A disaster recovery plan is an HIPPA security standard and its objectives are to establish policies and procedures for responding to an emergency (vandalism, system failure, and natural disaster) that may damage or interrupt systems that contain PHI. In brief, the Health Insurance Portability and Accountability Act, commonly known as HIPAA, was enacted on August 21, 1996, by the United States Congress and signed President Bill Clinton.
HIPPA regulates national standards to protect individuals’ health information that is created, received, used, or maintained by a healthcare industry and nonhealthcare industries. HIPAA Security Rule (Section 164. 308) requires safeguards to ensure the confidentiality and security of electronic protected health information (PHI) which effectively includes data backup, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and application and data criticality analysis (“HIPPA,”). HIPAA violations come in two categories: negligent and intentional.
An example of negligent can be described as connecting unapproved devices like flash drives or personal computers to the secure network, sharing passwords, or emailing documents containing PHI to the wrong person in error. HIPAA violations may also be classified as intentional. An example of an intentional violation is snooping in a patient’s chart. For example, if someone isn’t directly caring for a celebrity or local figure snoops into the patient’s chart, this violates hospitals standards and termination of that staff member will be enforced.
Both categories can cause data breaches (Slaughter, 2017,). In July 2013, Children’s Medical Center of Dallas had to report to the HHS that an unencrypted laptop with electronic protected health information (ePHI) on 2,462 patients has been stolen from its hospital in April. This wasn’t the first time the hospital reported losing an unencrypted device that had ePHI on a BlackBerry in 2010. The hospital was warned as early as 2007 about the risk of allowing its staff to continue using unencrypted devices.
In short, HHS’ Office for Civil Rights (OCR) fined the hospital $1,000 for each patient’s PHI disclosed in the July 2013 breach, up to the annual legal limit of $1. 5million. Furthermore, for violating the “Access Controls (Encryption)” standard of HIPAA’s security rule, Children’s Medical had to pay $1,000 per day from September 30, 2010 until April 9, 2013 totaling $923,000 and $1,000 per day for violating the “Device and Media Controls” standard between September 20. 010 and November 9, 2012, totaling $772,000 (Slaughter, 2017,). Since the HITECH Act was enacted in 2009, hospitals that are in violation of HIPAA standards will see privacy and security penalties increase rapidly. OCR actually assessed Children’s Medical $1,000 per violation which is the minimum allowable penalty under the statute for a violation that was due to reasonable cause and not willful neglect (Slaughter, 2017,).
Data vulnerabilities are increasing as the health care landscape continue to be more interconnected by utilizing technologies such as the internet to share hospital data internally and externally to stakeholders, patients, private practices, and health information exchanges. Today, healthcare organizations are reliant on electronic data and downtime cannot be an option and could be critical to a patients’ outcome. To protect their interests, a comprehensive DRP will no longer sit on a book shelf collecting dust to meet the HIPAA compliance obligations.
Penalties and incentives are enforcing healthcare organizations to update their DRP and stay compliant. An incentive that is driving healthcare organizations towards a DRP is Meaningful Use. To receive incentives, Meaningful Use requires healthcare organizations to effectively recover their EMR (electronic medical record) and electronic patient health information (ePHI) in their hospital information system in the event of a disaster. Another requirement to receive the incentive is to provide patients’ access to download their medical record online within four business days of it being available.
Despite the incentives given from the Federal Government, data breaches and cyber-attacks are on the rise and the increase of technology adoption could have played a factor in the significant growth in data breaches. The Consequences of not having a Disaster Recovery Plan in Healthcare Health Information System (HIS) increasingly plays a mission critical role in the hospital organization. Normally, these systems run silently in the background, reliably providing staff the tools and information necessary to perform their day-to-day duties.
So not having a disaster recovery plan in place would put the hospital’s assets, staff, patients, and stakeholders at risk. The buy-in of a disaster recovery plan in health care starts at the top with senior management who will provide funding to the plan and flow downward to the people that will execute the plan (DeFrangesco, 2009. ). The consequences of not having a disaster recovery plan in healthcare cannot be overstated. Regardless of the industry, when a catastrophic event takes place and brings a hospital’s department day-to-day operations to a halt, a hospital needs to recover as soon as possible to to recover as soon as possible to provide services to their staff and patients.
The consequences of lost data from a disaster are significant and may include the risk of mission critical devices losing data required for patient care that can have life-or-death consequences, great risk of losing credibility and reputation from stakeholders and patients, risk of acquiring HIPAA penalties for non-compliance, which are greater now under HITECH, risk of financial losses from lost business, and the risk of litigation costs if patients litigate the healthcare organization.
The consequences of not having a disaster recovery plan in healthcare cannot be overstated. Regardless of the industry, when a catastrophic event takes place and brings a hospital’s department day-to-day operations to a halt, a hospital needs to recover as soon as possible to provide services to their staff and patients.
The consequences of lost data from a disaster are significant and may include the risk of mission critical devices losing data required for patient care that can have life-or-death consequences, great risk of losing credibility and reputation from stakeholders and patients, risk of acquiring HIPAA penalties for non-compliance, which are greater now under HITECH, risk of financial losses from lost business, and the risk of litigation costs if patients litigate the healthcare organization. Barriers to a successful implementation of a disaster recovery plan
Unfortunately, the path to an effective disaster recovery plan isn’t always a smooth path. There are several barriers that may make it difficult to sell disaster recovery planning to senior management. One of the most challenging things is to get senior management to get buy-in from leadership. For a disaster recovery plan to be effective leadership has to buy into the plan willingly and early (NICHOLS, 2009,). A solid case addressing the concerns of management and employees regarding disasters that may occur and interrupt productivity must be the first task of developing an effective recovery plan.
Senior management buy-in and support must be both highly visible and monetary. Developing an effective disaster recovery plan should not proceed until management is in support (Bilodeau, 2011,). Know that you have senior management attention, your task is to find out the most important things to address when presenting a disaster recovery plan to management. The person that is developing the disaster recovery plan will need to be able to communicate to senior management how the disaster recovery plan will operate in a time of a disaster.
Furthermore, that person must explain to senior management the vulnerabilities that exist, both internally and externally in the organization, the cost associated with the disaster recovery plan, and how the disaster recovery plan will be an asset during an unplanned event. The chances of getting an approval of a disaster recovery plan from senior management has increased because the case has been clearly presented to senior management in a way that they understand the situation.
Especially if the message include a technology perspective that explains the proactive measures that are in place such as a disaster recovery plan that can protect and recover missioncritical systems in an event of an outage (Hilliard, 2011,). Not updating the disaster recovery plan can be a significant barrier to the disaster recovery plan. After you have successfully completed the plan, tested the plan and trained the appropriate employees for the plan, the next step is to set a date to review the plan and amend sections in the plan if needed. As IT infrastructure changes yearly the disaster recovery plan will have to be revised as well.
In closing, senior management may tell you no because the case that you are presenting to them wasn’t strong enough or convincing enough for them to say yes to the disaster recovery plan. The culture of management is about the bottom line. Meaning, how much does it cost to have a disaster recovery plan. The key is to turn the question around to senior management and ask them how much it will cost the organization not to have a disaster recovery plan. A buy-in from the staff member that is introducing the DRP show true commitment to your case and builds strong perception (Clarke, 2016,).
Cost to Implement a Disaster Recovery Plan Recovery plans mean many things to different organizations. Ford Motor Company and General Motors have very different approaches to disaster recovery planning because of their financial situations. Both have plans in place but are very different. As they say, recovery results may vary based on exposure risks involved. “Preparation is the key to ensuring that businesses can quickly rebound after a disaster,” says Tony Adams, principal analyst at Gartner’s IT services group. Businesses now more widely understand that they must prepare in advance to meet the challenges of a disaster (Salamone, 2003,). ”
A written disaster preparedness plan can be cost-effective if the organization understands the cost-savings opportunities and the associated tradeoffs. Every organization is different and a one size fit all disaster recovery plan would not be an ideal plan for all organizations. Assessing the size of a disaster recovery plan is an important step in cost estimation. Lack of funding is often a reason why organizations do not have a disaster recovery plan.
This is a contradiction. Developing a disaster recovery plan costs no money aside from the staff time needed to develop the plan. However, if organizations fail to set aside money in advance for disaster-recovery planning, they will see themselves spending far more money after a disaster. In a Gartner survey of 205 IT manager, it states “24 percent of the respondents said that lack of funds was preventing implementation of a disaster-recovery plan. One in three companies even admitted they would lose critical data or operational capability if a disaster occurred.
And 37 percent indicated they needed additional funding to carry out their disaster-recovery plan (Salamone, 2003,). ” It is true, after writing a disaster recovery plan you may want stakeholders to provide additional funding for the project that would help improve reliability by automating IT infrastructure and sunset systems that are vulnerable to a disaster (Damoulakis, 2010,). Developing a return on investment proposal to senior management and explaining how the disaster recovery plan will save the organization money makes a stronger case when senior management decides on funding a disaster recovery plan.