By Laurie Head
AIS Network VP, Marketing Communications
Well, it’s off to Bath County to sponsor the 2013 Annual Conference of the Virginia Association of Counties (VACo), which is beginning on Sunday at the Omni Homestead Resort.
As you may already know, AISN hosts the commonwealth portal, Virginia.gov, and provides hosting services for numerous state agencies and localities, under its contract with the Commonwealth of Virginia (VA-120416-AISN). As a conference exhibitor, AISN will showcase its high-security/high-compliance cloud hosting with a focus on how it can help Virginia’s counties back up their mission-critical data and apps and protect their information technology infrastructure from natural disasters such as hurricanes, blizzards, ice storms and earthquakes, as well as from human error.
We’re pretty excited to present our high performance hosting and disaster recovery capabilities at this year’s VACo annual conference. AISN has long admired VACo’s commitment to advocacy on behalf of Virginia’s counties, and we are very proud to do our part too by offering counties state-of-the-art IT services that they can actually afford during these cost-conscious times. We will show them how they can use our contract with the Commonwealth of Virginia to safeguard their IT infrastructure in a way that will also reduce expenses and improve operational efficiencies.
AISN is Virginia-based and SWaM-certified. We are a leading supplier of IT disaster recovery and private cloud hosting solutions for those organizations with the most demanding security and compliance requirements. Our state contract empowers AISN to serve agencies, counties, municipalities and all other public entities throughout the Commonwealth of Virginia.
Hope to see you there!
By Sarah Morris, KirkpatrickPrice
If you’re hosting data classified as protected health information (PHI), it’s always your responsibility to take appropriate measures to comply with the HIPAA Security Rule. Beginning September 23, business associates of covered entities can be fined directly by the Department of Health and Human Services (HHS) for failing to comply with the law.
That’s right: next week, the level of accountability increases for providers serving the healthcare market. What does this mean? Simply signing a Business Associate Agreement (BAA) is no longer enough. All business associates must ensure their own compliance by establishing appropriate physical, administrative, and technical safeguards to protect PHI.
In light of the changes to the Security Rule, it’s in the best interest of hosting providers to standardize a single internal process for handling all client data, which makes it far simpler to demonstrate compliance with the various frameworks governing their controls. Many companies have adopted a policy of treating all data as PHI so that systems don’t have to be segmented for compliance purposes. The trade-off is that every system then carries the full PHI control set; the alternative is to segment PHI inside a defined, documented boundary so that the scope of an audit (and of the controls) is clear.
So, what if we’re doing everything to make sure the proper policies and procedures are in place and there’s still a breach? Even in the tightest of security environments, breaches can still happen. However, there’s a difference between being negligent after a data breach and doing everything you can to contain and resolve the issue while communicating it to your client (a business associate is required to notify the covered entity of a breach without unreasonable delay). Prompt remediation and notification can be the difference between a manageable incident and substantial fines administered by the HHS Office for Civil Rights (OCR).
KirkpatrickPrice has pointed out three useful tips to help hosting providers prepare for these new changes and potential audits.
1. Do you have someone overseeing your compliance efforts? Make sure your organization is establishing and implementing physical, administrative, and technical safeguards to protect PHI. Are those policies and procedures formally written? If a client scheduled an onsite audit, could you produce adequate evidence that you actually follow your procedures? Protection from data breaches should be a top priority across your organization.
2. Do you know who your vendors are? Now that you’re directly responsible for your own compliance, you need to make sure the companies you’re partnering with can be trusted. This can mean the difference between a contained incident and a loss of money and reputation over leaked data. What good are all the necessary controls to protect PHI if the companies you’re working with aren’t doing the same? Subcontractors that create, receive, maintain, or transmit PHI on your behalf are business associates themselves, so you need a BAA with each of them, and you should check that a potential vendor actually meets the necessary security controls before engaging them.
3. Are you assuring your chain of custody? Signing a Business Associate Agreement used to be all that was necessary to satisfy a client’s contractual requirements. Now clients will go further, asking you for written policies and procedures at a minimum. Are you prepared for your clients to perform a HIPAA risk assessment on your organization?
Taking a fresh look at the HIPAA requirements is very important before the upcoming changes take effect. Contact us at KirkpatrickPrice for help comparing the HIPAA Security Rule standards against what you’re currently doing.
Disaster recovery plans are a key component of business continuity. Below is a brief checklist to help guide you:
Business Continuity Plan (BCP) Project Approach
1. Business Impact Analysis
a. Review existing business continuity capabilities:
i. Evaluate the risk to business process failures
ii. Identify critical and necessary business functions/processes and their resource dependencies
iii. Estimate the financial and operational impacts of disruption and the required recovery timeframe for these critical business functions
iv. Assess the effectiveness of existing risk reduction measures
b. Compile BIA Report:
i. Financial impact of disruption
ii. Operational impact of disruption
iii. Prioritized critical functions for business continuity
iv. Recovery time frames for critical functions
v. Required resources (e.g., computer systems, vital records, telecommunications and work areas) for business continuity
2. Strategy Selection
a. Identify a range of specific recovery strategies to address interruptions of production processes
b. Identify the computing resources required to recover the various distributed processing environments
c. Document alternative recovery strategies within a Recovery Strategy Selection report
3. Business Continuity Plan Documentation
a. Create new Business Continuity Plan including:
i. Emergency notification and disaster declaration procedures
ii. Recovery team procedures
iii. Facility and business restoration procedures
iv. BCP testing and maintenance cycles
v. Appendices for master contact lists, equipment inventories, connectivity schematics, etc.
Twelve Business Continuity Plan (BCP) Components:
2. Technology Components
3. Data Center Recovery Alternatives
4. Backup Recovery Facilities
5. Geographic Diversity
6. Backup and Storage Strategies
7. Data File Backup
8. Software Backup
9. Off-site Storage
12. Other Considerations
For more on IT disaster recovery, take a look at some recent blogs on the subject.
By Sarah Morris
In late October 2012, Hurricane Sandy left devastation in parts of the Caribbean, Mid-Atlantic and Midwestern states, and Eastern Canada. With winds up to 80 mph, this Category 2 hurricane wreaked havoc along the eastern seaboard of the United States from Florida to Maine.
Sandy was declared the largest Atlantic hurricane on record, with a measured diameter of 1,100 miles, and it affected 24 states. Severe flooding and power loss in New Jersey and New York left an estimated $63 billion in damage.
Many businesses were left inoperable, with critical systems unavailable and, in some cases, physically unsecured. Businesses that had not planned for a disaster on the scale of Sandy and her predecessors suffered accordingly.
Some, however, had taken preventive action by developing Business Continuity Plans and Disaster Recovery Plans. Such plans help a business analyze the risks and threats to its operations before it finds itself in the path of a disaster.
Blue World, Inc., a service organization that specializes in data collection, software application development, and marketing services, is located in lower Manhattan in New York City.
After Sandy hit, Blue World COO Ted Locke told Gary Boardman, their Information Security Auditor with KirkpatrickPrice, that the building “had 5 to 6 feet of water through the first floor and filled the basement to a level 35 feet deep.” He went on to comment, “There is not a single first floor business in lower Manhattan that was not destroyed. Most of the buildings in lower Manhattan will not be operational for months.”
Despite the destruction of Sandy, Blue World never missed a day of operation. Blue World engaged information security specialists at KirkpatrickPrice to develop a Business Continuity Plan, which they practiced and tested to its very limits.
“It has worked,” said Locke. Blue World deployed their BCP on the Sunday before the storm, and when asked about their experience with engaging KirkpatrickPrice, said, “If it weren’t for our work with KirkpatrickPrice these last two years, Blue World would not exist today.”
Blue World’s Business Continuity Plan left them ready to operate through the storm without interruption.
What exactly is a Business Continuity Plan and how did it help support Blue World’s operation?
The process of developing a Business Continuity Plan helps service organizations analyze the impact that potential risks could have on business functions and processes. This allows them to prioritize critical functions and strategize accordingly to develop recovery processes.
There are many components that must be considered when developing a BCP, including personnel, technology components, backup and storage facilities, and communications. With proper preparation and testing of disaster recovery plans, service organizations can substantially reduce the risk of operational failure.
The key is preparing, whether or not you think disaster will happen. Planning ahead is the only way you can protect your business and ensure that you’ll remain up and running.
To emphasize the seriousness of preparing for disaster, Locke summed up Blue World’s success by saying, “If you approach your BCP as if its enactment is an inevitability, rather than a possibility, you will be much more successful in its development and deployment.”
By Jay Atkinson
AIS Network CEO
If you’re a company in the health care industry, you have just 47 days to get your act together on planning for IT disaster recovery.
That’s right. Beginning Sept. 23, the updated HIPAA/HITECH rules governing protected health information (PHI), including secure data backup and recovery, reach their compliance date, and some businesses will face increased exposure to penalties.
What does this mean? It means that the HIPAA privacy and security regulations are changing in ways that impact every health care industry entity, including providers, clearinghouses, insurers, health plans, e-prescription networks, business associates, and other industry entities.
If you’re among these organizations, you’ll need to review your HIPAA compliance, policies and procedures to see if you are prepared to meet the newly finalized requirements in the HIPAA rules for Privacy and Security of Protected Health Information. These include:
- data backup and IT disaster recovery specifications that now apply directly to business associates as well as covered entities
- more rules on data encryption (that’s another blog entirely)
- important changes to patient privacy and security rights
- modifications of marketing and fundraising rules
- a change in how PHI breaches are determined
- increased enforcement efforts
So why the rush? More businesses will face direct liability for violations and the penalties are substantial.
The enforcement rules have toughened up considerably. The HIPAA four-tier violation schedule has increased minimum and maximum fines. If you are found to be in willful neglect of compliance, mandatory fines begin at $10,000 per violation. Violations that are not corrected promptly are subject to mandatory minimum fines starting at $50,000 per violation, capped at $1.5 million per calendar year for violations of the same provision.
With the newly revised audit program set for relaunch in Q4, time is running out to review your HIPAA compliance and get busy on meeting the new disaster recovery requirements.
Why is disaster recovery so important? All electronic PHI must be protected by a backup/disaster recovery plan. Or else.
If a storm like last year’s Hurricane Sandy hit your area tomorrow, how much ePHI would your practice or business lose? How would you get it back? In the past, backup and recovery processes were typically performed using tapes. But like VHS tapes, those days are gone. Virtualization technologies are providing more comprehensive protection — and faster recovery rates — far more cost effectively than ever before.
- See more at: http://www.capturebilling.com/hipaa-privacy-and-security-changes-in-the-hitech-act/#sthash.0ESkQD9x.dpuf
I Don’t Have a Disaster Recovery Plan. What Do I Do?
If you haven’t yet planned for a worst case scenario, act now to establish the critical processes and develop a clear understanding of how the cloud can help.
First, check out the HIPAA Security Rule’s Administrative Safeguards language on data backup and disaster recovery, 45 CFR §164.308(a), specifically part 7 (the contingency plan standard) and part 8 (evaluation):
(7) (i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
(ii) Implementation specifications:
(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.
(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart.
Next, here are some steps that you can take to get started:
1) Identify risks. List and categorize threats associated with natural and man-made disasters and their impact on various systems.
2) Inventory IT assets. Which are most critical to maintaining business continuity? What’s your tolerance for loss of those assets? The cost of the response should be balanced against your tolerance for system downtime.
3) Define your goals. When disaster strikes, can your business close? Or, does it need to recover somewhere else? Define goals in terms of RPO (Recovery Point Objective, “How much data can we lose?”) and RTO (Recovery Time Objective, “How long can we be down?”).
4) Develop a plan. Include an IT assets inventory, data protection procedures and contingency plans, notification/activation schedules, a list of roles and responsibilities, a list of resource requirements and details about training provisions. A good plan also includes maintenance and backup/recovery testing schedules.
5) Understand the cloud’s benefits. Virtualization technologies make backup and disaster recovery vastly faster, cheaper and easier. For HIPAA-focused health care clients, we recommend deploying backup and disaster recovery solutions within a fully managed, high security private cloud.
6) Implement the plan. If executives understand the consequences of system disruptions, you can win their support and funding for contingency policies.
7) Test the plan. Testing and keeping plans updated will help ensure business survival.
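Steps 3 and 7 above only mean something if you can show evidence that backups are "retrievable exact copies" (the Data backup plan specification in §164.308(a)(7)(ii)(A)) and that the newest usable copy is within your RPO. The following Python script is an added example, not code from the original post or from AISN: it writes a manifest (SHA-256 digest plus capture time) beside each backup, then re-hashes every copy at verification time and measures the age of the newest intact one against the RPO. The directory layout, file names, manifest format and the sample data are all assumptions made for this example.

```python
# Added example (not from the original post or AISN): a daily backup
# verification check that produces evidence for the Data backup plan
# specification (retrievable exact copies) and for an RPO goal.
# Paths, file names, the manifest layout and the sample records are all
# assumptions constructed for this example.
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup(backup_dir: Path, name: str, data: bytes, taken_at: datetime) -> Path:
    """Write a backup file plus a sidecar manifest recording its digest and capture time.

    The digest is recorded when the copy is made; verification recomputes it later,
    so silent corruption or tampering of the copy shows up as a mismatch.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    blob = backup_dir / name
    blob.write_bytes(data)
    manifest = {"file": name, "sha256": sha256_of_file(blob), "taken_at": taken_at.isoformat()}
    (backup_dir / f"{name}.manifest.json").write_text(json.dumps(manifest))
    return blob


def verify_backups(backup_dir: Path, rpo: timedelta, now: datetime) -> dict:
    """Check every manifest in backup_dir for integrity and measure the newest intact copy against the RPO.

    Returns a dict with:
      rpo_met    - True if the newest *intact* backup is no older than the RPO
      newest_age - age of that backup as a timedelta (None if no intact backup exists)
      corrupt    - backups whose current digest differs from their manifest
      missing    - backups whose manifest exists but whose file does not
    """
    corrupt, missing, intact_times = [], [], []
    for manifest_path in sorted(backup_dir.glob("*.manifest.json")):
        m = json.loads(manifest_path.read_text())
        blob = backup_dir / m["file"]
        if not blob.exists():
            missing.append(m["file"])
            continue
        if sha256_of_file(blob) != m["sha256"]:
            corrupt.append(m["file"])
            continue
        intact_times.append(datetime.fromisoformat(m["taken_at"]))
    # Only an intact copy counts toward RPO: a corrupt "recent" backup restores nothing.
    newest_age = (now - max(intact_times)) if intact_times else None
    return {
        "rpo_met": newest_age is not None and newest_age <= rpo,
        "newest_age": newest_age,
        "corrupt": corrupt,
        "missing": missing,
    }


def run_demo() -> dict:
    """Constructed scenario: 24h RPO, a good copy from 30h ago, and a newer copy corrupted after capture."""
    now = datetime(2013, 9, 23, 12, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = Path(tmp) / "ephi-backups"
        write_backup(backup_dir, "ephi-2013-09-22.db", b"sample records (constructed)", now - timedelta(hours=30))
        recent = write_backup(backup_dir, "ephi-2013-09-23.db", b"sample records (constructed, newer)", now - timedelta(hours=2))
        # Simulate bit rot or tampering on the newest copy after its manifest was written.
        recent.write_bytes(b"sample records (constructed, newer) CORRUPTED")
        return verify_backups(backup_dir, rpo=timedelta(hours=24), now=now)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2, default=str))
```

In the constructed scenario the 2-hour-old copy fails its digest check, so the newest usable backup is 30 hours old and the 24-hour RPO is reported as missed. That is the point of re-hashing at verification time rather than trusting the timestamp: "we have a backup from this morning" is not evidence until the copy has been proven intact, and a report like this one, run on a schedule and retained, is the kind of artifact an auditor or client will ask for under step 7.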
Are you ready now? If not, contact us and we can help you get on track.
Choosing the right HIPAA-compliant backup and disaster recovery solution, deployed in a high security private cloud infrastructure, will help you protect your company’s PHI and avoid penalties for noncompliance.*
With the burden of compliance eased, you can turn your focus back to providing great patient care.
* Remember, these measures do not ensure HIPAA compliance. Rather, they are simply a component of your overall HIPAA compliance plan.