- Whether healthcare providers are working to prepare for potential natural disasters like hurricanes or manmade cybersecurity issues (i.e., ransomware attacks, insider data breaches) having a disaster recovery plan is essential.
Entities of all sizes must ensure that patient care is not compromised during periods of downtime, and also that EHR security is never put at risk.
Having a current and comprehensive backup plan and contingency plan are also federal requirements under the HIPAA Security Rule.
The Security Rule requires a data backup plan, a disaster recovery plan, and an emergency mode operation plan.
“Covered entities must have contingency plans that establish policies and procedures for responding to an emergency or other occurrence (fire, system failure and natural disaster) that damages systems that contain e-PHI,” the HHS website explains.
Covered entities also need to have policies and procedures in place that cover emergency response where systems containing PHI are damaged. This could include a fire, system failure, or natural disaster.
For example, a hospital could have a backup network or cloud storage options for its ePHI. If the hospital is flooded following a storm, physicians could still access data from another location if computers in the main building are damaged or inaccessible.
Organizations must be capable of backing up their data regularly while having a reliable and tested method for recovering data and applications. Full network visibility, the right infrastructure tools, a thorough understanding of administrative, physical, and technical safeguards, and HIPAA compliance are all critical considerations to ensure patient data is always accessible and secure.
Using HIPAA safeguards for backup, recovery measures
Healthcare organizations can utilize safeguards that are required under HIPAA regulations to help them in the data backup and recovery process.
For example, HIPAA administrative safeguards require that covered entities have a contingency plan and security incident procedures in place.
Administrative safeguards are “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information,” according to the HHS Security Series.
In terms of a contingency plan, HIPAA mandates that organizations consider what to do in a natural disaster or emergency. Strategies must be established for recovering or maintaining ePHI access “should the organization experience an emergency or other occurrence.”
Entities should consider what type of backup is needed, such as recovery discs or a cloud-based server. Power outages may also be a top considerations, and organizations should decide if they require backup generators, for example.
HIPAA technical safeguards will also need to be carefully considered with healthcare disaster recovery planning.
The HIPAA Security Rule states that technical safeguards are “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
There are no specific technologies highlighted that covered entities and business associates must utilize in this regard, HHS maintained. Instead, organizations should find reasonable and appropriate security measures for its needs. This could include data encryption, de-identification of data, or mobile device management.
With disaster recovery for example, a small, one-physician practice might not require the same large-scale cloud backup as a wide-spread hospital system. Perhaps having one separate server, not connected to the main network would be enough for the smaller facility.
How has disaster recovery aided healthcare providers?
With ransomware attacks on the rise, covered entities must remain vigilant in their disaster recovery planning. Having appropriate backups and even working with a vendor or health information exchange (HIE) could be crucial in ensuring that normal operations can continue in the face of disruption.
East Central Kansas Area Agency on Aging (ECKAAA) experienced a ransomware attack on September 5, 2017. ECKAAA said that its files were encrypted and made inaccessible by a Crysis/Dharma ransomware variant.
ECKAAA added that it had data backups in place, which allowed it to restore the data and continue providing patient care.
Erie County Medical Center (ECMC) was also a ransomware attack victim, but said that it was able to recover because of its partnership with Western New York's clinical information exchange (HEALTHeLINK).
“When the crisis hit, there was a lot of data on ECMC patients that we had available to them because they had been a data source,” HEALTHeLINK Executive Director Dan Porreca told HealthITSecurity.com. “I would encourage provider organizations to leverage, to learn about, and to work with their local HIEs and then build them into their business continuity plans and crisis response plans.”
ECMC Vice President of Communications and External Affairs Peter Cutler said that ECMC started to use laptops that were being deployed in MiFi for internet access. Usernames and passwords were then reset, and staff members were able to use the bridge with HEALTHeLINK to gain access to patient data and continue care.
The hospital’s EMR systems, including e-prescribe and CPIE, took approximately two weeks to be put back online. However, Cutler maintained that there were no diversions in patient care. The vast majority of appointments – including some surgeries – were able to stay on schedule.
“We knew it was going to be a daunting challenge,” Cutler stated. “The HEALTHeLINK component made that decision easier because we knew our clinicians in those critical care units were at least being able to see patient health records.”
Utilizing disaster recovery options for holistic cybersecurity
Healthcare organizations cannot avoid having a disaster recovery plan, especially with cybersecurity threats continuing to evolve. A holistic approach to cybersecurity includes assessing and prioritizing risk. Preparing for different types of disasters is a critical part of reviewing potential risk.
Organizations should conduct thorough research to see which options are necessary and applicable to their needs. It will also be important to remain up-to-date on all federal and state requirements with regard to contingency planning and backups. From there, entities will be better equipped to handle adverse events.