5 ways to boost data disaster recovery plans
Growing pressure from regulators to improve security of protected health information makes this a good time to reexamine your disaster recovery plan. Veronica Miller, compliance solutions manager at Bluelock, a Disaster-Recovery-as-a-Service vendor, or DRaaS, gives some tips.
5 ways to boost data disaster recovery plans
Growing pressure from regulators to improve security of protected health information makes this a good time to reexamine your disaster recovery plan. Veronica Miller, compliance solutions manager at Bluelock, a Disaster-Recovery-as-a-Service vendor, or DRaaS, gives some tips.
1. Establish procedures to create and maintain retrievable copies of electronic health information
Data should be frequently backed up to a secure, off-site location. This will give access to your data even in the event of a disaster. Newer, cloud-enabled replication technology called Continuous Data Protection (CDP) makes any new data and system update sync instantly in real-time to your designated off-site location to ensure no data is lost. There’s also the option of using traditional backup technology to point your backup data to the cloud and store copies of the data in a secure, encrypted cloud-based repository.
2. Establish procedures to restore any loss of data
To comply with HIPAA requirements, a DRaaS vendor must support continuous protection of your workload while recovering data off-site. One of the most important parts of guarding data is organizing a plan for emergency data recovery. To do this, prepare a customized runbook for your disaster recovery plan that is regularly updated and tested as your organization evolves. This single document can ensure your organization’s ability to quickly get back up and running.
Be sure your team understands the procedures and processes of the disaster recovery plan, including how to access each application, its requirements for recovery and how it connects to other applications. Your DRaaS vendor may offer assistance building your runbook, as well as provide training for the team.
3. Create an emergency mode operation plan
HIPAA requires an emergency mode operation plan that ensures an organization not only has an emergency plan, but can also operate securely in an emergency state. DRaaS vendors can enable your organization to run production and applications at a high level of security and efficiency at the disaster recovery site throughout an emergency. Depending on the vendor, this level of security can be equal to or even higher than your day-to-day operations.
Although your team should have extensive training on executing the emergency mode operation plan, the DRaaS vendor should be able to execute your runbook for data and application recovery in case your team cannot access key systems. Key items to work out beforehand include recovery point objectives (RPO) and recovery time objectives (RTO) as these will determine how far back your data is recovered and how quickly that recovered data will be fully accessible again.
4. Conduct periodic testing and revision of the contingency plan.
To spot weaknesses and make adjustments to a contingency plan, regularly test your processes. Implement disaster recovery testing biannually, which is a standard IT best practice.
Your testing should analyze the organization’s response to scenarios in which the circumstances are not ideal, such as corrupted backups or failure of major systems. This will allow you to include plans for these scenarios in the disaster recovery runbook so your team doesn’t have to make last minute decisions in the middle of a disaster.
5. Assess the relative criticalness of specific applications and data
Take time to prioritize which applications and data are most crucial to your organization, and make sure the DRaaS vendor knows what the priorities are to ensure they are included in recovery efforts. Customizing the recovery level of each application and data will let you restore the most important data immediately, while waiting to recover less important data during an emergency. Your recovery vendor should be able to identify and recommend recovery levels for applications based on importance and criticalness so your business can run its key systems in the event of a disaster.
Following these simple steps will help you comply with HIPAA regulations for IT contingency plans. And when a disaster strikes, the preparation work your organization has completed will allow you to side-step much of the challenges during the event.