar Creator Scheduling | Local | No | 3 | 8 | NA | K. Smith |
| Camera Wound Care Pictures | Local | Yes | 2 | 8 | NA | K. Jones |
| Cactus Physician Information | Local | No | 2 | 24 | | L. Ortiz |
| Citrix Remote Access | Data Center | No | 3 | 24 | NA | M.E. Yellow |

19 How to DRP/BCP - Data Criticality Analysis

| Priority | Process | Business Unit |
|---|---|---|
| 1 | In-house, Patient facing/clinical systems, Meditech | Emergency, ICU, Lab, Maternity/OB, Nutrition, Radiology, Surgery, IV Therapy. Supporting IS systems, Ctr. f/Family Health |
| 2 | In-house – Employee/Pt safety, Communications, IS systems | Facilities/Material Management, Security, HR, Critical/Clinical Care Dept. heads. |
| 3 | External Patient facing/clinical | Home Health, PT, Medical Records, Registration |
| 4 | Critical Business Operations (Payroll, Insurance verification, Compliance, Risk Management) | Business Office, Finance, Environmental Services, Compliance, Risk Management, Quality |
| 5 | All Other Operations | |
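The two criticality tables above only become useful once they drive decisions: the order in which systems are restored, and whether the backup plan the HIPAA Security Rule requires can actually meet each system's recovery point objective. The following is an added example, not code from the presentation or from Loricca; it loads the slide 18 rows into a small register (treating RTO/RPO as hours, which is an assumption, and NA/blank RPO as undefined) and derives a recovery sequence, a list of ePHI systems with no stated RPO, and a list of systems whose actual backup interval (a constructed sample schedule) is longer than their RPO.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed register mirroring the slide's Data Criticality Analysis rows.
# The numbers are the slide's; the unit (hours) is an assumption.
@dataclass(frozen=True)
class SystemRecord:
    name: str
    location: str
    contains_ephi: bool
    priority: int          # Recovery Priority: 1 restores first
    rto: int               # Recovery Time Objective (hours assumed)
    rpo: Optional[int]     # Recovery Point Objective; None where the slide shows NA or blank
    owner: str

REGISTER = [
    SystemRecord("3M Medical Coding/Transcription", "Data Center", True, 2, 48, None, "M. Smith"),
    SystemRecord("ADP Time Card/Time Tracking", "Data Center", False, 1, 8, 24, "T. Jones"),
    SystemRecord("Calendar Creator Scheduling", "Local", False, 3, 8, None, "K. Smith"),
    SystemRecord("Camera Wound Care Pictures", "Local", True, 2, 8, None, "K. Jones"),
    SystemRecord("Cactus Physician Information", "Local", False, 2, 24, None, "L. Ortiz"),
    SystemRecord("Citrix Remote Access", "Data Center", False, 3, 24, None, "M.E. Yellow"),
]

def recovery_order(register):
    """Restore sequence: lowest priority number first, then shortest RTO, then name as tiebreak."""
    return [r.name for r in sorted(register, key=lambda r: (r.priority, r.rto, r.name))]

def ephi_gaps(register):
    """ePHI systems with no RPO: the data backup plan cannot show it meets any restore-point target."""
    return [r.name for r in register if r.contains_ephi and r.rpo is None]

def rpo_violations(register, backup_interval_hours):
    """Systems whose configured backup interval exceeds their RPO (data loss would overshoot the objective).

    backup_interval_hours maps system name -> hours between backups; unscheduled systems are skipped.
    Returns (name, rpo, interval) tuples.
    """
    out = []
    for r in register:
        interval = backup_interval_hours.get(r.name)
        if r.rpo is not None and interval is not None and interval > r.rpo:
            out.append((r.name, r.rpo, interval))
    return out

if __name__ == "__main__":
    # Constructed backup schedule used only to exercise the check.
    sample_schedule = {"ADP Time Card/Time Tracking": 48, "Citrix Remote Access": 24}
    print("Recovery order:", recovery_order(REGISTER))
    print("ePHI systems without an RPO:", ephi_gaps(REGISTER))
    print("Backup interval longer than RPO:", rpo_violations(REGISTER, sample_schedule))
```

The ePHI gap check is the one a reviewer would raise first against the slide's own data: both systems marked as containing ePHI carry "NA" for RPO, so nothing in the register says how much patient data the organization is willing to lose, and the Data Backup Plan requirement on slide 10 cannot be shown to be met for them until an RPO is set.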

20 How to DRP/BCP - Components of a good plan
- A process of identifying, qualifying and defining risks
- Roles and responsibility for the response team
- Links to detailed system technical procedures and configuration
- Designation of backup sites and locations
- Notification plan which includes contact information for all people involved in DR procedures and emergency authorities.
- Vendor list
- Insurance and contractual agreements
- Communication plan (includes PR)
- Testing and revision
- A good plan is a living document

21 Recovery Strategies

22 Decision Points
- Confirm downtime impact/criticality
- Balance downtime with cost
- Determine willingness to rely on Internet/cloud
- Financial impact vs cost
- Impact to Patient Care (Customer Impact)
- Employee Impact
- Potential for Data Breach
- Change to Methods Used for Management of MIS
- Balance Technical Solution with Business Requirements

23 Recovery Strategies

| Decision Point | Strength | Weakness |
|---|---|---|
| Cloud Hosted Servers (aka Amazon) | Lower Cost, Flexible | Control of Data, Requires Internet, Technically Complex |
| Outsource to DR Vendor (eVault, Sungard) | Reduced Complexity, Stability | Control of Data, Cost, Requires Contracts, Requires Internet |
| Build Internally | Flexible, Less Reliant on Internet, Scalable | High Cost, Significant Technical Support, Less geographic protection |
| Team with Another Hospital | Flexible, Moderate Cost, Reduced Infrastructure | Requires Internet, Significant Technical Support |

24 Building Cost Support

25
- “It’s required for compliance” doesn’t usually work
- Additional cost justification is usually necessary
- Is DR an IT cost or a Business cost?
  - Who uses the application?
  - What does it cost the business to not have the application?
- The BIA will quantify business cost
- Cost of downtime vs DRP/BCP cost
- Engage business users through BIA process to gain their support

26 Michael Whitcomb
