2. Establish procedures to restore any loss of data
To comply with HIPAA requirements, a DRaaS vendor must support continuous protection of your workload while recovering data off-site. One of the most important parts of guarding data is organizing a plan for emergency data recovery. To do this, prepare a customized runbook for your disaster recovery plan that is regularly updated and tested as your organization evolves. This single document can ensure your organization’s ability to quickly get back up and running.
Be sure your team understands the procedures and processes of the disaster recovery plan, including how to access each application, its requirements for recovery and how it connects to other applications. Your DRaaS vendor may offer assistance building your runbook, as well as provide training for the team.
3. Create an emergency mode operation plan
HIPAA requires an emergency mode operation plan that ensures an organization not only has an emergency plan, but can also operate securely in an emergency state. DRaaS vendors can enable your organization to run production and applications at a high level of security and efficiency at the disaster recovery site throughout an emergency. Depending on the vendor, this level of security can be equal to or even higher than your day-to-day operations.
Although your team should have extensive training on executing the emergency mode operation plan, the DRaaS vendor should be able to execute your runbook for data and application recovery in case your team cannot access key systems. Key items to work out beforehand include recovery point objectives (RPO) and recovery time objectives (RTO), as these will determine how far back your data is recovered and how quickly that recovered data will be fully accessible again.
4. Conduct periodic testing and revision of the contingency plan
To spot weaknesses and make adjustments to a contingency plan, regularly test your processes. Implement disaster recovery testing biannually, which is a standard IT best practice.
Your testing should analyze the organization’s response to scenarios in which the circumstances are not ideal, such as corrupted backups or failure of major systems. This will allow you to include plans for these scenarios in the disaster recovery runbook so your team doesn’t have to make last-minute decisions in the middle of a disaster.