In the midst of tropical storm season, we want to remind you of the importance of a Disaster Recovery Plan. The most recent storm, Hermine, has caused floods and flash flooding in many areas of the Southeastern US. Natural disasters like this are exactly why we need Disaster Recovery Plans to protect not only PHI, but all your business data. A Disaster Recovery Plan describes how an organization plans to handle potential disasters, whether caused by natural events or human error. HIPAA requires your agency to have a fully developed and tested Disaster Recovery Plan.
For example, consider recent events during the NFL preseason. On August 25th, Dallas Cowboys quarterback Tony Romo suffered an L1 compression fracture in his back, but the team had drafted a talented quarterback, Dak Prescott, in the 4th round to be ready to lead at any time in case of a disaster.¹ Teddy Bridgewater, quarterback of the Minnesota Vikings, suffered a torn ACL during a non-contact practice drill on August 31st.² The Vikings had to hurry to find a replacement, taking a reactive approach rather than a proactive one. When it comes to your Disaster Recovery Plan, there must be more than one person trained to keep your (business) systems running, whether your servers go down, a natural disaster strikes, or you are simply running a drill. Your business should construct its plan to include more than one person able to quarterback your team to victory during a crisis. So be more like the Dallas Cowboys, prepared to face adversity, rather than the Minnesota Vikings, left scrambling for a fix.
To be proactive, follow these 9 Steps for Creating a Disaster Recovery Plan:
- Designate your primary crisis managers
- List employees and their emergency contact information
- Identify major clients’ contact information
- Keep a record of vital financial relationships
- Inventory your devices
- Design an evacuation plan based on disaster type
- Determine who is in charge of restoring the network
- Create a potential purchase list
- Estimate disaster recovery times
Testing and Feedback
It is not enough to simply have a plan in place; your plan should also be tested, because testing ensures that everyone involved understands the process in depth. Testing can also help you determine which parts of your plan work well and which parts can be improved. After testing your plan, your team should evaluate and document the effectiveness of your plan and your workforce. For more information about different types of tests you can run and what to do after a test, visit our previous blog about Disaster Recovery Plans here.
Backup and Recovery
The most important parts of a Disaster Recovery Plan are the backup and recovery of the data itself. All the planning and testing in the world would be useless if there is no data to recover. Likewise, there is no purpose in planning if no one knows how to recover the data from the server or PC.
Ensuring the confidentiality, integrity, and availability of all PHI you create, receive, maintain or transmit is required under HIPAA.³ We recommend your organization back up all data on a daily basis to prevent loss in case of accidental deletion, natural disaster, system failure, or corruption.
There are two common ways electronic data is stored. Which one you use will determine your backup method.
- Cloud Computing: Cloud storage providers allow copies of data to be stored and maintained remotely as a security measure.⁴ Your data is stored in another location and accessed from your device through the internet. This especially comes in handy in the event of a disaster. To ensure all areas of the Disaster Recovery Plan are covered by your cloud storage vendor, a Business Associate Agreement is required to be signed by each party.
- Internal Server: If your organization stores data locally on a server(s), there are some precautions to consider. Backing up the server(s) is essential, but what if it’s infected by malware? We recommend you have secondary drives with your data stored at an off-site location (e.g. safety deposit box, safe).
(Here is an interactive infographic from Lenovo about decisions regarding internal servers. Check it out to see the importance of a reliable internal server in the event of a disaster.)
As mentioned previously, multiple people should be trained on how to perform a recovery. Additionally, be sure the people doing the recovery are involved in creating the Disaster Recovery Plan. Employees usually find it challenging to write documentation that is clear enough for another person to use. So if those doing the recovery are involved in creating the document, they should not find the procedures hard to follow. Disaster Recovery Plans should not be a one-shot deal; they need to be continually updated to reflect changes within the organization and technology. The Plan should also be broken down by each hypothetical situation, because an electrical surge will necessitate a different strategy compared to flooding in the building.
Failing to prepare a Disaster Recovery Plan can result in damage to your business's reputation, potential penalties and fines by government entities, and greater risk to your clients’ confidential information.