Disaster recovery (DR) planning often fails to take into consideration how various regulations and compliance issues will impact the firm after a disaster strikes. Though it doesn't impact all businesses, those regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will quickly find that DR planning for this regulation is an intricate web of potential pitfalls. One thing that is clear from HIPAA's security rule is that producing a DR plan is a HIPAA requirement; however, the act is written to be "technologically neutral," which leaves room for each covered entity to choose the technology best suited to its needs:
"Each entity needs
to determine its own risk in the event of an emergency that would result in a
loss of operations. A contingency plan may involve highly complex processes in
one processing site, or simple manual processes in another. The contents of any
given contingency plan will depend upon the nature and configuration of the
entity devising it."
— (From the Department of Health and Human Services, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: SecurityStandards; Final Rule)
As you might be able to surmise from this brief excerpt, the "how" of HIPAA DR compliance is pretty vague. If you are subject to HIPAA requirements (i.e., a covered entity), here are the three main things that you must be able to prove:
- You've conducted a formal analysis of the risks to your data, including an assessment of the physical access and security in addition to technical threats.
- You have produced a DR plan with policies and procedures in place that cover backup, storage, and recovery.
- Your plan adequately and reasonably addresses the risks identified in your analysis.
So, you have two main concerns when evaluating a DR plan for HIPAA compliance. First is the ability of your systems to properly move data to the DR site without violating standards for privacy and security. The second is to ensure that if you do need to restore operations at another site, you are also able to restore all the safeguards required for the data as well.
The HIPAA regulations regarding the security of digitally stored information are complex and difficult to navigate at best. Both the government agencies responsible for enforcement of the law and many private firms have set up Web sites, white papers, and even entire books on how to get your enterprise compliant with the regulations. Whether you are sending data off-site via tape backup, or using more advanced replication and failover tools, you will need to ensure that you follow all the same rules for the data in transit and in storage that you follow for data in your live environment.
For tape backup, this means making sure your tape systems properly and securely encrypt the data to tape. This may sound like an easy thing to do, but the devil is in the details here. Not only do you have to decide on the appropriate encryption method, you have to make sure that you have the ability to decrypt the data at your DR location, even if you may not know what that location will be in the event of a disaster. This is especially true if you're using a third-party repository to store your tape data for eventual restoration to new equipment. The tapes will be safely encrypted, but if you lose the original systems, you may inadvertently lose the encryption/decryption keys as well. Many vendors can assist you in making sure you don't lose this vital decryption ability, but it will still be up to you to make sure you follow all the recommendations necessary to make it happen when you need to get the data back.
For replication systems, even more considerations come into play. In addition to being able to get the data back at the other end of the wire (which is probably automatically done by the replication system or the network topology used), you're going to have to ensure that you can properly protect the security of the data at both sites. This means making sure the same security protocols are in place on all data systems, production and backup.
After a disaster, you've still got work ahead of you. You may be restoring from tape or other backup systems, or failing over to another set of servers entirely. You may be doing this at your original site, or at a new data center. No matter the circumstances, the same security and protection systems that governed the original data and systems must remain in effect after a failover. This means redundant security setups if you have multiple sites, not just to protect the data, but to protect the newly restored systems as well. In the event of an audit, you will be responsible for proving that data on restored systems is just as secure, and will be under even higher scrutiny than normal, as those new systems would naturally be suspect.
HIPAA regulations are designed to make the transmission of patient and other data faster, easier and more secure. The resulting laws, however, tend to make your life as a DR professional much more difficult. Planning for all the possible scenarios is never easy, but the fines that can result from not following the regulations can far outweigh the problems of avoiding them in the first place.