(ii) Implementation specifications:
(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
Tell Me More:
The Emergency Mode Operation Plan implementation specification is an interesting one! The name suggests a full continuity of operations plan (COOP) or business continuity plan (BCP), while the language actually calls for the entity to ensure “… continuation of critical business processes for PROTECTION OF THE SECURITY of electronic protected health information while operating in emergency mode.” That is, an entity cannot let its guard down when operating in emergency mode. That said, a COOP and a BCP are equally important.
An emergency mode operation plan contains a process that enables an enterprise to continue to operate in the event of fire, vandalism, natural disaster, or system failure. In a manner similar to disaster recovery planning, budget for and schedule required resources for effective emergency mode operation plan testing.
Questions to consider:
- Does the organization have policies and procedures in place to ensure administrative, physical and technical safeguards remain operational in the event of a need to operate in an emergency?
- Does the organization have policies and procedures for maintaining access to data and maintaining data security when in disaster recovery mode?
- Has the organization identified those critical business processes that must occur in order for the organization to continue operations during and immediately after a crisis situation? This will help to focus resources on the most important systems first.
- Has the organization made reasonable and appropriate arrangements to ensure that its critical business processes can be up and running in an appropriate time frame? This may include having an offsite location ready for operation, mirroring data at a remote site, having agreements with suppliers to rapidly provide equipment, and having an uninterruptible power supply.
Resources:
- NIST SP 800-34 Contingency Planning Guide for Information Technology Systems
- NIST SP 800-12 chapter 11 An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-18 Guide for Developing Security Plans for Information Technology Systems
- NIST SP 800-26 Security Self-Assessment Guide for Information Technology Systems
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations