Contingency Planning, Business Continuity and Disaster...

Date post: 06-Mar-2018
Page 1: Contingency Planning, Business Continuity and Disaster ...aishealth.com/sites/all/files/hipaa_security_22.pdf · Contingency Planning, Business Continuity and Disaster Recovery Security

Copyright © 2014 by Atlantic Information Services, Inc. All Rights Reserved.

AIS’s HIPAA Compliance Center

Contingency Planning, Business Continuity and Disaster Recovery Security Section (22) — Page 1

Security Section (22)

Contingency Planning, Business Continuity, and Disaster Recovery

Table of Contents

¶1500 Introduction ........ 3
¶1510 The Terms ........ 6
¶1511 What Is a Business Continuity Plan? ........ 6
¶1512 What Is a Disaster Recovery Plan? ........ 6
¶1513 What Is a Contingency Plan? ........ 7
¶1520 The Personnel Requirements ........ 9
¶1521 The Need for Involvement by Senior Management ........ 9
¶1521.1 Starting from Scratch ........ 9
¶1522 The Strike Team Approach to Contingency Planning ........ 12
¶1522.1 The Three Levels of Strike Teams ........ 12
¶1530 Developing an Effective Contingency Plan ........ 14
¶1531 Contingency Planning Policy ........ 14
Figure 1531–1 Sample Contingency Planning Policy Statement ........ 15
¶1532 Business Impact Analysis (BIA) ........ 15
¶1532.1 BIA Interview Questions ........ 17
Figure 1532–1 BIA Questions and Data Collection Forms ........ 18
¶1532.2 Working with the Results of the BIA ........ 23
Figure 1532–2 Potential Strategy Development ........ 24
Figure 1532–3 Sample Risk and Mitigation Assessment ........ 25
¶1533 The Plan Itself ........ 26
Figure 1533–1 Outline of Contingency Plan ........ 27
¶1540 Emergency Operations ........ 37
Figure 1540–1 Sample Action Plan ........ 37


¶1550 Testing ........ 39
¶1551 Table-Top ........ 39
¶1552 Critical Areas ........ 39
¶1553 Complete and Corporate-Wide ........ 39
¶1560 Vendors and Partners ........ 40
Figure 1560–1 General Vendor/Business Partner Resiliency Questionnaire ........ 40
¶1570 Frequently Asked Questions ........ 44


Chapter 1500

Contingency Planning, Business Continuity, and Disaster Recovery

Joseph Arnett, MBA, CBCP, Vice President, Business Continuity, Taxation Professionals, [email protected]

Russ Arnett, MBA, PMP, MBCI, CBCP, Executive Vice President, CTO, Taxation Professionals, [email protected]

¶1500 Introduction

It’s easy to think a disruption or a disaster will never happen to your organization. Yet business interruptions occur all around us all the time, and they come from three main sources:

(1) Natural (fire, flood)

(2) Human (error, terrorist acts, sabotage, malicious code, electrical power failure)

(3) Environmental (equipment failure, software error, and power or telecommunication network outage)

Joseph Arnett has over 20 years of experience in the contingency planning area. He has been directly involved in the valuation of major companies’ recovery plans and in the recovery of businesses after major disasters, including earthquakes, electrical outages, and hurricanes. He works full time as a recovery planner and is in his doctorate program at a major university.

Russ Arnett has over 40 years of experience in the information technology area with the past 10 years in the health care industry. He has worked with several health care firms in developing recovery plans to meet HIPAA, National Committee for Quality Assurance, CMS, Sarbanes-Oxley, and state requirements. He has direct experience in the recovery of both small and large firms during earthquakes, storms, and hurricanes. Russ is currently the newsletter director for the Orange County chapter of Association of Contingency Planners (www.acpoc.com) and publishes articles in each issue.

We must note that while most of this material is original it has been developed because of our ability to belong and be a part of the Orange County ACP organization. We would suggest that for additional information and great newsletters you visit their Web site. If you would like to ask questions or to provide feedback about this chapter please feel free to send us an email. We both receive emails at [email protected] or of course you can contact us individually if you wish.


Natural, human, and environmental events cause disruption of operations in widely varying scope, and depending on the organization’s size, some of these events can have a critical impact on the operations.

Whatever the causes, a contingency plan is the organization’s best defense for mitigating disruptive events and returning to normal operation after an emergency.

The focus by the federal government on contingency plans is clear from the laws that have been passed, including the Sarbanes-Oxley Act of 2002 (SOX) and HIPAA, both of which require an entity to have contingency plans in place.

The Sarbanes-Oxley Act is having a major impact on public health care companies as they work to meet its new requirements; internal and external auditors are redefining the way they do business; and investors are waiting to see if the objectives of SOX come to fruition.

Understanding what is required to be compliant with SOX is no small challenge. At a high level the requirements appear to be the same from one organization to another. But in actual implementation, final solutions may differ dramatically due to what is defined as a “financial transaction.” In some cases the external auditors claim it is “any” financial transaction, while internal auditors believe that only “significant” financial transactions should apply. The lawmakers and rule makers recognize these differences and, as a result, have consciously avoided making the requirements too specific.

Currently, public corporations must be in compliance with SOX Title IV, §404,¹ which requires executives and auditors to confirm the effectiveness of internal controls for financial reporting. This, the authors believe, implies the need for a well-developed business impact analysis and business continuity plan.

Other important aspects of SOX include §302, which requires executives to certify the accuracy of corporate financial reports and disclose any deficiencies and material weaknesses, including fraud in internal controls to audit committees and auditors. Significant changes in internal controls and corrective actions also must be reported. The authors believe this section implies a need for a disaster recovery plan because the company will need to provide proof of compliance if a disaster were to occur.

An added impetus for establishing a contingency plan is the fact that federal and state regulatory agencies are moving closer to intensive audits of contingency plans each year. For example, in a recent Michigan state audit, the state required proof of current (last 12 months) contingency plan testing results with corrective action plans and executive sign-offs; in this case, the testing had just occurred, so it was easy to provide — could your organization do the same? The authors believe that other states will follow the example of Michigan and begin to push health care companies to provide contingency plan results of self-administered audits and tests; then they will select a group within each health care sector for a full agency audit.

¹ Section 404 of the Sarbanes-Oxley Act requires publicly owned companies to (1) have an enterprise-wide security policy; (2) have enterprise-wide classification of data for security, risk, and business impact; (3) have security-related standards and procedures; (4) have formal security-based documentation, auditing, and testing in place; (5) enforce separation of duties; and (6) have policies and procedures in place for change management, help desk, service requests, and changes to applications, policies, and procedures. This current SOX requirement fits into the current mentality of disaster recovery — “recovery of critical systems/processes” — as though having the systems and data available would keep the business viable without any business processes.

Any plan that is developed to respond to a crisis or event must be designed to address the identified risks. ¶1200 has provided a good primer in risk analysis, so the “how to” is not part of this chapter. HIPAA security requirements have spelled out the need to identify and mitigate risks that either were unknown or ignored in the past.

This chapter is presented for the novice and experienced recovery planner and will provide information that can be used to develop a recovery plan that will meet current standards. There are several variations on recovery plans, and certainly information from the professional organizations DRI International (DRII) and The Business Continuity Institute (BCI) can be obtained for use as well.

TIP: PROFESSIONAL ORGANIZATIONS’ WEB ADDRESSES

DRI International: www.drii.org
The Business Continuity Institute: www.thebci.org


¶1510 The Terms

The terms, “business continuity plan,” “disaster recovery plan,” and “contingency plan,” may sound as though they are the same; in fact, while they are similar and have a clear relationship to each other, there are distinctions, primarily based on scope and focus. Consider these definitions from the National Institute of Standards and Technology (NIST) (Appendix E, Contingency Planning Guide for Information Technology Systems, SP 800-34, June 2002):

Business Continuity Plan (BCP). The documentation of a predetermined set of instructions or procedures that describe how an organization’s business functions will be sustained during and after a significant disruption.

Disaster Recovery Plan (DRP). A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities.

Contingency Plan. Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster.

¶1511 What Is a Business Continuity Plan?

As the definition in ¶1510 illustrates, a business continuity plan (BCP) is broad in scope and focuses on ensuring the continuity of the business. It does not have to be overly extensive, and it should be sized to fit the organization, but it does have to be implemented.

TIP

Current experiences with several state regulatory audit groups have shown these agencies are aware that a majority of business continuity plans do not include documented manual recovery processes, and in early 2007 these agencies will demand critical department(s) to provide proof of their documented manual recovery processes.

The needs change for a larger organization in terms of scale, scope, and technology — but not in terms of planning. Regardless of size, a BCP is a process of planning for disruption so that an organization can continue its critical operations during the disruption and make a smooth recovery when the crisis has abated.

¶1512 What Is a Disaster Recovery Plan?

Many people think the term “disaster recovery” encompasses both business continuity and disaster recovery. This is a problem because, as the definition in ¶1510 illustrates, within the information technology field disaster recovery pertains only to the recovery of data files and perhaps a physical location. It is a subset of the BCP, and its purpose is to recover essential information technology (IT) systems, at least to some degree, in the event of a disruption or a disaster. A DRP has a short-term focus on the continuity of services during the disaster period, whereas the BCP is long-term focused and is designed to normalize operations. The DRP addresses

◆ the data center recovery;

◆ user operations during a disaster;

◆ protection of data and information;

◆ IT service capacity and availability during a crisis; and

◆ the restoration of all systems from the disaster recovery mode.

The structure of each DRP will be driven mostly by the organization’s tolerance (or lack of tolerance) for the unavailability of the system. The size of the organization is not necessarily a determining factor. A small office serving a highly critical function (for example, an ambulance dispatching call center) may need aggressive backup schedules and system redundancies to avoid even minute disruptions in service, while a larger division with more system resources may be able to tolerate a down period of multiple days or even weeks.

The disaster recovery plan should proceed in a logical and sequential fashion. In the restoration of a network, for example, network servers should be restored first before turning efforts to workstations and peripherals, such as printers and scanners.

TIP

Don’t count on your technology experts to know whether the printers in claims processing are more important than the databases that support finance. With complex systems, appropriately prioritizing the steps of the disaster recovery plan will require close coordination between business operations and IT managers.

The information technology group should not be expected to be business application use experts — and under HIPAA and Sarbanes-Oxley, the IT group would be prohibited from accessing certain financial and health care information, based on access and “need-to-know” requirements. To expand the horizons of disaster recovery, the organization must include business users, business data owners, and business managers in the process. This is where the separation must be made and kept — business continuity is a business function for the business departments and a support function for the information technology department.

¶1513 What Is a Contingency Plan?

A contingency plan is a response plan for systems or operations failure in order to re-establish operations, including computer systems. See ¶1510. As such, it encompasses some of the disaster recovery focus (data and technology) and some of the business continuity plan (maintenance of business during the emergency).

The HIPAA security rule actually consolidates the disaster recovery and business continuity processes into an administrative safeguard standard and labels it “contingency plan.” The standard, in §164.308(a)(7), has five implementation specifications:

(1) Data backup plan (Required)

(2) Disaster recovery plan (Required)

(3) Emergency mode operations plan (Required)

(4) Testing and revision procedures (Addressable)

(5) Applications and data criticality analysis (Addressable)

Both business operations and technology are present in these five specifications.

The HIPAA security rule (reprinted at ¶10,008) requires covered entities to implement the first three; the other two are addressable. As noted in ¶1500, states like Michigan have decided that all five will be required for an overall contingency plan as part of their audit requirements.


¶1520 The Personnel Requirements

No matter what the level of sophistication, no contingency plan will be effective unless the proper personnel, supported by senior management, are involved in the design, creation, and implementation of the plan.

¶1521 The Need for Involvement by Senior Management

Unless you have a team within the organization that is dedicated to developing recovery plans, you will need to develop a strong relationship within each department at all management levels. This, the authors know from experience, is not easy to do.

Motivation is the key to accomplishing this. The authors, in their role as consultants, ask the executive team to tie management bonuses and increase percentages to completion of the contingency plan tasks. It is up to you to develop the needed relationships and show the value that will be obtained from developing, testing, and maintaining the plan.

The authors have used both the compliance department and (in the case of public companies) the internal audit department within the company for support in explaining the legal and regulatory requirements imposed by both HIPAA and Sarbanes-Oxley.

¶1521.1 Starting from Scratch

While senior management involvement and commitment is essential to the success of a contingency plan, it is without a doubt the most difficult to achieve because most companies have not experienced a major disaster, and without that experience it is not easy to get sufficient attention, funding, and support. The reasons for ignoring contingency planning, in the authors’ experience as “hands-on” planners, are represented by these rationalizations:

(1) Why should we expend money on this type of project when the return on investment (ROI) cannot be measured until a very unlikely event occurs?

(2) We keep all of our tapes offsite, and when we do need them, we can get them for restoring our system.

(3) We have business continuation insurance that will provide coverage if we have a disaster.

(4) Our management is running the business. They do not have time to make these detailed plans that will never be used.

(5) What is the budget going to be?

(6) How long is this going to take?

(7) How do we know it is going to work?


¶1521.1.1 Why Expend Money?

The argument about ROI can be answered by doing a simple math problem: look at gross income, and then divide it by 365.

Gross income / 365 = Delayed or Lost Daily Income

This will provide you with the income that at the very least will be delayed for each day the business cannot function. You can add to that the loss of business to competitors, stockholder value (if public), and eventually regulatory fines and sanctions.

¶1521.1.2 Restoring Back-Up Tapes

This is such an interesting statement, because unless you have a back-up site or have contracted with a vendor, how are you going to restore these tapes? The authors have been told several times that the tapes have been used to restore user files, and even database files, but seldom have they found that a complete system restoration has occurred within any organization that does not have a DRP. We have also found that critical tapes needed for a month-end restore had been written on a tape drive that the recovery center no longer owned.

TIP

A point to consider — any tape over a year old may not be restorable.

¶1521.1.3 Business Continuation Insurance

Someone had better review the provisions of the policy — it will clarify that “due diligence to properly maintain, secure, and restore business functions” is part of most policies that are issued. For example, CNA, one of the largest insurance carriers and underwriters, requires proof of annual testing for recovery and security intrusion for all eCommerce sites that it insures.

¶1521.1.4 Management Does Not Have Time

This is a simple problem that is caused by lack of support from top management. Management will only follow the person at the very top — so if the top executive does not understand what will be lost when a disaster occurs, management will never have the time. This is more of an issue with a private company, less so with a public company. With the continuing pressure on public companies to come to grips with the potential of terrorist, pandemic, electrical, and weather disruptions, the regulatory demands for a contingency plan for public companies soon will no longer be an option.

For example, as discussed in ¶1500, the Sarbanes-Oxley Act is forcing publicly held companies to create business continuity and contingency plans. This mentality is also being adopted by nonprofit organizations as signals of good governance.


¶1521.1.5 What Is the Budget?

While this is difficult to answer, the authors have found over their years of experience that an allocation of 10 percent of the IT budget is usually required for an effective contingency plan. (Experience has shown that the usual allotment is 3 percent or less.)

The budget encompasses the following expense areas:

◆ Software. The authors suggest a Web-based solution that would run from 60K to 500K depending on several factors. But software can be found that will at least provide automated Word documentation under Windows from 200 to 8K, so no excuses, please!

◆ End-user training. In some cases you will need to have temporary help for critical area coverage. If so, this should be noted as a potential recovery issue.

◆ Consulting support. Consultants can be great resources and should be considered for any of the areas where you would need support or mentoring.

◆ Testing. Even if you have your own back-up site, you should test the availability of public transportation to get there. If you are using a vendor, test the accessibility of the vendor during an emergency.

◆ Meals and overtime. Yes, people do need nourishment, and because staff may be working intense, long hours, be sure they will have the necessary food and water to keep them going.

◆ Materials. The simple things are usually not thought of — pencils, paper, flip charts, flash lights, glow sticks, and even people, are sometimes overlooked.

¶1521.1.6 How Long Will It Take?

A standard approach to contingency planning, the authors have found, will require an average of 120 hours per department and will have a time lapse of about two months if everyone cooperates. The authors favor a consolidated approach that uses a pre-determined set of “strike teams” (see ¶1522). This approach is more effective and helps with top management buy-in.

¶1521.1.7 How Do We Know It Will Work?

The authors love this question because the answer is straightforward — test, test, and test some more. Ensuring that the plan works and is as tight and correct as possible takes a minimum of three initial tests. The authors recommend rotating department tests during the year, with the annual test covering the entire company. In a public company the chief operating officer (COO) is the person with the ultimate responsibility, but from a Sarbanes-Oxley point of view any personnel with top-level executive responsibility are targets if a company cannot maintain its financial viability. In this case it will work eventually, because the COO and the management team will need to attest that it does. In a non-public company it is the CIO who is betting his future as well as the company’s — so at some point, the CIO should have enough moxie to get the point and say, “Just do it!”


¶1522 The Strike Team Approach to Contingency Planning

Every department within any organization has its “expert,” and if it is lucky it has experts that are multi-talented, and if it is really lucky, it has multi-talented experts that are willing to be part of or lead a “Strike Team.” The authors highly recommend the Strike Team approach.

To get these prime players and back-ups to be leaders or members of a strike team takes a combination of knowing the company and department dynamics and being a good salesperson.

Usually these experts are "company people," so helping would be natural for them; the issue is simply that no one has asked.

In a perfect set of circumstances these teams would be identified after management has bought into the concept of "Let's keep the company going after a crisis," but unfortunately it often takes action from the people who really are the "heart and soul" of the company to get the point across.

The "ground-swell" concept can work to the entity's advantage if senior management is not buying into the importance of contingency planning. Start with what you consider the primary "critical" department, and work with them to build a small and powerful team with back-ups.

This will give you a base for some upward motivation through newsletters and training sessions. Remember: small, smart, motivated teams are the best.

¶1522.1 The Three Levels of Strike Teams There are three levels of “Strike Teams,” and for a business to recover quickly, it is the authors’ view that they all are critical. The teams have some of the same characteristics:

◆ The members have expert knowledge in more than one area.

◆ The members are willing to be involved in the recovery.

◆ The members can step up to a leadership role if necessary.

◆ The members must all be trained and certified in basic Red Cross medical skills.

Each of the levels also has specific authority and responsibilities.

¶1522.1.1 Level One – Executive Level Team Members

The Level One Strike Team members—

◆ can make the financial decisions and have the appropriate board of directors' approval to operate the business in a crisis mode;

◆ are responsible for all media communications and have the skills for interfacing with all levels of media;


◆ are responsible for determining areas to relocate to and have the authority to enter into leases or rental agreements; and

◆ are responsible for maintaining and invoking the internal emergency communication protocol.

¶1522.1.2 Level Two – Senior Management Level Team Members

The Level Two Strike Team members—

◆ can manage recovery teams;

◆ can obtain immediately needed supplies and equipment;

◆ understand the corporate needs and priorities;

◆ can stand in for Level One management; and

◆ must have the ability to cover more than one critical area if needed.

¶1522.1.3 Level Three – Operational Teams

The Level Three Strike Team members—

◆ include management and direct knowledge experts;

◆ must have outside contacts that will support recovery efforts;

◆ must have the skills to maintain relationships with outside emergency crews;

◆ must be able to communicate remotely if needed; and

◆ must have strong and direct communication skills to ensure that issues discovered are documented and addressed in the appropriate priority sequence.

These teams would be identified on the recovery plans as the primary contacts and call out members for the department that they cover and serve.


¶1530 Developing an Effective Contingency Plan

So what is involved in putting together the contingency plan? According to the documentation on contingency planning issued by the National Institute of Standards and Technology's (NIST) Computer Security Resource Center (CSRC), the following procedure should be used to develop the plans:

(1) Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.

(2) Conduct the business impact analysis (BIA). The BIA, which encompasses an Applications and Data Criticality Analysis, identifies and prioritizes systems and components, including data and applications, that are critical to business operations. For purposes of HIPAA security, these would be data that are electronic PHI (EPHI) and the hardware and applications that use and store EPHI.

(3) Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system and service availability and reduce contingency life cycle costs.

(4) Develop recovery strategies, including emergency mode operations. Thorough recovery strategies ensure that the system and operations may be recovered quickly and effectively following a disruption.

(5) Develop a data backup plan and disaster recovery plan. These plans are detailed guidance and procedures for restoring a damaged system and recovering data.

(6) Test the plan and provide training and exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation. Both activities improve plan effectiveness and overall preparedness.

(7) Maintain the plan. The plan should be a living document that is updated regularly to remain current with system enhancements.1

Before expending any effort to develop a plan, management and other personnel must buy into the concept of, and the need for, contingency planning. See ¶1520.

¶1531 Contingency Planning Policy

The policy statement is essential to set the overall objective and scope of the contingency plan. The policy should define the organization's overall contingency objectives, establish the organizational framework, roles, and responsibilities for contingency planning, and address the scope, resource requirements, training, testing, plan maintenance, and backup requirements. The policy does not need to be lengthy but should capture these elements.

1 National Institute of Standards and Technology, Special Publication (SP) 800-34, Contingency Planning Guide for Information Technology Systems, p. v; SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule, Ch. 4, 4.7 (http://csrc.nist.gov/publications/nistpubs/index.html).


Figure 1531–1 Sample Contingency Planning Policy Statement

XYZ Health Care Contingency Planning Policy

[Covered entity] shall develop contingency plans for each major application or general support system to meet the needs of critical IT operations in the event of a disruption extending beyond 72 hours.

The procedures for execution of such a capability shall be documented in a formal contingency plan by the [designated position such as Contingency Planning Coordinator] and shall be reviewed annually and updated as necessary by [designated position].

The procedures must account for backups every [indicate frequency] and sent to [designated location].

The plan should assign specific responsibilities to designated staff or positions to facilitate the recovery and/or continuity of essential IT functions.

Resources necessary to ensure viability of the procedures shall be acquired and maintained.

Personnel responsible for target systems shall be trained to execute contingency procedures.

The plan, recovery capabilities, and personnel shall be tested annually to identify weaknesses of the capability.

The sample policy in Figure 1531-1 is not specific to HIPAA; instead, it represents the company's commitment to contingency planning throughout the company. A covered entity must have a contingency planning policy that addresses the HIPAA security requirements specifically. ¶1429 presents a sample policy addressing the HIPAA contingency plan; the process for obtaining information and writing the plan is the same as for a company-wide plan, only on a smaller scale.

¶1532 Business Impact Analysis (BIA)

The policy statement is essential to set the overall objective and scope of the contingency plan, but the most important stage, from an implementation perspective, is the business impact analysis (BIA). As its name implies, the BIA is an attempt to determine the impact on the staff and the business if a particular disaster occurs. (The word "attempt" is used because no one can determine the actual impact of a disaster; each is different in scope and magnitude.)

The BIA begins with a business assessment. The purpose of the business assessment is to gather information in order to determine the importance of each component of the organization and identify those areas critical to the continuing operation of the company during a time of recovery.

The HIPAA security rule specifies an Applications and Data Criticality Analysis as an addressable standard, but unless the covered entity is creating a contingency plan for HIPAA only, it is likely that HIPAA contingency planning will address HIPAA security in the context of a larger plan. Because the standard is addressable, covered entities may scale the scope of the BIA to the size and complexity of the organization.

The following questions must be answered to ascertain criticality, roles and responsibilities, and resources:

(1) What are the critical departments? Start with those that need to be recovered within 72 hours for the business to be operational. Classify when each needs to be operational after a disaster. The required time frames are determined from the analysis provided by both a risk assessment and a business impact assessment.

(2) What plans, if any, currently exist? Can they be recycled? What are the lessons learned?

(3) When are the critical time periods for data processing, reporting, etc.?

(4) Who are the top 10 executives who understand your business and its strategy? These will be crucial to knowledge and eventual support.

(5) Who can step into the main leadership role if a replacement is necessary?

(6) Which departments are the most likely supporters? In the authors’ experience, either internal audit — if one exists within the organization — or the compliance department within health care is useful because they are aware of the state and federal regulations. These supporters will be helpful in obtaining the information required and usually are the departments that have the “regulatory” clout and executive visibility that will be required.

(7) Which vendors that you define as critical have provided you with their plans? This is always a good source of information and may make you evaluate whether to require a plan from your vendors as a condition of doing business.

(8) Who are your competitors?

(9) What regulatory bodies are involved in controlling your industry? Do not forget about state and local authorities.

(10) Do any major customers require you to have a plan? Many contracts require a contingency plan.

(11) Is there a budget for contingency planning? If not, then you will need to use your skills with senior management.

(12) What is the understanding of the HIPAA requirement?

HIPAA-specific considerations to assess the relative criticality of specific applications and data in support of other contingency plan components include the following key activities and questions:

◆ Identify the activities and material involving EPHI that are critical to business operations.

◆ Identify the critical services or operations, as well as the manual and automated processes that support them, involving EPHI.

◆ Determine the amount of time the organization can tolerate disruptions to these operations, materials, or services (e.g., due to power outages).

— What hardware, software, and personnel are critical to daily operations?

— What, if any, support is provided by external providers (Internet service providers, utilities, or contractors)?

— What is the impact on desired service levels if these critical assets are not available?

— What is the nature and degree of impact on the operation if any of the critical resources are not available?2

Answers to these questions require a lot of detailed information from departmental managers and higher-level executives. This information can be gathered by requesting the departments/executives to complete questionnaires and/or by interviewing them, using a format such as the one in Figure 1532-1.

The contingency planning team must become an “expert” about the business and its critical departments. This takes a thorough investigation by qualified, experienced individuals because every factor must be examined, from current network architecture to the history of natural disasters in the organization’s location.

TIP

Do not forget that what your company considers a critical department may not be a critical department to state or federal regulators.

¶1532.1 BIA Interview Questions

To gather the information necessary for the BIA, use a current and certified organization chart to identify all business units within the organization. Ask each unit to complete the relevant parts of the BIA form, such as the one in Figure 1532-1, and then interview key members of each unit. The interviews should eventually cover all areas to ensure that critical interfaces are not overlooked. Figure 1532-1 has several parts:

◆ Page 1 summarizes the information gathered from each department regarding departmental operations that would be disrupted in the event of a disaster.

◆ Part A, "Criticality Analysis," asks each department to provide information on the department's critical functions. The department completes Part A for each critical function.

◆ Part B, "Facilities and Equipment Requirements," gathers information on facilities and equipment to determine which items are required at each point in time in a disaster cycle.

◆ Part C, "Business Impact Summary," assesses the computer applications and documentation necessary for operations.

2 National Institute of Standards and Technology, SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule, Ch. 4, 4.7, (http://csrc.nist.gov/publications/nistpubs/index.html).


Figure 1532-1 BIA Questions and Data Collection Forms

BUSINESS IMPACT ANALYSIS
SUMMARY OF BIA DEPARTMENTAL QUESTIONNAIRES AND INTERVIEWS                          BIA Page 1

Date ___/___/_____                  Interviewer: ______________________
Department Name: ______________________    Contact Name: ______________________

Interviewee Name(s):                                                   Ext.:
1. ____________________________________________________________        _______________________
2. ____________________________________________________________        _______________________
3. ____________________________________________________________        _______________________

Vendor Requirements:
Internal Department Dependencies:
Primary Internal and External Customers:
Are manual procedures documented?   YES   NO

Potential effects of disruptions                 Time frames
                                                 < 6 hrs | 1 Day | 2 Days | 3 Days | > 10 Days
Direct loss of operating income (quantify $)
Loss of members / providers
Exposure to fines and regulatory penalties
Loss of staff productivity
Exposure to litigation and adverse awards
Inability to service organizational units


Figure 1532-1 BIA Questions and Data Collection Forms (continued)

A. CRITICALITY ANALYSIS                                                             BIA Page 2

Please complete this form for EACH critical function.

Function/Activity: ________________________________________

1. What deadlines does your department meet for this function? (Please circle)
   Daily   Weekly   Monthly   Quarterly   Semi-annually   Annually   Other

2. What other departments directly depend on this function?

3. Is this a deferrable function? (Please circle)   YES   NO
   If no, enter required resumption time:   Hours   Days   Weeks   Months
   If yes, enter maximum time deferrable:   Hours   Days   Weeks   Months

4. Can this function be performed manually?   YES   NO
   If yes, how long would it take?   Hours   Days   Weeks   Months

5. Does this function need to be done within certain hours of the day?   YES   NO

6. Can this function be performed at an employee's home?   YES   NO
   If yes, do they have access?   YES   NO

7. Is this function supported by a mainframe computer?   YES   NO
   If yes, enter the application name.

8. Is this function supported by any nonstandard software?   YES   NO
   If yes, please describe.

9. Is this function supported by any nonstandard hardware?   YES   NO
   If yes, please describe.

10. Is this function supported by a contractor?   YES   NO
    If yes, please provide contact information and describe the contractor's role.


Figure 1532-1 BIA Questions and Data Collection Forms (continued)

A. CRITICALITY ANALYSIS (continued)                                                 BIA Page 3

Function/Activity: ________________________________________

11. Reports produced?   YES   NO   If yes, circle all applicable.
    Name: ______________________   Hard Copy   Online   Critical for Recovery

12. Reports received?   YES   NO   If yes, circle all applicable.
    Name: ______________________   Hard Copy   Online   Critical for Recovery

13. Departmental resources required to complete the function (such as manuals, hard-copy forms, files, etc.):

14. Is all local critical data that is currently stored on PC hard drives and/or disks properly backed up and stored offsite?   YES   NO

15. If this function could not be performed, what would be the effect on the corporation (operationally, financially, legal/regulatory, business loss, etc.)? If possible, please apply an estimated dollar loss.

16. Based on Item 15, how critical is this function to maintaining minimal business operations? (Circle level)

Level 1: The loss of the applications, systems, or data will cause sufficient damage to the business to threaten the existence of the business. The damage is generally beyond the ability of the business to manage. Recovery time: 24 hours

Level 2: The loss of the applications, systems, or data will disable one or more elements of the business. The damage is generally manageable but may be irreparable. Recovery time: 72 hours

Level 3: The loss of the applications, systems, or data will impair one or more elements of the business. The damage is usually repairable. Recovery time: one week

Level 4: The loss of the applications, systems, or data will disturb one or more elements of the business. The damage is generally confined to inconvenience, reduced morale, etc. Recovery time: one month

Level 5: The loss of the applications, systems, or data will interrupt one or more elements of the business. The damage is limited to delay. Recovery time: one month or greater


Figure 1532-1 BIA Questions and Data Collection Forms (continued)

B. FACILITIES AND EQUIPMENT REQUIREMENTS                                            BIA Page 4

Function/Activity: ________________________________________
Department: ______________________   Please indicate any special needs (e.g., wheelchairs, ladders, special phones):

1. How many square feet of office space are needed to process critical work?

2. Do all personnel need to be located in the same building/area?

Inventory Requirements

                        Current      Equipment required for a disaster lasting
                        Inventory    24 hours | 3 days | 1 week | 1 month | > 1 month
Furniture
  Desks
  Chairs
Equipment
  Computers
    Standard
    Nonstandard
  Printers
    Standard
    Nonstandard
  Modems
  Calculators
  Shredders
  Copiers
  Fax machine
  Telephone


Figure 1532-1 BIA Questions and Data Collection Forms (continued)

C. BUSINESS IMPACT SUMMARY                                                          BIA Page 5

List the main tasks conducted/completed in your department.

I. Please list company-owned local computer applications used in your department (not maintained and installed by corporate MIS).

   System | System Owner Name | Daily, Weekly, Monthly Usage | Resumption Time | Dept. Manager

II. Please list information/documents that are CRITICAL TO IMMEDIATE BUSINESS RESUMPTION. Indicate the type of documentation, classification, location, information stored, current processes for duplication, and backup information.

   Document | Type of Documentation / Classification | Location of Documents | Duplication / Backup Process / Location | Dept. Manager

III. In order of importance, please list all information that is a primary component of your business operations but is not critical to the immediate resumption of business operations.

   Document | Type of Documentation / Classification | Location of Documents | Duplication / Backup Process / Location | Dept. Manager

IV. Please list any outside sources that provide critical information and relate them to the critical functions identified. Include contact information.

   Function: ________________        Function: ________________
   Name: ________________            Name: ________________
   Phone: ________________           Phone: ________________
   E-Mail: ________________          E-Mail: ________________
   Web page: ________________        Web page: ________________
   Address: ________________         Address: ________________


Figure 1532-1 BIA Questions and Data Collection Forms (continued)

C. BUSINESS IMPACT SUMMARY (continued)                                              BIA Page 6

IV. List of outside sources and contact information (continued)

   Function: ________________        Function: ________________
   Name: ________________            Name: ________________
   Phone: ________________           Phone: ________________
   E-Mail: ________________          E-Mail: ________________
   Web page: ________________        Web page: ________________
   Address: ________________         Address: ________________

V. Do you have a current list of contact information for your critical recovery team? Please indicate the last time it was updated. When was the last time "test calls" were made?

VI. Has your critical recovery team been notified individually? Have they been cross-trained? If not, please explain.

VII. Does your critical recovery team have the telephone and contact information they need if there is an incident and they need to declare a disaster?

¶1532.2 Working with the Results of the BIA

There is only one reason for the BIA: to develop and prioritize the recovery strategy or strategies and then to develop a plan for implementing them. Several components of the strategy need to be developed. This section addresses the major ones, but be aware that this is a moving target and will change as the organization changes. Figure 1532-2 sets out strategy options that a company may pursue.

One step recommended by NIST (see ¶1530) is to identify preventive controls, that is, measures that can be taken to reduce the effects of system disruptions. The list of risks developed during the risk assessment can be used to identify actions that will serve as preventive controls. The recovery strategy may be a combination of preventive measures and recovery techniques and technologies. Figure 1532-3 is a simple example of this strategy.


Figure 1532–2 Potential Strategy Development

Strategy: Comments

No Strategy
Too many companies have no strategy because they are in a state of denial: "It won't happen to us." The authors believe that regulatory pressures will force public companies to adopt one, but nonpublic companies also need to abandon this mentality.

Relocate, Rebuild, Restore
This really is impractical unless you are very small and have only a few PCs. A larger company will be able to sustain a stay at a disaster recovery site for at most six weeks before the financial burden eliminates all profits (if any). Remember: the first to declare is the first serviced; the others wait!

Cold Site
This is usually a site that is ready to go once the equipment arrives. As you can surmise, this would certainly take at least a week for preparation and implementation, if your crew is available and the equipment shows up.

Hot Site
Commercial hot sites are designed to recover a computer facility within 12 to 72 hours, depending on the company's budget. It is still first-come, first-served.

Hot Site with Electronic Vaulting
When the data is backed up, the output is transmitted to an intermediate location or to a hot site for storage.

Active Recovery Site (Mirrored)
This involves two active sites, each capable of taking over the other's workload in the event of a disaster. With this strategy the amount of data lost depends on the available bandwidth between locations.

Communications Recovery
This is a critical strategy that will require experts to be involved from different areas.

Voice Communications
Redundancy should be a consideration because communications must be available not only for member/customer/provider contact but for employee contact as well.

Data Communications
If the business uses multiple carriers, understand what the service level agreement is; it may allow a longer downtime than you think. You really need to have a description and drawing of your network.

Facilities
Maintain contacts with a major real estate broker who can help you obtain office space as quickly as possible.

Power
• Diesel generator. This has maintenance and cost issues but, depending on your location, might be the best alternative.
• Linkages. Create linkages to several power substations and have each connect to your facility at a different location. This provides a safe harbor if one substation goes down.
• Wire for a diesel generator just in case. There are firms that specialize in providing generators during an emergency.

Staff Recovery
You must have not only a strategy to contact your employees but also one to obtain temporary help in case getting into work is not possible.

Vendor Selection
Most companies have not considered this strategy because they have become very comfortable with their vendors. All critical vendors should have alternates identified, and occasional ordering from the alternates to establish a credit relationship should be considered.

Plan Strategies
Development of plans must be considered from the point of view of what is needed to get back into a viable state of business that will maintain, and provide as much assurance as possible of, a full restoration of the business.


Figure 1532–3 Sample Risk and Mitigation Assessment

Threat: Mitigation Measures

Severe Storms / Hurricanes
• Doors are fortified. • Windows can easily be protected.

Fire/Explosion
• Fire detection is installed. • Employees are trained on proper procedures.

Power Loss
• On-site power is available. • Critical equipment is protected.

Floods
• Data is backed up and stored elsewhere. • Paper documents are stored in protective areas.

Earthquake
• Tie-downs are used on critical equipment.

External Risks
• Visitor entry is monitored. • Electronic entry is required to sensitive office areas.

Data Processing
• Vendors are established to deliver replacement equipment. • Virus checking is conducted. • Access to files is controlled.

Internal
• Background checks are conducted. • Computer operations areas have controlled access.

The NIST guide to implementing the security rule recommends the following to develop the recovery strategy relevant to EPHI:

Key Activities

◆ Finalize the set of contingency procedures that should be invoked for all identified impacts, including emergency mode operation. The strategy must be adaptable to the existing operating environment and address allowable outage times and associated priorities.

◆ Ensure, if part of the strategy depends on external organizations for support, that formal agreements are in place with specific requirements stated.

The BIA has provided us with a picture of what is called the "recovery time objective" (RTO). While this is an important measurement to understand, there is another measurement that must be considered: the amount of data loss that can be tolerated, termed the "recovery point objective" (RPO). The actual loss in an incident is measured by taking the time of the disaster and subtracting the time of the last recoverable transaction, for example, the time of the last successful system backup; the RPO is the maximum that figure is allowed to be. RPO and RTO are both major drivers of strategy selection.
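As an added example (not code from the original page), the RPO and RTO measurements described above can be turned into a concrete check: given a function's criticality level from Figure 1532-1 item 16, the strategy chosen from Figure 1532-2, and a backup history, does the strategy meet the RTO and does the last successful backup meet the RPO? The backup log, the conversion of "one month" to 30 days, and the recovery times assumed for electronic vaulting and a mirrored site are constructed assumptions, not figures from the page; the cold-site and hot-site times restate the page's "at least a week" and "12 to 72 hours."

```python
from datetime import datetime

# Recovery time objective (RTO) in hours for each criticality level, from
# Figure 1532-1, item 16: Level 1 = 24 hours, Level 2 = 72 hours,
# Level 3 = one week, Level 4 = one month, Level 5 = one month or greater.
# Converting "one month" to 30 days is this example's assumption.
RTO_HOURS_BY_LEVEL = {1: 24, 2: 72, 3: 7 * 24, 4: 30 * 24, 5: 30 * 24}

# Worst-case recovery time in hours offered by each strategy in Figure 1532-2.
# The cold-site and hot-site figures restate the page ("at least a week",
# "12 to 72 hours"); the other two are assumptions for illustration only.
STRATEGY_RTO_HOURS = {
    "cold site": 7 * 24,
    "hot site": 72,
    "hot site with electronic vaulting": 72,
    "active recovery site (mirrored)": 1,
}


def parse_backup_log(lines):
    """Parse constructed backup-log lines of the form
    '<ISO-8601 timestamp> <backup kind> <OK|FAILED>' and return the
    timestamps of successful backups only. A failed backup is not a
    recovery point, which is exactly the case that quietly blows the RPO."""
    points = []
    for line in lines:
        timestamp, _kind, status = line.split()
        if status == "OK":
            points.append(datetime.fromisoformat(timestamp))
    return points


def data_loss_hours(disaster_at, recovery_points):
    """Actual data loss for an incident: disaster time minus the time of the
    last recoverable point that precedes it (the page's definition)."""
    usable = [p for p in recovery_points if p <= disaster_at]
    if not usable:
        raise ValueError("no recoverable point exists before the disaster")
    return (disaster_at - max(usable)).total_seconds() / 3600.0


def assess(level, strategy, rpo_hours, disaster_iso, backup_log):
    """Compare one function's RTO and RPO with what the chosen strategy and
    the real backup history deliver. Returns a dict the caller can report."""
    rto_hours = RTO_HOURS_BY_LEVEL[level]
    strategy_rto = STRATEGY_RTO_HOURS[strategy]
    loss = data_loss_hours(datetime.fromisoformat(disaster_iso),
                           parse_backup_log(backup_log))
    return {
        "rto_hours": rto_hours,
        "strategy_rto_hours": strategy_rto,
        "rto_met": strategy_rto <= rto_hours,
        "rpo_hours": rpo_hours,
        "data_loss_hours": loss,
        "rpo_met": loss <= rpo_hours,
    }


# Constructed sample backup log: nightly full backups at 02:00, the most
# recent of which failed.
SAMPLE_BACKUP_LOG = [
    "2014-03-10T02:00:00 full OK",
    "2014-03-11T02:00:00 full OK",
    "2014-03-12T02:00:00 full FAILED",
]


def demo():
    """A Level 2 function (72-hour RTO) with a 24-hour RPO, recovered at a
    hot site after a disaster at 14:30 on 2014-03-12."""
    return assess(level=2, strategy="hot site", rpo_hours=24,
                  disaster_iso="2014-03-12T14:30:00",
                  backup_log=SAMPLE_BACKUP_LOG)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The failed-backup case is the point: the RPO a plan claims and the data loss an incident actually produces are different quantities. The plan may say 24 hours, but one missed nightly backup makes the real figure 36.5 hours, which is why item 14 in Part A asks whether local data is properly backed up and why the test schedule in Section 7 of the plan matters.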

By using some variation of the data collection forms above, you should be able to develop a good base of information to analyze and use in development of the recovery plans for each department or division.

The BIA information should yield answers to the following questions, which will contribute to realizing the objectives:


◆ Have procedures related to recovery from emergency or disastrous events been documented?

◆ Has a coordinator who manages, maintains, and updates the plan been designated?

◆ Has an emergency call list been distributed to all employees? Have recovery procedures been documented?

◆ Has a determination been made regarding when the plan needs to be activated (anticipated duration of outage, tolerances for outage or loss of capability, impact on service delivery, etc.)?

¶1533 The Plan Itself

Figure 1533–1 sets out an outline of a typical plan, which has been developed by following the basic guidelines of the various professional associations. This will serve as a good starting point for the development of plans that will meet the current regulatory requirements of HIPAA, NCQA, and others.

The plan has seven sections:

Section 1: Initial Instructions

A. While at Work

B. While Away from Work

Section 2: Contact Information

A. Strike/Recovery Team List

B. Employee Contacts and Alternates

C. Alternate Communications

Section 3: Business Recovery Information

A. Critical Functions List

B. Critical Functions Procedures

C. Critical Function Documentation

D. Temporary Work Location Requirements

E. ‘Grab Box’ Contents

F. Employee Redeployment Information

G. Contacts, Contracts, and Resources

Section 4: Vital Records

A. Vital Records Inventory

B. Vital Records Restoration Procedures

Section 5: Assets Inventory and Special Instructions

Section 6: Plan Update Schedule and Record

Section 7: Plan Test Schedule and Record

At the end of the plan is a Disaster Recovery Business Continuity Skill Matrix and Telephone Log.


Figure 1533–1 Outline of Contingency Plan

XYZ HEALTH CARE CONTINGENCY PLAN

SECTION 1: INITIAL INSTRUCTIONS (REVISED: XX/XX/XX)

A. WHILE AT WORK

ACTION (responsible individual(s) shown in brackets)

1. When the alarm sounds, evacuate the building via the nearest exit, as instructed by the Floor Wardens. [Entire Department]

2. Take the available Evacuation Kit and any cell phones, beepers, chargers and/or laptops, as time permits. [Entire Department]

3. Go to designated (parking lot) safe refuge area and assemble staff. [All Employees]

4. Notify the Floor Warden of any injured or missing employees. [All Employees]

5. Receive personnel injury and missing reports from Floor Warden. [Incident Commander]

6. Instruct all employees to remain at assembly area until further instructions are given. [Department Manager]

7. Refer to Section 3, Critical Functions, to determine which staff must remain to perform critical functions, if employees are released for the day. [Department Manager]

8. If employees are released, maintain a record of all Department employees as they leave the assembly area. (For transportation assistance, see ________________.) [Department Manager]

9. If the Department has critical functions which must be performed within the first 24 hours following the event, assemble the Department Recovery Team. [Department Manager]

10. Ensure that all critical functions are being performed by the Department Recovery Team. Schedule a progress meeting with the Department Recovery Team members. [Department Manager]

11. If you are designated to report to the emergency operations center (EOC), proceed there once you are notified that it has been activated. Refer to _______ for directions and access instructions. [All Assigned Employees]

B. WHILE AWAY FROM WORK

1. If you are injured or unable to perform your assigned functions, contact your alternate: Name ____________________ Home: _____________ Cellular: ______________ Pager: _____________

-OR-

2. If you are able to perform your assigned functions, and it is during work hours, contact your alternate to obtain status of situation — whether the EOC has or will be activated and whether it is necessary for you to report.

• If the EOC has not been activated, see Section 3, Critical Functions.

• If you are designated to report to the EOC and the EOC has or will be activated, see EOC Critical Functions.

-OR-

3. If it is after work hours, use the Call-Out List to notify appropriate Department employees. [Department Manager]


Figure 1533–1 Outline of Contingency Plan (Continued)

SECTION 2: CONTACT INFORMATION

A. STRIKE TEAM/RECOVERY TEAM LIST (REVISED: XX/XX/XX)

(DO NOT LEAVE MESSAGES ON ANSWERING MACHINES)

Columns: Name and Address | Telephone Numbers (Work, Home, Cell, Pager, Other) | E-mail | Current Medical Certification | Comments

Add additional strike team/recovery team names and numbers.

B. EMPLOYEE CONTACTS AND ALTERNATES (REVISED: XX/XX/XX)

Columns: Name and Address | Telephone Numbers (Work, Home, Pager, Cell) | Alternate (Name, Address; Work, Home, Pager, Cell)

C. ALTERNATE COMMUNICATIONS (REVISED: XX/XX/XX)

EMERGENCY HOTLINE: T.B.D. __________________________ This number will provide employee reporting information and other pertinent information at the time of an event.

If On-Site Phone System is Down:
• Public Pay Phones: Location / Number
• Other Phones: Location / Number

If Public Telephone Network is Congested:
• Cellular, PCS Phones: Location / Number
• Other Phones: Location / Number


Figure 1533–1 Outline of Contingency Plan (Continued)

SECTION 3: BUSINESS RECOVERY INFORMATION (REVISED: XX/XX/XX)

A. CRITICAL FUNCTIONS LIST

Columns: Action | Responsible Individuals

DAY 1

1.

2.

3.

4.

5.

DAY 2

1.

2.

3.

4.

5.

DAY 3

1.

2.

3.

4.

5.

DAY X

1.

2.

3.

4.

5.


Figure 1533–1 Outline of Contingency Plan (Continued)

SECTION 3: BUSINESS RECOVERY INFORMATION (continued)

B. CRITICAL FUNCTION PROCEDURES (REVISED: XX/XX/XX)

CRITICAL FUNCTION (Day and Action Number below correspond to the list of critical functions in A. above)

Columns: Day | Action Number | Action | Platform & Application | Person Responsible

Day 1, Action 1.
Day 1, Action 2.
Day 1, Action 3.
Day 1, Action 4.
Day 1, Action 5.
Day 2, Action 1.
Day 2, Action 2.

Continue with critical functions.

C. CRITICAL FUNCTION DOCUMENTATION (REVISED: XX/XX/XX)

Columns: Day | Action Number | Describe, insert, or attach additional critical function documentation, such as work flow diagram, chart, tables

Day 1, Action 1.
Day 1, Action 2.

Continue with critical functions documentation for each day/action.

D. TEMPORARY WORK LOCATION REQUIREMENTS (REVISED: XX/XX/XX)

Columns: Time After Event | # Work Stations | Computer Equipment (# & type of PC, printers, other hardware) | Telecommunications Equipment (Phone, fax, modem)

Rows: 1-3 days; 4-7 days; 8-21 days; 22+ days (temporary worksite)


Figure 1533–1 Outline of Contingency Plan (Continued)

SECTION 3: BUSINESS RECOVERY INFORMATION (continued)

D. TEMPORARY WORK LOCATION REQUIREMENTS (continued) (REVISED: XX/XX/XX)

Columns: Unique System Requirements | Unique Telecommunication Requirements

E. ‘GRAB BOX’ CONTENTS (REVISED: XX/XX/XX)

Columns: Time After Event | Equipment | Supplies | Forms, Documents, Instructions | Other

Rows: 1-3 days; 4-7 days; 8-21 days; 22+ days (temporary worksite)

Temporary Work Location Preference: ____________________

F. EMPLOYEE REDEPLOYMENT INFORMATION (REVISED: XX/XX/XX)

Columns: Time After Event | Name (or Unit) | Skills | Contact Information

G. CONTACTS, CONTRACTS, AND RESOURCES (REVISED: XX/XX/XX)

Columns: Agency/Co. | P.O. # | Contact Name/Number | Address | Comments


Figure 1533–1 Outline of Contingency Plan (Continued)

SECTION 4: VITAL RECORDS (REVISED: XX/XX/XX)

A. VITAL RECORDS INVENTORY

Columns: Vital Record | Location | Duplicated? (Y/N) | Off-Site Location

B. VITAL RECORDS RESTORATION PROCEDURES (REVISED: XX/XX/XX)

Columns: Vital Record | Restoration Procedures

SECTION 5: ASSETS (REVISED: XX/XX/XX)

ASSETS INVENTORY AND SPECIAL INSTRUCTIONS

Columns: Asset | Location | Off-Site Location


Figure 1533–1 Outline of Contingency Plan (Continued)

SECTION 6: PLAN UPDATE SCHEDULE

UPDATE RECORD (REVISED: XX/XX/XX)

Columns: Form | Last Date | Revised By | Next Scheduled Revision

INITIAL INSTRUCTIONS

While At Work

While Away From Work

STAFF CONTACT INFORMATION

Call-Out Lists

Staff Contacts and Alternates

Alternate Communications

CRITICAL FUNCTIONS

Critical Functions List

Critical Function Procedures

Critical Function Documentation

Workstation, Computer, and Telecommunication Requirements

Other Resource Requirements

Employee Redeployment Information

Contacts and Resources

VITAL RECORDS

Inventory

Restoration Procedures

ASSETS

Inventory and Special Instructions


Figure 1533–1 Outline of Contingency Plan (Continued)

SECTION 7: PLAN TEST SCHEDULE

TEST RECORD (REVISED: XX/XX/XX)

Columns: Form | Last Date | Tested By | Next Scheduled Test

INITIAL INSTRUCTIONS

While At Work

While Away From Work

STAFF CONTACT INFORMATION

Call-Out Lists

Staff Contacts and Alternates

Alternate Communications

CRITICAL FUNCTIONS

Critical Functions List

Critical Function Procedures

Critical Function Documentation

Workstation, Computer, and Telecommunication Requirements

Other Resource Requirements

Employee Redeployment Information

Contacts and Resources

VITAL RECORDS

Inventory

Restoration Procedures

ASSETS

Inventory and Special Instructions


Figure 1533–1 Outline of Contingency Plan (Continued)

Disaster Recovery/Business Continuity Skill Matrix

Primary Recovery Team Members

Columns: Team Roster | Org. Skills | Process Knowledge | Critical Skills | Lives in Local Area | Local to EOC | VPN Access | Cross Trained | Replace Leader | Medical Training

Russ Arnett | 10 | 10 | 10 | Yes | No | Yes | Yes | Yes | No

Scoring: Blank = No knowledge; 1 = Familiarity; 5 = Highest score for subject knowledge but lacking experience at this company; 10 = Complete mastery of subject and local processes.

TELEPHONE LOG

Department: ____________ Caller: ____________

Columns: Date | Time | Person Called | Phone Number | Not Available | No Ans. | Busy | Comments

Comments: (1) Wrong Number (2) Not Available (3) Answer Machine (4) At alternate Location (5) On the way in (6) Requires management call (7) New number given


TIP

Several states, during annual audits and contract reviews, are demanding to see the actual plans, test results, and evidence of manual procedures for all critical departments. The definition of “critical departments” — those departments that provide direct, critical support to membership and providers — is expanding to include those departments that affect the direct “financial viability” of the health plan, facility, or practice. Both Texas and Michigan require this information from the parent corporation as well, if one exists.


¶1540 Emergency Operations

When a disaster occurs, you are going to need an action plan. In fact, the HIPAA security standard requires covered entities to develop an emergency mode operations plan.

Action plans vary greatly by industry, but all have some common areas, one of which is the basic positions, roles, and responsibilities. These are fairly standard.

The emergency operations and control structure is the “lifeline” for the strike teams (see ¶1522) and will be the communication channels that are used for maintaining the viability of a company under duress. Normally the primary contact would be the Planning/Intelligence Team Leader.

The sample below has been derived from the authors’ experience and the organizations to which they belong and participate.

Figure 1540–1 Sample Action Plan

Emergency Operations and Control Positions, Roles and Responsibilities

Command: EOC Command conducts periodic strategy sessions with the EOC Director and Command Support, determines recipients and contents of all external notifications, and establishes a Long Term Recovery Team, if warranted, to consider and coordinate strategic plan objectives and long-term recovery efforts.

Command Support Team: Command Support offers advice and counsel on legal, medical, compliance, and public relations matters and performs a liaison role with the departments and other health plans.

EOC Director: The EOC Director determines when and where to activate the EOC; manages and coordinates all EOC activities; ensures that all required functions within the EOC are activated, staffed and operated effectively; conducts periodic planning meetings with the EOC Team; and briefs Command and Command Support at strategy sessions.

Operations Team Leader: The Operations Team Leader receives damage reports from the incident commanders. He/she oversees the nonstructural facilities functions, including damage assessment, support, and restoration activities; oversees EOC logistics functions, including emergency procurement and contract processes, vendor notification, and EOC support; and, provides periodic briefings to the EOC Director and EOC Team.

Systems Operations Team Leader: The Systems Operations Team Leader oversees all systems and telecommunications recovery activities and provides periodic briefings to the EOC Director and EOC Team.


Planning/Intelligence Team Leader: The Planning and Intelligence Team Leader oversees all disaster-related personnel activities; ensures that all internal (employee) messages are consistent with external (media) messages; provides current and projected situation status reports; and provides periodic briefings to the EOC Director and EOC Team.

Finance/Administration Team Leader: The Finance/Administration Team Leader oversees all disaster related financial activities; develops short and long term financial strategies as appropriate; coordinates all insurance claims and claims record keeping, and provides periodic briefings to the EOC Director and EOC Team.


¶1550 Testing

The HIPAA security rule lists testing and revisions procedures as an addressable standard; NIST lists, as its sixth step (see ¶1530), “Test the plan... .” The authors recommend three levels of testing, which should occur at different times during the year. All three types of testing require executive management support to assure that they occur and are budgeted. Basics of all tests must include the validation of contact information, directions to emergency gathering locations, and up-to-date information for outside agency contacts. Complete documentation including project plan(s) needed to enhance or correct issues discovered must be kept for later audit review by state or federal regulators. The authors believe that the pressure will be placed on the NCQA to assure compliance before certification of health plans in several states beginning in 2008.

¶1551 Table-Top

This method has a detailed and realistic review of each plan performed step-by-step by each department. The critical part of this test is to ensure that dependencies are clearly defined and understood. This should be a quarterly test, rotated continuously through the organization. Participants must be the recovery team members or their back-ups. Omissions must be documented and corrected before the next test.

¶1552 Critical Areas

This is the method of testing each critical area by making recovery of files and processes mandatory. This should be semi-annual and include a variation of requiring manual processes to be used in place of automated ones.

¶1553 Complete and Corporate-Wide

If you do not perform this test annually, how are you going to know it works? CAN, one of the major insurance companies that insure computer-dependent companies, requires this type of testing to maintain coverage at reasonable costs. Without these tests, the costs and deductibles rise exponentially.


¶1560 Vendors and Partners

You cannot have a complete plan that enables your company to recover when a disaster occurs if your critical vendors or partners do not have a plan themselves. Figure 1560–1 is a sample of a questionnaire a covered entity may ask its vendors to complete.

The objective of the questionnaire is to learn about and understand the business continuity and IT disaster recovery plans of select vendors who are used by your company.

You should consider distributing this type of survey to select vendors and business partners used by groups within the firm and that are critical to your operational readiness. It is anticipated some vendors and business partners will opt not to complete this survey. In these instances, consider extending an invitation to those vendors to address key questions outlined in the survey. If they refuse to participate get a new vendor as soon as possible — they will not be able to help you when a disaster occurs.

Figure 1560–1 General Vendor/Business Partner Resiliency Questionnaire

CRITICAL PARTNER DISASTER RECOVERY QUESTIONNAIRE

ABC Health is assessing their disaster recovery plan and has identified you as a critical partner in our operations. To help us strengthen our plan, we need to know what plans you have for business continuity in the event of a disaster. Please respond to the following questions. Circle Yes or No or other appropriate choice; for narrative questions, please write in the space provided. Use extra sheets if necessary. Return the questionnaire to: Contact name / Address, or e-mail if to be delivered electronically.

If you have any questions, please contact __________________________ at (telephone).

Returned by: Name _________________________________________________________

Date Completed: ______________________

A. BUSINESS CONTINUITY STRATEGY

A1 In the event of a disaster or significant disruption, does your organization have documented plans for business continuity and IT disaster recovery? YES NO

A2 If you answered “Yes” to Question (A1), what type of failure scenarios or outages do you plan for?

1.

2.

3.

A3 If you answered “Yes” to Question (A1), what duration of time is assumed for each type of failure scenario or outage you plan for? Please specify # and hours, days, weeks, months, etc. for each type.

Hrs. Days Wks. Mos.

1.

2.

3.


Figure 1560–1 General Vendor/Business Partner Resiliency Questionnaire (Continued)

A. BUSINESS CONTINUITY STRATEGY (continued)

A4 If you answered “Yes” to Question (A1), does the plan establish critical business functions with recovery priorities? YES NO

A5 If you answered “Yes” to Question (A4), what is the expected recovery time for your critical business functions?

0 - 4 hours _____   4 - 8 hours _____   Within one day _____   1 - 2 days _____   More than 2 days _____   N/A _____

Other (explain) _________________________________________________________________________________________________________________________________________

A6 If you answered “Yes” to Question (A1), does the plan account for interdependencies, both internal and external, to your organization? YES NO

A7 If you answered “Yes” to Question (A1), does the plan cover some, most, or all locations from which you provide your services? Please circle.

Some   Most   All   N/A   Other (please specify) ___________________________________________________________________________

A8 If you answered “Yes” to Question (A1), what percentage of “business as usual” servicing capability is the plan designed to address? Please circle.

1 - 10%   11 - 20%   21 - 30%   31 - 50%   51 - 75%   76 - 99%   100%

A9 Do you have a dedicated team of professionals focused on business continuity and/or IT disaster recovery? YES NO

If you answered “No” to Question (A9), do you use an external BCP/DR service provider to handle your planning needs? YES NO

A11 Is your main IT facility or data center located in the same building or office complex occupied by your main business or operations staff? YES NO

A12 Please provide an illustration or schematic of how your organization’s primary, secondary, and/or tertiary servicing centers are set up to provide redundant services to customers.

B. CRISIS COMMUNICATION

B1 Do you have a documented crisis management process within your organization? YES NO

B2 If you answered “Yes” to Question (B1), does this process cover internal and external communications during a crisis event? YES NO

B3 How would you notify ABC Health of an outage? YES NO

B4 Do you provide ABC Health with detailed contact information in the event of an outage or emergency? YES NO

B5 Please describe how you notify your team of an incident and direct them through the recovery.

C. BACK-UP FACILITIES

C1 Does your organization have an alternate site location for data center recovery purposes? YES NO

C2 If you answered “Yes” to Question (C1), what is the approx. distance between your production (primary) site and alternate (secondary) site for data center recovery purposes? Please specify # and kilometers, miles, city blocks, etc.

C3 Does your organization have an alternate site location for work area recovery purposes? YES NO


Figure 1560–1 General Vendor/Business Partner Resiliency Questionnaire (Continued)

C. BACK-UP FACILITIES (continued)

C4 If you answered “Yes” to Question (C1), what is the approx. distance between your production (primary) site and alternate (secondary) site for work area recovery purposes? Please specify # and kilometers, miles, city blocks, etc.

Primary ______________   Secondary ______________

C5 Do you use an external BCP/DR service provider for your data center recovery needs? YES NO

C6 Do you use an external BCP/DR service provider for your work area recovery needs? YES NO

C7 If you answered “Yes” to Question (C6), is your contract with your BCP/DR service provider honored on a first-come/first-served basis? YES NO

C8 What recovery strategy does your organization use for mainframe systems? Please circle.

Active/Active   Active/Back-up   Vendor-Supplied   Other   N/A

C9 What type of recovery strategy does your organization use for distributed systems?

Active/Active   Active/Back-up   Vendor-Supplied   Other   N/A

C10 Is the processing capacity of your back-up facility equal to that of your primary facility? YES NO

C11 If you answered “No” to Question (C10), what is the capacity ratio of your back-up to your primary facility?

1 - 10%   11 - 20%   21 - 30%   31 - 50%   51 - 75%   76 - 99%   100%

C12 Is it feasible to run from your back-up facility for an extended period (e.g., at least six weeks)? YES NO

D. TESTING

D1 If you answered “Yes” to Question (A1), is the plan periodically tested? YES NO

D2 If you answered “Yes” to Question (D1), how frequently is the plan tested? Circle the appropriate response: Annually   Semi-annually   Other (please specify)

D3 Do you have BCP test dates scheduled over the next 12-18 months? YES NO

D4 If you answered “Yes” to Question (D3), please list those dates.

D5 If you answered “Yes” to Question (D1), do you involve IT staff, business unit or operations staff, or both in your internal BCP/DR tests? Circle the relevant answers.

IT staff only   Business Unit or Operations Staff only   BOTH IT and Business Unit or Operations Staff

D6 If you answered “Yes” to Question (D1), would you involve xxx in your external BCP/DR tests? YES NO

D7 If you answered “Yes” to Question (D1), do internal or external auditors review your BCP/DR tests? YES NO

D8 If you answered “Yes” to Question (D1), what components of your systems and infrastructure are tested? Circle all that apply.

Applications   Middleware   Databases   Data networks (internal and external)   Voice networks (internal and external)   Desktop   Facilities   Voice equipment


Figure 1560–1 General Vendor/Business Partner Resiliency Questionnaire (Continued)

CRITICAL PARTNER DISASTER RECOVERY QUESTIONNAIRE (CONTINUED)

E. DISASTER EVENT

E1 Did your organization invoke its business continuity or IT disaster recovery plan(s) as a result of some disaster/crisis event? YES NO

E2 Has your organization enhanced its business continuity planning initiative, or is it in the process of enhancing its plans, in light of the above event? YES NO

F. BCP SUPPORT

F1 Please provide primary and alternate contact information for communication during an emergency.


¶1570 Frequently Asked Questions

What happens after we get the plan completed?

◆ Enjoy! You should celebrate the moment — you will have accomplished what the surveys show that only 48 percent of the mid-level companies have achieved.

◆ Test, test, test — and if you do you will be in the glorified air of the 28 percent of companies who have.

◆ Push the envelope! Perform a complete test — you will be in the 10 percent who have done so.

◆ As soon as it is completed, the plan is officially out of date. Establish a revision date — within six months, and follow-up to make sure the plan is revised.

What should we do to allocate the plans, and where should we keep them?

◆ Develop a disbursal log of who has copies and make the HR department responsible to track and retrieve.

◆ Keep a complete set offsite on a CD-ROM or thumb or jump drive.

◆ Each Strike Team member should have a current hard copy at home, in the car.

◆ The emergency response team should have a current hard copy at home and one in the car.

What about awareness – what can be done?

◆ Have HR make contingency planning awareness part of new-hire orientation; this is a great help — and you meet some new people.

◆ Publish a one page newsletter — there is a lot of information on the web and feel free to email us for ideas.

◆ Form committees — at least two — an executive one for the big guys and an operational one for those who do the work — the Strike Teams.
