Disaster recovery (DR) planning often fails to take into
consideration how various regulations and compliance issues will impact the firm
after a disaster strikes. Though it doesn’t impact all businesses, those regulated
by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will quickly find that DR
planning for this regulation is an intricate web of potential pitfalls. One
thing that is clear from HIPAA’s security rule is that producing a DR plan is a
HIPAA requirement; however, the act
is written to be “technologically neutral,” which leaves room for
each covered entity to choose the technology best suited to its needs:

“Each entity needs
to determine its own risk in the event of an emergency that would result in a
loss of operations. A contingency plan may involve highly complex processes in
one processing site, or simple manual processes in another. The contents of any
given contingency plan will depend upon the nature and configuration of the
entity devising it.”
— (From the Department of Health and Human Services, 45 CFR Parts 160, 162,
and 164, Health Insurance Reform: Security Standards; Final

As you might be able to surmise from this brief excerpt, the
“how” of HIPAA DR compliance is pretty vague. If you are subject to
HIPAA requirements (i.e., a covered entity), here are the three main things
that you must be able to prove:

  • You’ve conducted a formal analysis of the risks
    to your data, including an assessment of the physical access and security in
    addition to technical threats.
  • You have produced a DR plan with policies and
    procedures in place that cover backup, storage, and recovery.
  • Your plan adequately and reasonably addresses the risks identified in your
    analysis.

So, you have two main concerns when evaluating a DR plan for
HIPAA compliance. First is the ability of your systems to move data to
the DR site without violating the privacy and security standards. Second is
ensuring that, if you do need to restore operations at another site, you can
also restore every safeguard the data requires.


The HIPAA regulations regarding
the security of digitally stored information are complex and difficult to
navigate at best. Both the government agencies responsible for enforcement
of the law and many private firms have
set up Web sites, white papers, and even entire books on how to get your
enterprise compliant with the regulations. Whether you are sending data
off-site via tape backup, or using more advanced replication and failover
tools, you will need to ensure that you follow all the same rules for the data
in transit and in storage that you follow for data in your live environment.

For tape backup, this means making sure your tape systems
properly and securely encrypt the data to tape. This may sound like an easy
thing to do, but the devil is in the details here. Not only do you have to
decide on the appropriate encryption method, you have to make sure that you
have the ability to decrypt the data at your DR location, even if you may not
know what that location will be in the event of a disaster. This is especially
true if you’re using a third-party repository to store your tape data for
eventual restoration to new equipment. The tapes will be safely encrypted, but
if you lose the original systems, you may inadvertently lose the encryption/decryption
keys as well. Many vendors can assist you in making sure you don’t lose this
vital decryption ability, but it will still be up to you to make sure you
follow all the recommendations necessary to make it happen when you need to get
the data back.
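The key-loss problem described above is usually solved with an escrowed key-encryption key (KEK): each backup set is encrypted under a fresh data key, that data key is written to the tape only in wrapped form, and the KEK itself never touches the media but is kept with a separate custodian that survives the loss of the original site. The script below is an added illustration of that pattern together with a pre-disaster restore drill; it is not code from the original article or from any tape vendor. The function names, the `escrow` dictionary standing in for an off-site key vault, the KEK identifier and the sample record are all assumptions made for the example, and the cipher is a standard-library stand-in (HMAC-SHA256 in counter mode, encrypt-then-MAC) used only so the file runs without third-party packages; a real tape drive would use hardware AES, and the point here is the key handling, not the cipher.

```python
"""Envelope-encrypted backup with an escrowed key-encryption key (KEK).

- Every backup set gets a fresh random data key (DEK).
- The DEK is stored with the backup only in wrapped form (sealed under the KEK).
- The KEK is never written to the backup media; it lives in a separate escrow
  (offline safe, HSM, key-management service) so it survives losing the site.
Recovery therefore needs exactly two artefacts: the tape image and the escrowed
KEK. restore_drill() checks that combination before a disaster does.

The cipher is a stand-in built from HMAC-SHA256 in counter mode with
encrypt-then-MAC, chosen only so this runs on the standard library.
"""
import hashlib
import hmac
import secrets
import struct


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256(key, nonce || counter) blocks, truncated to length bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one secret."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt then authenticate; returns a JSON-friendly box."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def _open(key: bytes, box: dict) -> bytes:
    """Verify the tag first; a wrong key or altered tape fails here, loudly."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = (bytes.fromhex(box[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyUnavailable(Exception):
    """The escrowed KEK named on the tape cannot be found: unrecoverable."""


def generate_kek() -> bytes:
    return secrets.token_bytes(32)


def fingerprint(data: bytes) -> str:
    """Digest recorded at backup time so a drill can confirm a byte-exact restore."""
    return hashlib.sha256(data).hexdigest()


def write_backup(records: bytes, kek: bytes, kek_id: str) -> dict:
    """Produce a 'tape image': ciphertext plus the wrapped DEK, never the KEK."""
    dek = secrets.token_bytes(32)
    return {"kek_id": kek_id,
            "wrapped_dek": _seal(kek, dek),
            "payload": _seal(dek, records)}


def restore_backup(tape: dict, escrow: dict) -> bytes:
    """Restore using only the tape and the escrowed KEK it names."""
    kek = escrow.get(tape["kek_id"])
    if kek is None:
        raise KeyUnavailable(f"KEK {tape['kek_id']!r} is not in escrow")
    dek = _open(kek, tape["wrapped_dek"])
    return _open(dek, tape["payload"])


def restore_drill(tape: dict, escrow: dict, expected_fingerprint: str) -> bool:
    """True only if the backup decrypts with escrowed material and matches."""
    try:
        data = restore_backup(tape, escrow)
    except (KeyUnavailable, ValueError):
        return False
    return fingerprint(data) == expected_fingerprint


if __name__ == "__main__":
    kek = generate_kek()
    escrow = {"kek-2024-01": kek}                      # stands in for the off-site vault
    records = b"mrn=000123|constructed sample record"  # constructed sample data
    tape = write_backup(records, kek, "kek-2024-01")
    digest = fingerprint(records)
    print("drill with escrowed KEK :", restore_drill(tape, escrow, digest))
    print("drill after losing KEK  :", restore_drill(tape, {}, digest))
```

The drill is the part worth scheduling: run it from a machine that has nothing but the tape image and the escrow, so a KEK that only ever lived on the (now lost) production server is caught as a `False` result months before the tape is actually needed.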

For replication systems, even more considerations come into
play. In addition to being able to get the data back at the other end of the
wire (which is probably automatically done by the replication system or the
network topology used), you’re going to have to ensure that you can properly
protect the security of the data at both sites. This means making sure the same
security protocols are in place on all data systems, production and backup.

After a disaster, you’ve still got work ahead of you. You may
be restoring from tape or other backup systems, or failing over to another set
of servers entirely. You may be doing this at your original site, or at a new
data center. No matter the circumstances, the same security and protection
systems that governed the original data and systems must remain in effect after
a failover. This means redundant security setups if you have multiple sites,
not just to protect the data, but to protect the newly restored systems as
well. In the event of an audit, you will be responsible for proving that data
on restored systems is just as secure, and will be under even higher scrutiny
than normal, as those new systems would naturally be suspect.

HIPAA regulations are designed to make the transmission of
patient and other data faster, easier and more secure. The resulting laws,
however, tend to make your life as a DR professional much more difficult. Planning
for all the possible scenarios is never easy, but the fines that can result
from not following the regulations can far outweigh the problems of avoiding
them in the first place.