DRP/BCP Compliance
Michael Whitcomb, CEO, Loricca, Inc.
Michael has 25 years of experience building and supporting secure systems and protecting patient, customer, and company information for organizations of all sizes. Loricca was founded in 2004 with practices in Healthcare, Financial Services, Insurance, Energy, Communications, Government, and Commercial enterprises.

Brian Annulis, JD; Ryan Meade, JD
Compliance Round-Up Webinars, 2nd Tuesday of each month
[email protected]
www.aegis-compliance.com/compliance-roundup-webinars

BCP/DRP Compliance Webinar
HIPAA Security Rule: a DRP is an obligation of both Covered Entities and Business Associates. OCR expects the DRP to specifically address recovery of ePHI.
Email questions to: [email protected]

Agenda
- Defining DRP/BCP
- Justifying DRP/BCP
- How to DRP/BCP
- Recovery Strategies
- Building Cost Support

What is DRP/BCP?
- Disaster Recovery Planning: creating a process to recover and protect a business's IT infrastructure in the event of a disaster.
- Business Continuity Planning: creating a plan to continue operations if a location (e.g., an office, work site or data center) becomes unusable.

DRP/BCP PCI Compliance
PCI DSS (v3) 12.10.1 through 12.10.6. Requirement 12.10.1: create the incident response plan to be implemented in the event of a system breach. Ensure the plan addresses the following at a minimum:
- Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands at a minimum
- Specific incident response procedures
- Business recovery and continuity procedures
- Data backup processes
- Analysis of legal requirements for reporting compromises
- Coverage and responses of all critical system components
- Reference or inclusion of incident response procedures from the payment brands
(12.10.2 through 12.10.6 add annual testing of the plan, 24/7 availability of response personnel, staff training, alerts from security monitoring systems, and revising the plan with lessons learned.)

DRP/BCP HIPAA Compliance
HIPAA/HITECH, 45 CFR 164.308(a)(7) (Contingency plan). Disaster recovery plan (Required): "Establish (and implement as needed) procedures to restore any loss of data." The implementation specifications under 164.308(a)(7) are:
- Data Backup Plan (Required)
- Disaster Recovery Plan (Required)
- Emergency Mode Operation Plan (Required)
- Testing and Revision Procedures (Addressable)
- Applications and Data Criticality Analysis (Addressable)

Justifying DRP/BCP

DRP/BCP Justification
- It goes beyond compliance: compliance standards require DRP/BCP because it is best practice.
- Large-scale events increase the risk of data loss and/or breach.
- Unplanned responses damage the business and its customers.
- Building a useful plan is complicated and requires input from both the business and IT.
- It is not "if" it will happen but "when."
- From a financial customer: "If you can't afford DR then you can't afford the system."

DRP/BCP Justification: Examples
- Joplin, MO: St. John's Mercy Hospital destroyed by a tornado
- Code Spaces: a growing company went out of business in 12 hours
- Hospital: water main break next to the data center
- Bank data center: network outage
- Thirty-one percent (31%) of HIPAA data breaches cost more than one million dollars each (Ponemon Institute, HIPAA Data Breach Economic Impact Study, 2012)

DRP/BCP Justification: Impacts
A disaster event can affect multiple functional areas.
- Financial impacts may include costs from: investigations, overtime pay, remediation, penalties/fines, notifications, capital costs, lost revenue
- Operational impacts: loss of facilities, loss of personnel, loss of equipment
- Intangible impacts: harm to reputation, loss of future business, decreased employee morale

How to DRP/BCP
- Simple inventory of systems (hardware and software)
- Data Criticality Analysis: Where is my data? What kind of data is it (PCI, ePHI, PII, financial)? eDiscovery
- Business Impact Analysis: What is the impact to the business? Who uses the system? What is the cost of NOT having the system?
- Disaster recovery plans
- Business continuity plans

How to DRP/BCP: Data Criticality Analysis (sample)
RTO and RPO are read here as hours; NA means no objective was stated for that system.

System | Function | Location | Contains ePHI | Recovery Priority | RTO | RPO | Data Owner
-------|----------|----------|---------------|-------------------|-----|-----|-----------
3M | Medical Coding/Transcription | Data Center | Yes | 2 | 48 | NA | M. Smith
ADP | Time Card/Time Tracking | Data Center | No | 1 | 8 | 24 | T. Jones
Calendar Creator | Scheduling | Local | No | 3 | 8 | NA | K. Smith
Camera | Wound Care Pictures | Local | Yes | 2 | 8 | NA | K. Jones
Cactus | Physician Information | Local | No | 2 | 24 | 24 | L. Ortiz
Citrix | Remote Access | Data Center | No | 3 | 24 | NA | M.E. Yellow

How to DRP/BCP: Recovery Priorities

Priority | Process | Business Unit
---------|---------|--------------
1 | In-house, patient-facing/clinical systems, Meditech | Emergency, ICU, Lab, Maternity/OB, Nutrition, Radiology, Surgery, IV Therapy; supporting IS systems; Ctr. f/Family Health
2 | In-house: employee/patient safety, communications, IS systems | Facilities/Material Management, Security, HR, critical/clinical care department heads
3 | External patient-facing/clinical | Home Health, PT, Medical Records, Registration
4 | Critical business operations (payroll, insurance verification, compliance, risk management) | Business Office, Finance, Environmental Services, Compliance, Risk Management, Quality
5 | All other operations |

How to DRP/BCP: Components of a Good Plan
- A process for identifying, qualifying and defining risks
- Roles and responsibilities for the response team
- Links to detailed system technical procedures and configuration
- Designation of backup sites and locations
- Notification plan, including contact information for everyone involved in DR procedures and for emergency authorities
- Vendor list
- Insurance and contractual agreements
- Communication plan (including PR)
- Testing and revision
A good plan is a living document.

Recovery Strategies

Recovery Strategies: Decision Points
- Confirm downtime impact/criticality
- Balance downtime with cost
- Determine willingness to rely on Internet/cloud
- Financial impact vs. cost
- Impact to patient care (customer impact)
- Employee impact
- Potential for data breach
- Change to methods used for management of MIS
- Balance the technical solution with business requirements

Recovery Strategies: Options

Decision Point | Strength | Weakness
---------------|----------|---------
Cloud Hosted Servers (aka Amazon) | Lower cost, flexible | Control of data, requires Internet, technically complex
Outsource to DR Vendor (eVault, Sungard) | Reduced complexity, stability | Control of data, cost, requires contracts, requires Internet
Build Internally | Flexible, less reliant on Internet, scalable | High cost, significant technical support, less geographic protection
Team with Another Hospital | Flexible, moderate cost, reduced infrastructure | Requires Internet, significant technical support

Building Cost Support
- "It's required for compliance" doesn't usually work
- Is DR an IT cost or a business cost?
- Who uses the application? What does it cost the business to not have the application?
- The BIA will quantify business cost; additional cost justification is usually necessary
- Cost of downtime vs. DRP/BCP cost
- Engage business users through the BIA process to gain their support

Michael Whitcomb
www.loricca.com
[email protected]
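Added example (not part of the webinar slides or of Loricca's material): a short Python script that puts the Data Criticality Analysis table above to work. It encodes the six sample rows, derives the restore sequence from recovery priority and RTO, lists the systems that must be back within a given window, flags ePHI systems that carry no RPO (164.308(a)(7) requires procedures to restore any loss of data, so a blank tolerance is a gap to resolve), and checks a backup log against each system's RPO. It assumes RTO and RPO are hours; the backup timestamps and all function names are constructed for the example.

```python
"""Checks a DR plan owner can run against the Data Criticality Analysis table.
Added example: not the webinar's code. RTO/RPO are assumed to be in hours."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SystemRecord:
    system: str
    function: str
    location: str
    contains_ephi: bool
    priority: int             # recovery priority, 1 = restore first
    rto_hours: int            # recovery time objective (assumed hours)
    rpo_hours: Optional[int]  # recovery point objective; None where the table says NA
    owner: str


# The six rows of the slide's sample Data Criticality Analysis table.
INVENTORY: List[SystemRecord] = [
    SystemRecord("3M", "Medical Coding/Transcription", "Data Center", True, 2, 48, None, "M. Smith"),
    SystemRecord("ADP", "Time Card/Time Tracking", "Data Center", False, 1, 8, 24, "T. Jones"),
    SystemRecord("Calendar Creator", "Scheduling", "Local", False, 3, 8, None, "K. Smith"),
    SystemRecord("Camera", "Wound Care Pictures", "Local", True, 2, 8, None, "K. Jones"),
    SystemRecord("Cactus", "Physician Information", "Local", False, 2, 24, 24, "L. Ortiz"),
    SystemRecord("Citrix", "Remote Access", "Data Center", False, 3, 24, None, "M.E. Yellow"),
]


def recovery_order(inventory: List[SystemRecord]) -> List[str]:
    """Restore sequence: lowest priority number first; shorter RTO breaks ties."""
    ordered = sorted(inventory, key=lambda s: (s.priority, s.rto_hours))
    return [s.system for s in ordered]


def due_within(inventory: List[SystemRecord], hours: int) -> List[str]:
    """Systems that must be running again within `hours` of the event (RTO <= hours),
    in restore order. This is the list the response team works first."""
    ordered = sorted(inventory, key=lambda s: (s.priority, s.rto_hours))
    return [s.system for s in ordered if s.rto_hours <= hours]


def ephi_without_rpo(inventory: List[SystemRecord]) -> List[str]:
    """ePHI systems whose RPO is NA: the plan states no data-loss tolerance for
    data the DRP is required to be able to restore. Treat as a gap, not a pass."""
    return [s.system for s in inventory if s.contains_ephi and s.rpo_hours is None]


def rpo_violations(inventory: List[SystemRecord],
                   last_backup: Dict[str, datetime],
                   now: datetime) -> List[str]:
    """Systems whose newest successful backup is older than their RPO, i.e. a
    disaster right now would lose more data than the plan tolerates.
    A system with an RPO but no backup on record is also a violation."""
    late = []
    for s in inventory:
        if s.rpo_hours is None:
            continue  # no stated tolerance; surfaced by ephi_without_rpo instead
        ts = last_backup.get(s.system)
        if ts is None or now - ts > timedelta(hours=s.rpo_hours):
            late.append(s.system)
    return late


def demo_rpo_check() -> List[str]:
    """Constructed backup log (not real data): ADP's last backup is 26 h old against
    a 24 h RPO, Cactus's is 20 h old against 24 h, so only ADP is out of tolerance."""
    now = datetime(2014, 6, 10, 8, 0)
    last_backup = {
        "ADP": datetime(2014, 6, 9, 6, 0),
        "Cactus": datetime(2014, 6, 9, 12, 0),
    }
    return rpo_violations(INVENTORY, last_backup, now)


if __name__ == "__main__":
    print("Restore order:", ", ".join(recovery_order(INVENTORY)))
    print("Must be back within 8 h:", due_within(INVENTORY, 8))
    print("ePHI systems with no RPO:", ephi_without_rpo(INVENTORY))
    print("Backups older than RPO:", demo_rpo_check())
```

In practice the backup log would come from the backup product rather than a literal, and the RPO check belongs in the "Testing and revision" cycle of the plan: it is cheap to run daily, and a system that is routinely outside its RPO means either the backup schedule or the stated objective is wrong.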