Here's how HIPAA can impact disaster recovery planning.
By Mike Talon
Better known as HIPAA, the Health Insurance Portability and Accountability Act of 1996 is becoming a major force in disaster recovery (DR) planning. In fact, several TechRepublic members recently requested that I cover this topic.
While the majority of HIPAA doesn't directly affect most DR planning, areas exist that directly impact day-to-day DR operations. HIPAA requires the safe and ethical storage, transport, and sharing of individually identifiable health information (IIHI).
To put it simply, HIPAA essentially requires that patients are aware of what healthcare organizations are doing with their IIHI, and it requires that any organization handling such information must protect it and follow all the guidelines set by the providers that originated the information.
The majority of HIPAA directly impacts security concerns, with necessities for secure transport protocols and encrypted file systems taking center stage. Concerning the disaster recovery arena, all of these new security measures affect how organizations properly protect the data in question from disasters, just as security precautions protect it from attack and theft.
First and foremost, organizations must be able to prove that backup tapes, DR server systems, and any other device or media that holds IIHI can store it securely. This means storing backup tapes in a secure facility and transporting them to that facility in a manner that prevents interception.
While it's not difficult to contract for such secure transport and storage--many companies specialize in this type of tape storage--it can become very expensive, very fast. To avoid using up the DR budget before completing your plan, involve your organization's compliance personnel in DR discussions to ensure you don't do more than you absolutely need to.
HIPAA also directly impacts DR planning because it determines how your company can and cannot replicate and otherwise transport information from one location to another. HIPAA requires the storage of IIHI in a secure format (either completely shielded from the outside world or maintained in an encrypted format at all times).
This means that whatever replication strategy you use must be able to handle the encryption systems you put into place. On the surface, this sounds pretty easy--until you analyze the components in question.
On each of the systems in use (both the production systems and the receiving systems), you must move to and from an encrypted file system--or otherwise be ready to prove they're impenetrable systems. Because it's typically going to be nearly impossible to prove that a system that transmits and receives replicated data is impenetrable, you need a replication tool that can maneuver between encrypted file systems.
In addition, you almost definitely need a protected connection of some form, such as a secure VPN, IPSec encryption, etc. The protected connection meets the HIPAA requirements regarding IIHI data in transmission not being subject to potential tampering and theft. Once again, you need to ensure your replication tool can either encrypt data natively or that it can run over already encrypted connectivity.
HIPAA regulations and disaster recovery systems can coexist with proper planning. If you work closely with compliance staff (usually your organization's legal advisors), you can create a DR solution that meets both the requirements of HIPAA and your company's business continuity plan.
Mike Talon is an IT consultant and freelance journalist who has worked for both traditional businesses and dot-com startups.