Disaster Recovery & Business Continuity Blog
Patricia A. Trites
Contingency Planning
In light of many recent natural and unnatural disasters experienced in the United States, a sound emergency action plan is both reasonable and appropriate. The Security Rule states that each medical practice must "establish (and implement as needed) policies and procedures for responding to an emergency or other occurance (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information." The rule expands this further with implementation specifications for a Data Backup Plan, a Disaster Recovery Plan, and an Emergency Operation Mode Plan. All of these elements are important to any medical practice that maintains an electronic system and can be reasonably accomplished. Most medical practices underastand that creating and maintaining backup copies of their computer systems is not only important, but imperative to maintain daily operations. Unforunately, these backup tapes or discs can be left sitting on top of the computer or server and then re-used without checking for a valid backup. Other medical practices will perform the backup procedures only once a week, if they remember, and then place the backups in an off-site location that is unsecured.
What happens when the medical practice has some form of system failure and must use the backup to restore the system? Has this ever been attempted? Many who have had to restore their backup media have found that it doesn't work as advertised! That is why having a tested disaster recovery plan in place will help. Each medical practice should research alternative methods for backup systems as well as protecting the backup media.
There are many ways to prepare for disaster, each medical practice will have to assess its own risks, but developing appropriate policies and procedures and having them in place is the first step. This is called an Applications and Data Criticality Analysis in the Security Rule. The more critical the data, the more important it is to implement robust policies and procedures. For example, a medical practice that has converted to a paperless office, with medical records, lab, billing, etc. all on the computer system, will be more at risk than a medical practice that has only medical practice management billing records on its computer system. How will a paperless office operate if it loses power? How will it operate if a flood destroys its computer systems? How does the medical practice contact employees when a disaster happens in the middle of the night? Is being in the middle of a disaster the time to find out that the medical practice doesn't have its employees' contact information and that half of the staff have unlisted phone numbers? These are the types of questions each medical practice must ask about its organization; it then must come up with reasonable solutions to the potential disasters. These answers will make up the medical practice's Emergency Operation Mode Plan.
One of the most important steps in developing a disaster recovery plan, backup plan, and emergency mode operations plan is testing the plans before they are needed. This is actually an addressable specification in the Security Rule, but isn't it reasonable to test the systems the medical practice put into place? Once tested, the medical practice can make any modifications necessary to further refine the plans or correct any issues that occured. It is just as important to re-test the plans if the medical practice does make any modifications. If anything changes within the medical practice, sucs as setup of a new computer system, the plans should be revised and retested to make sure they work with a new system.
