Disaster Recovery Plan

From Clinfowiki

A disaster recovery plan (DRP) is a set of processes by which an organization aims to recover its information technology and other vital infrastructure resources in the event of partial or total failure due to man-made, natural, or environmental causes. DRPs should strive to ensure that essential resources are preserved in a disaster (e.g. patient data is backed up at an off-site data center that is not directly vulnerable to the same potential events as the hospital), that procedures are in place for continuing operations while resources are down or limited (e.g. downtime forms are available if the clinical information system is inaccessible), and that a strategy exists to resume normal operations in a timely manner (e.g. return the clinical information system to full operational capability and enter the clinical data that was generated during downtime). A DRP should be frequently reviewed, updated, and tested [1].

HIPAA Requirement

A disaster recovery plan is a HIPAA requirement under the Administrative Safeguard Standard [2].

HIPAA has identified the following information to be included in a DRP:

  • Outcomes of the covered entity’s identification of vulnerabilities and potential threats in the risk analysis.
  • Safeguards adopted by the covered entity to mitigate risks associated with those vulnerabilities and threats.
  • Responsibilities of the covered entity’s key workforce members assigned by the Security Official to recover should a loss become a reality and a disaster occur.

Other requirements that must be taken into account:

  • Plan for restoring business operations and safeguarding electronic protected health information during loss of electricity.
  • Identify how natural disasters could harm current systems that contain electronic protected health information, and create policies and procedures to address the situation.
  • Include an emergency mode operation plan. Focus on how operations will be executed during an emergency and identify workforce members assigned to perform these tasks.

HIPAA has also referenced the Contingency Planning Guide for Information Technology Systems to assist with the development of a DRP [3]. The following summarized steps were identified in the guide:

  • Develop the contingency planning policy statement.
  • Conduct the business impact analysis (BIA). The BIA helps to identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to assist the user.
  • Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
  • Develop recovery strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
  • Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
  • Plan testing, training, and exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
  • Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.

References:

  1. Gonzales, C., Senft, S., Gallegos, F., & Manson, D. P. (2004). Information Technology Control and Audit, Second Edition. Auerbach Publications.
  2. Jones, A. E. (n.d.). Contingency Plan: Disaster Recovery Plan-What to Do and How to Do It. http://www.hipaa.com/contingency-plan-disaster-recovery-plan-what-to-do-and-how-to-do-it/
  3. Swanson, M., Wohl, A., Pope, L., Grance, T., Hash, J., & Thomas, R. (2002). Contingency Planning Guide for Information Technology Systems. National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce, (NIST Special Publication 800-34).
