(ii) Implementation specifications:
(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
Tell Me More:
The Disaster Recovery Plan implementation specification requires covered entities to establish (and implement as needed) procedures to restore any loss of data after an emergency. While called a Disaster Recovery Plan, it is really about a DATA recovery plan as it focuses on “restore loss data”.
The final security rule addresses the need for each entity to have a Disaster Recovery Plan to respond to an emergency or other occurrence, including fire, vandalism, system failure and natural disaster. Disaster Recovery Plan will be scalable depending on the organization. Within Disaster Recovery Plan, the rule addresses Disaster Recovery Plans, emergency mode operation plans, and testing and revision procedures.
The final rule empowers each entity to determine its own risk in the event of an emergency that would result in a loss of operations. A Disaster Recovery Plan may involve highly complex processes in one processing site, or simple manual processes in another. The contents of any given Disaster Recovery Plan will depend upon the nature and configuration of the entity devising it. In addition, depending upon the size, configuration, and environment of a given Covered Entity or Business Associate, the entity should decide if testing and revision of all parts of a Disaster Recovery Plan should be done or if there are more reasonable alternatives. The same is true for the proposed applications and data criticality analysis implementation feature.
The Disaster Recovery Plan is necessary to assure the continued capabilities of the organization by guarding against unforeseen events. Effective data backup and recovery is clearly essential, as without this information operations are directly impacted. Asset management and criticality analysis facilitate the Disaster Recovery Plan and execution processes, while ensuring resources are spent wisely. Disaster Recovery Plans are typically the last priority of many busy organizations; however, there is no replacement for them and they are invaluable when the need arises.
For more information, see “The Truth about HIPAA‐HITECH and Data Backup“.
Questions to consider:
- Has the organization identified those staff responsible to carry out data restoration, including lists of emergency contact names and numbers, important business partners as well as potentially hardware, software and other business supply contact information as would be necessary to allow for a temporary office set-up to support complete restoration of data in order to continue business functioning? Make sure vital information is available offsite in case the site is inaccessible.
- Has the organization performed detailed testing and revision of its plan? Plans may need to be updated and changed on an ongoing basis.
- Has the organization considered secure, offsite electronic vaulting?
- NIST SP 800-34 Contingency Planning Guide for Information Technology Systems
- NIST SP 800-12 chapter 11 An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-18 Guide for Developing Security Plans for Information Technology Systems
- NIST SP 800-26 Security Self-Assessment Guide for Information Technology Systems
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations