Chapter 1: Business Continuity Planning and HIPAA
Business continuity planning is vital to healthcare organizations. A documented and tested business continuity plan allows these healthcare organizations to react to almost any situation in an efficient, timely manner, and recover critical business processes within established timeframes. Developing a business continuity management program is about addressing how not to have an interruption in a healthcare organization's ability to perform its critical processes.HIPAA's security standards require that all healthcare organizations have a contingency plan. The guidelines for the contingency plan can be found in the Act's administrative procedures to guard data integrity, confidentiality, and availability. These plans should identify the critical components that are required for each business function.From the "Federal Register / Vol. 63, No. 155 / Wednesday, August 12, 1998" the following proposed rules emerge (Bolded parts pertain to business continuity planning. Also, the entire security standard has been included to enable you to understand how business continuity planning / contingency planning falls within the context of HIPAA):§ 142.308 Security Standard.Each entity designated in § 142.302 must assess potential risks and vulnerabilities to the individual health data in its possession and develop, implement, and maintain appropriate security measures. These measures must be documented and kept current, and must include, at a minimum, the following requirements and implementation features:Administrative procedures to guard data integrity, confidentiality, and availability documented, formal practices to manage the selection and execution of security measures to protect data, and to manage the conduct of personnel in relation to the protection of data. These procedures include the following requirements:
Certification. (The technical evaluation performed as part of, and in support of, the accreditation process that establishes the extent to which a particular computer system or network design and implementation meet a pre-specified set of security requirements. This evaluation may be performed internally or by an external accrediting agency.)
A chain of trust partner agreement (a contract entered into by two business partners in which the partners agree to electronically exchange data and protect the integrity and confidentiality of the data exchanged).
A contingency plan, a routinely updated plan for responding to a system emergency that includes performing backups, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency, and recovering from a disaster. The plan must include all of the following implementation features:
An applications and data criticality analysis (an entity's formal assessment of the sensitivity, vulnerabilities, and security of its programs and information it receives, manipulates, stores, and/or transmits).
Data backup plan (a documented and routinely updated plan to create and maintain, for a specific period of time, retrievable exact copies of information).
A disaster recovery plan (the part of an overall contingency plan that contains a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure).
Emergency mode operation plan (the part of an overall contingency plan that contains a process enabling an enterprise to continue to operate in the event of fire, vandalism, natural disaster, or system failure).
Testing and revision procedures (the documented process of periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary).
Formal mechanism for processing records (documented policies and procedures for the routine, and non-routine, receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information).
Information access control (formal, documented policies and procedures for granting different levels of access to health care information) that includes all of the following implementation features:
Access authorization (information use policies and procedures that establish the rules for granting access, (for example, to a terminal, transaction, program, process, or some other user.)
Access establishment (security policies and rules that determine an entity's initial right of access to a terminal, transaction, program, process or some other user).
Access modification (security policies and rules that determine the types of, and reasons for, modification to an entity's established right of access, to a terminal, transaction, program, process, or some other user.)
Internal audit (in-house review of the records of system activity (such as logins, file accesses, and security incidents) maintained by a healthcare organization).
Personnel security (all personnel who have access to any sensitive information have the required authorities as well as all appropriate clearances) that includes all of the following implementation features:
Assuring supervision of maintenance personnel by an authorized, knowledgeable person. These procedures are documented formal procedures and instructions for the oversight of maintenance personnel when the personnel are near health information pertaining to an individual.
Maintaining a record of access authorizations (ongoing documentation and review of the levels of access granted to a user, program, or procedure accessing health information).
Assuring that operating and maintenance personnel have proper access authorization (formal documented policies and procedures for determining the access level to be granted to individuals working on, or near, health information).
Establishing personnel clearance procedures (a protective measure applied to determine that an individual's access to sensitive unclassified automated Information is admissible).
Establishing and maintaining personnel security policies and procedures (formal, documentation of procedures to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances).
Assuring that system users, including maintenance personnel, receive security awareness training.
Security configuration management (measures, practices, and procedures for the security of information systems that must be coordinated and integrated with each other and other measures, practices, and procedures of the healthcare organization established in order to create a coherent system of security) that includes all of the following implementation features:
Documentation (written security plans, rules, procedures, and instructions concerning all components of an entity's security).
Hardware and software installation and maintenance review and testing for security features (formal, documented procedures for connecting and loading new equipment and programs, periodic review of the maintenance occurring on that equipment and programs, and periodic security testing of the security attributes of that hardware/software).
Inventory (the formal, documented identification of hardware and software assets).
Security testing (process used to determine that the security features of a system are implemented as designed and that they are adequate for a proposed applications environment; this process includes hands-on functional testing, penetration testing, and verification).
Virus checking. (The act of running a computer program that identifies and disables:
Another "virus" computer program, typically hidden, that attaches itself to other programs and has the ability to replicate.
A code fragment (not an independent program) that reproduces by attaching to another program.
A code embedded within a program that causes a copy of itself to be inserted in one or more other programs.)
Security incident procedures (formal documented instructions for reporting security breaches) that include all of the following implementation features:
Report procedures (documented formal mechanism employed to document security incidents).
Response procedures (documented formal rules or instructions for actions to be taken as a result of the receipt of a security incident report).
Security management process (creation, administration, and oversight of policies to ensure the prevention, detection, containment, and correction of security breaches involving risk analysis and risk management). It includes the establishment of accountability, management controls (policies and education), electronic controls, physical security, and penalties for the abuse and misuse of its assets (both physical and electronic) that includes all of the following implementation features:
Risk analysis, a process whereby cost-effective security/control measures may be selected by balancing the costs of various security/control measures against the losses that would be expected if these measures were not in place.
Risk management (process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk).
Sanction policies and procedures (statements regarding disciplinary actions that are communicated to all employees, agents, and contractors; for example, verbal warning, notice of disciplinary action placed in personnel files, removal of system privileges, termination of employment, and contract penalties). They must include employee, agent, and contractor notice of civil or criminal penalties for misuse or misappropriation of health information and must make employees, agents, and contractors aware that violations may result in notification to law enforcement officials and regulatory, accreditation, and licensure healthcare organizations.
Security policy (statement(s) of information values, protection responsibilities, and healthcare organization commitment for a system). This is the framework within which an entity establishes needed levels of information security to achieve the desired confidentiality goals.
Termination procedures (formal documented instructions, which include appropriate security measures, for the ending of an employee's employment or an internal/external user's access) that include procedures for all of the following implementation features:
Changing locks (a documented procedure for changing combinations of locking mechanisms, both on a recurring basis and when personnel knowledgeable of combinations no longer have a need to know or require access to the protected facility or system).
Removal from access lists (physical eradication of an entity's access privileges).
Removal of user account(s) (termination or deletion of an individual's access privileges to the information, services, and resources for which they currently have clearance, authorization, and need-to-know when such clearance, authorization and need-to-know no longer exists).
Turning in of keys, tokens, or cards that allow access (formal, documented procedure to ensure all physical items that allow a terminated employee to access a property, building or equipment are retrieved from that employee, preferably before termination).
Training (education concerning the vulnerabilities of the health information in an entity's possession and ways to ensure the protection of that information) that includes all of the following implementation features:
Awareness training for all personnel, including management personnel (in security awareness, including, but not limited to, password maintenance, incident reporting, and viruses and other forms of malicious software).
Periodic security reminders (employees, agents, and contractors are made aware of security concerns on an ongoing basis).
User education concerning virus protection (training relative to user awareness of the potential harm that can be caused by a virus, how to prevent the introduction of a virus to a computer system, and what to do if a virus is detected).
User education in importance of monitoring log-in success or failure and how to report discrepancies (training in the user's responsibility to ensure the security of health care information).
User education in password management (type of user training in the rules to be followed in creating and changing passwords and the need to keep them confidential).
Physical safeguards to guard data integrity, confidentiality, and availability. Protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion. It covers the use of locks, keys, and administrative measures used to control access to computer systems and facilities. Physical safeguards must include all of the following requirements and implementation features:
Assigned security responsibility (practices established by management to manage and supervise the execution and use of security measures to protect data and to manage and supervise the conduct of personnel in relation to the protection of data).
Media controls (formal, documented policies and procedures that govern the receipt and removal of hardware/software (such as diskettes and tapes) into and out of a facility) that include all of the following implementation features:
Access control.
Accountability (the property that ensures that the actions of an entity can be traced uniquely to that entity).
Data backup (a retrievable, exact copy of information).
Data storage (the retention of health care information pertaining to an individual in an electronic format).
Disposal (final disposition of electronic data, and/or the hardware on which electronic data is stored).
Physical access controls (limited access) (formal, documented policies and procedures to be followed to limit physical access to an entity while ensuring that properly authorized access is allowed) that include all of the following implementation features:
Disaster recovery (the process enabling an entity to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure).
An emergency mode operation (access controls in place that enable an entity to continue to operate in the event of fire, vandalism, natural disaster, or system failure).
Equipment control (into and out of site) (documented security procedures for bringing hardware and software into and out of a facility and for maintaining a record of that equipment. This includes, but is not limited to, the marking, handling, and disposal of hardware and storage media.)
A facility security plan (a plan to safeguard the premises and building (exterior and interior) from unauthorized physical access and to safeguard the equipment therein from unauthorized physical access, tampering, and theft).
Procedures for verifying access authorizations before granting physical access (formal, documented policies and instructions for validating the access privileges of an entity before granting those privileges).
Maintenance records (documentation of repairs and modifications to the physical components of a facility, such as hardware, software, walls, doors, and locks).
Need-to-know procedures for personnel access (a security principle stating that a user should have access only to the data he or she needs to perform a particular function).
Procedures to sign in visitors and provide escorts, if appropriate (formal documented procedure governing the reception and hosting of visitors).
Testing and revision (the restriction of program testing and revision to formally authorized personnel).
Policy and guidelines on work station use (documented instructions/procedures delineating the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific computer terminal site or type of site, dependent upon the sensitivity of the information accessed from that site).
A secure work station location (physical safeguards to eliminate or minimize the possibility of unauthorized access to information; for example, locating a terminal used to access sensitive information in a locked room and restricting access to that room to authorized personnel, not placing a terminal used to access patient information in any area of a doctor's office where the screen contents can be viewed from the reception area).
Security awareness training (information security awareness training programs in which all employees, agents, and contractors must participate, including, based on job responsibilities, customized education programs that focus on issues regarding use of health information and responsibilities regarding confidentiality and security).
Technical security services to guard data integrity, confidentiality, and availability (the processes that are put in place to protect information and to control individual access to information). These services include the following requirements and implementation features:
The technical security services must include all of the following requirements and the specified implementation features:
Access control that includes:
A procedure for emergency access (documented instructions for obtaining necessary information during a crisis), and
At least one of the following implementation features:
Context-based access (an access control procedure based on the context of a transaction (as opposed to being based on attributes of the initiator or target)).
Role-based access.
User-based access.
The optional use of encryption.
Audit controls (mechanisms employed to record and examine system activity).
Authorization control (the mechanism for obtaining consent for the use and disclosure of health information) that includes at least one of the following implementation features:
Role-based access.
User-based access.
Data authentication. (The corroboration that data has not been altered or destroyed in an unauthorized manner. Examples of how data corroboration may be assured include the use of a check sum, double keying, a message authentication code, or digital signature.)
Entity authentication (the corroboration that an entity is the one claimed) that includes:
Automatic logoff (a security procedure that causes an electronic session to terminate after a predetermined time of inactivity, such as 15 minutes), and
Unique user identifier (a combination name/number assigned and maintained in security procedures for identifying and tracking individual user identity).
At least one of the following implementation features:
Biometric identification (an identification system that identifies a human from a measurement of a physical feature or repeatable action of the individual (for example, hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characteristics, voice prints, and hand written signature).
Password.
Personal identification number (PIN) (a number or code assigned to an individual and used to provide verification of identity).
A telephone callback procedure (method of authenticating the identity of the receiver and sender of information through a series of "questions" and "answers" sent back and forth establishing the identity of each). For example, when the communicating systems exchange a series of identification codes as part of the initiation of a session to exchange information, or when a host computer disconnects the initial session before the authentication is complete, and the host calls the user back to establish a session at a predetermined telephone number.
Token.
Technical security mechanisms (processes that are put in place to guard against unauthorized access to data that is transmitted over a communications network).
If an entity uses communications or network controls, its security standards for technical security mechanisms must include the following:
The following implementation features:
Integrity controls (a security mechanism employed to ensure the validity of the information being electronically transmitted or stored).
Message authentication (ensuring, typically with a message authentication code that a message received (usually via a network) matches the message sent).
One of the following implementation features:
Access controls (protection of sensitive communications transmissions over open or private networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient).
Encryption.
If an entity uses network controls (to protect sensitive communication that is transmitted electronically over open networks so that it cannot be easily intercepted and interpreted by parties other than the intended recipient), its technical security mechanisms must include all of the following implementation features:
Alarm. (In communication systems, any device that can sense an abnormal condition within the system and provide, either locally or remotely, a signal indicating the presence of the abnormality. The signal may be in any desired form ranging from a simple contact closure (or opening) to a time-based automatic shutdown and restart cycle.)
Audit trail (the data collected and potentially used to facilitate a security audit).
Entity authentication (a communications or network mechanism to irrefutably identify authorized users, programs, and processes and to deny access to unauthorized users, programs, and processes)
Event reporting (a network message indicating operational irregularities in physical elements of a network or a response to the occurrence of a significant task, typically the completion of a request for information).
In the above passage, the areas in bold are the parts of the proposed regulation that pertain directly to business continuity planning. While small in the amount of space taken up in the regulation, the implications for what needs to be done to come into compliance are large.The final ruling came out in January 13, 2003 as 45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule. Under Section 164.306(a), Contingency planning is addressed:
Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
Implementation specification:
Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.
Healthcare organizations within the healthcare industry, from a business continuity perspective, have many similarities to healthcare organizations belonging to other industries. Among these is the potential for disaster. A conventional business can experience a fire, earthquake, flood, or other unforeseen disruption. With the healthcare organizations, there are billions of dollars at stake and a significant potential for disruption.The regulation specifically addresses the ability to recover and protect data owned and generated by a healthcare organization. In order to accomplish this directive, it is important to understand that the information technology (IT) component of a healthcare organization is dependent and interconnected to virtually all other functions within the healthcare organization. Therefore, in order to comply with the this regulation, a healthcare organization should focus on developing a complete business continuity plan so that the recovery of all the functions that feed and are dependent upon IT are addressed.The analogy to this is found in the banking industry. Initially, bankers were required to have disaster recovery plans, i.e., plans that would recover the IT components of a bank. Over time, through testing and actual exercising of these plans, it was realized that restoring the computer and communication systems was not enough to make the bank operational. Many other parts of the bank's infrastructure had to be restored in order to get the bank working again. The lessons learned in the banking industry are applicable to the healthcare industry. The thrust of this book will be business continuity planning for healthcare organizations. This will not only cover the exact requirements of the regulation, but the intent.In this book we are discussing business continuity planning development in five phases.There are five phases of Business Continuity Planning: Project Foundation, Business Assessment, Strategy Selection, Plan Development, and Testing and Maintenance. It can be argued that there are more or less than five phases (every consulting firm will have its own magic number) but the core components contained in the phases should not vary. It is the dissection and explanation of each of these components that will make up the majority of this book. A grasp of all of these components will enable the reader to develop a healthcare organizational recovery plan.
Project Foundation | Business Assesment | Strategy Selection | Plan Development | Testing and Maintenance |
PHASES |
Briefly, an explanation of the components listed above are:PROJECT FOUNDATION: Establishing the basis for a successful project. This includes establishing project expectations, obtaining appropriate commitments, selecting the appropriate participants, and establishing an efficient work plan.BUSINESS ASSESSMENT: Documenting business unit critical processes and components and identifying existing and potential disaster mitigating systems/procedures. This includes understanding the process flow of each business unit, determining the Recovery Time Objective, defining the business unit's critical resources, and identifying existing containment measures and exposures.STRATEGY SELECTION: Choosing an appropriate course of action or future undertaking to enhance the survivability of the critical components of the business. These include strategies to protect computer systems, communications, staff, facilities, equipment, office supplies, market share, and supplier continuity.PLAN DEVELOPMENT: Creating a document with the user that will reestablish the critical components of the business in the least possible time and at the least cost to the business. The plan must be developed by the ultimate user using familiar terms and with references to sources of resource repair or replacement services. The plan should be easy to navigate and understood by all participants of the recovery.TESTING AND MAINTENANCE: Evaluating the effectiveness of procedures and access to resources through disaster simulation and updating the plan to reflect current conditions. Each procedure and source must be evaluated to determine if it will be viable during a real disaster situation. The results of the evaluation will be used to update the plan. Periodically, the plan will need to be reviewed and amended to reflect changes in staff, equipment, and procedures.A business continuity planning program, whether it is being initiated because of HIPAA or just good business sense (or both) should follow the same development steps listed above. The chapters that follow cover business continuity planning and the accentuated components of BCP used to accommodate the requirements of HIPAA.
At the end of each chapter we will include a section such as this so that as you read this book, you can formulate a plan of attack and tools to use as you create your own unique business continuity plan.Based on what you have learned in this chapter, write down the and save the verbiage from the HIPAA regulation. This will be used as a check-off sheet to be used when you are going through the final edit of the plan.From the "Common Body of Knowledge" from the BCI and the DRII, create a first-draft work plan that incorporates the ten main categories. These categories should be rearranged and enhanced as you read the remainder of this book.