Business Continuity and HIPAA Business Continuity Management in the Health Care Environment [Electronic resources]

Jim Barnes


ASSESSING THE BUSINESS

The purpose of the business assessment is to determine the relative importance of each component of the healthcare organization. Determining when a specific activity must be available is a key product of the business assessment.

Ensuring the availability of a given activity has a cost. The more immediate the requirement to recover an activity, the higher the price. Thus, it is important to tailor solutions to a healthcare organization's needs. Most healthcare organizations prioritize their business processes and recovery timeframes to ramp up operations following a complete disruption to a facility or campus. The ability to stage a recovery is derived from the information obtained in the business assessment phase of planning.

There are two components to a Business Assessment:

- Risk Assessment, and
- Business Impact Analysis (BIA)

The Risk Assessment is designed to evaluate existing exposures from the healthcare organization's environment, and the Business Impact Analysis assesses the potential business loss that could result from any event that interrupts major operational processes.


Risk assessment


A critical step in designing a comprehensive, viable, and valid disaster recovery plan is to conduct a risk assessment. The purpose is to identify threats and vulnerabilities, and to determine if existing precautions and countermeasures are adequate to protect the healthcare organization's mission critical data and assets as well as protected health information (PHI). The Risk Assessment is an evaluation of the exposures present in a healthcare organization's external and internal environment.

Traditionally, the focus of a Risk Assessment has been physical threats, such as susceptibility to floods, hurricanes, tornadoes, power failure, etc. The risk assessment documents what mitigating steps have been taken to address these threats. Particularly in the healthcare environment, the issues are likely to be logical or information-driven as well as physical, including the threats of viruses, denial of service attacks and simple program bugs. This is not to minimize the importance of physical issues but to expand the scope of the analysis to include current and prevalent threats.

The assessment must consider the current physical and technological security environment in order to determine areas of risk that threaten the ability to operate. Data and information exchange internally and externally among the healthcare organization's employees and business associates can present considerable privacy and data security issues.

HIPAA compliance requirements underscore the need to identify and mitigate areas of vulnerability that have been either assumed or overlooked by management in the past.

Risk mitigation strategies must be implemented to reduce the likelihood that identified vulnerabilities are realized. A properly completed risk analysis should provide a complete overview of the healthcare organization's current security posture.

For each relevant threat, the preventive measures that are in place should be identified. The issue then is to determine whether all foreseeable, realistic risks have been adequately addressed. Determining the degree to which risks are foreseeable is often a subjective decision. Fires are rare, but happen often enough that they must be considered foreseeable in all circumstances. Logical threats caused by hackers, misuse and error are so omnipresent that they must be considered no matter how strong the preventive measures.

The following matrix can be used to step the analyst through potential exposures and the mitigating measures that could reduce the risk associated with the threat. While this matrix is the result of fifteen years of my noting what various companies employ to mitigate risk, it should be used as a starting point to develop a matrix for the reader's organization.

RISK ASSESSMENT WORKSHEET

Threats / Mitigation Measures Used by Other Healthcare Organizations

Severe Storms/Hurricanes
- The building is constructed to meet local and state building codes.
- Plastic bags are available to protect documents, medical equipment, and magnetic media.
- Vital records and all data processing facilities are located above the first floor, which protects them from flooding.
- Cross training is an on-going process. Cross training mitigates the risks caused by the loss of staff.
- There is a multitude of motels in the area to provide temporary housing in case staff members have to remain close to work.
- Windows can be easily covered with hurricane shutters.
- Doors are fortified to prevent wind intrusion.
- Roofs are securely fastened to the structure with hurricane straps.
- There are "safe rooms" within the facility to provide protection for staff and patients.
- Critical equipment is protected from building collapse and flying debris.
- Storm preparation procedures have been established.

Fire/Explosion
- Fire/smoke detection and alarm systems are in place and are monitored on a continual basis.
- Air ducts are equipped with power dampers to prevent or minimize smoke migration.
- The computer room and/or medical equipment rooms are configured to minimize the extent of fire damage (kill switches are on sprinklers so that power to the equipment goes off before water sprays).
- Fire suppression systems in the form of fire extinguishers and sprinkler systems are found throughout the building on every floor.
- Fire extinguishers are found near the exits of the computer/medical equipment rooms.
- Employees are trained in the use of fire-fighting equipment.
- Employees are trained in emergency shutdown procedures.
- Employees are trained in reporting emergencies.
- Employees are trained in patient and staff evacuation procedures.
- Exit routes are posted and exit route signs are found throughout the building.
- Smoking is restricted to safe designated areas.
- A diesel fire pump and a reliable water source are available for fighting fires.
- Fire separations are provided where needed for vertical and horizontal cutoffs.
- Preventive maintenance is performed on potentially hazardous equipment.
- Blank paper stock is not permitted in the computer room or in medical equipment rooms except for the current day's requirement.
- Flammable/combustible liquids and gases/fuels are stored and handled in an approved manner.
- Firewalls have been installed to restrict the spread and impact of a fire.
- Printed materials and garbage are removed from the computer room and medical equipment rooms on a regular basis.
- Combustible materials are stored in areas suited for that function.
- All pressure vessels are maintained and have been safety inspected.
- Emergency alarms are transmitted to a place of constant attendance.
- Dry vegetation that could contribute to a fire is kept cut.
- There are procedures for fire department notification.
- The fire department has toured and has a diagram of the facility.
- The area under the raised floor is cleaned regularly.
- The building is constructed to reduce the potential for fire.
- The building is located away from potential hazards that could restrict access of the fire department.
- An FM200 fire suppression system is installed in the computer room and in medical equipment rooms.
- There are no housekeeping related hazards.
- There are crash bars on emergency exit doors.
- Emergency exits/routes/lighting/alarms are checked and tested regularly.
- Locks in the computer room and medical equipment rooms release when the fire alarm sounds.
- Closets and unused areas are equipped with fire/smoke detection and alarm systems.
- Tile lifters are available in raised floor environments to investigate alarm conditions and fire suppression.
- Backup copies of vital paper records are securely stored off-site or maintained in a fireproof environment.

(threat not named in the source)
- Macros are available for the rapid shutdown of systems.
- Backup tapes and the System Administrator's Manual can be assembled and carried off site in a very rapid manner.
- Backup copies of vital magnetic media are securely stored off-site.

(threat not named in the source)
- Emergency lights have been installed.
- In the event of a loss of commercial electricity, electric power can be maintained through emergency generators located at the facility.
- The power from the emergency generator can maintain the healthcare organization's vital functions.
- Circuits are protected by circuit breakers.
- Cords/wiring are kept in good shape.
- Uninterruptible power supply (UPS) equipment is used throughout the building.
- The UPS system is monitored around the clock.
- Exit lights are clearly visible.
- Procedures are in place to recover from a power failure.
- Preventive maintenance of emergency power equipment is routinely conducted.
- Power distribution systems are protected from hazards such as fire, water, accident, and sabotage.
- Hazards of overcurrent have been assessed using single-line diagrams, equipment data and utility system data.
- Site files contain equipment specification data for all major electrical power system equipment.
- Electrical equipment rooms are clean and organized.

Commercial Power Loss
- On-site backup power is available.
- The fuel supply for the emergency generator is sufficient for recovery of electrical power requirements.
- The emergency generator fuel supply is changed regularly.
- UPS and emergency generators are tested on a regular basis.
- The facility has power-regulating equipment which smooths power fluctuations.
- Critical equipment is connected to an uninterruptible power supply (UPS) system.
- Power for the facility can be obtained from more than one utility substation.
- Emergency lighting is available.
- Arrangements have been made with local emergency management officials to move the healthcare organization higher in the recovery queue in the event of an area-wide power loss.

Floods
- The location and construction of the facility are such that they minimize the risk of damage from seepage from the floor or roof.
- Paper documents are located in a waterproof environment.
- The computer facility and medical equipment rooms are located above the first floor.
- Data and software are backed up and stored off site at a location that is not susceptible to a flood that would damage the primary facility.
- Plastic bags are available for paper records.
- Flood levels are projected for strategy purposes.

HVAC Failure
- The facility uses redundant HVAC units. This spreads the cooling load among several systems.
- Critical spare parts are kept on hand.
- Adequate measures have been taken to combat static electricity.
- Regular preventive maintenance is conducted with special attention to filters and the cleaning of ducting.
- HVAC equipment is protected from other exposures such as fire, water, and sabotage.

Internal Plumbing Failure
- Preventive maintenance is routinely conducted on the facility's water distribution system.
- A system for rapid shutdown of the sprinkler system is in place in the event of an accidental activation of the system.
- Tarps are available in areas exposed to sprinklers/pipes.
- Dry-charge sprinkler systems are used.
- Water protection and alarm systems are in place under raised floors. These systems are monitored around the clock.
- The computer room has drains and/or pumps available to remove water.
- Vital records are located in a waterproof environment.

Earthquake
- Earthquake construction guidelines have been adhered to so that damage can be minimized.
- Equipment tie-downs are used on critical computer and medical equipment.
- Emergency power is available on site.
- Seismic risk evaluations are done for all facilities in high-risk areas.

Water
- An emergency water supply has been contracted for in the event of an emergency.
- Alarms to alert personnel of water shutdown have been installed.
- Non-water fire suppression systems are available.
- Effluent discharge control equipment capable of meeting the legal requirements for discharge has been installed.
- A spill protection system has been installed to prevent and mitigate uncontrolled discharge to surface water, an effluent system, soil, air, or ground water.

Communications Carriers
- Alternate facilities that feed through a different telephone-switching center have been identified for use in the event of communications loss.
- Alternate routing in the form of dial backup for leased lines has been installed.
- Fiber optics rather than copper wire is used in order to avoid electromagnetic tapping and interference.
- The facility is serviced by more than one telephone central office.

Transportation
- There is a multitude of motels in the area to provide temporary housing in case staff members have to remain close to work.
- Alternate means of moving mail have been identified.
- Alternate facilities have been identified for use in the event this facility is inaccessible.
- Alternate transportation vendors have been identified and contacted for use in an emergency situation.

Staff Productivity Risks
- The work areas and process designs are such that they maximize efficiency and comfort, and minimize fatigue and boredom.
- Files are backed up and procedures are documented.
- An active asset management program is in place.
- Bags are checked and authorization for equipment removal is required upon departing the facility.
- There are procedures for equipment/software return upon termination of employment.
- Proper training and necessary cross training is given.
- Potential employees and contractors are screened for substance abuse and for problems with previous employers.
- Alternate sources of trained staff have been identified.
- Equipment has been designed to control chemical/physical agent exposures below Occupational Exposure Guidelines.
- Stairs, platforms and/or railings are provided where frequent access, or carrying equipment, is required in a fall hazard area.
- Equipment is guarded from moving equipment, extreme temperatures, and high velocity or high-pressure materials.
- Storage racks are designed to support the load, to protect the structure from collision, and to protect pallets from falling through the racks.
- Air monitoring is performed, and respiratory protection is used where needed.
- A behavior observation and feedback system has been implemented.
- Enzyme levels are monitored and controlled through air sample analysis.
- First aid supplies are available.
- Safety showers and eye wash fountains are available.
- Noise levels are monitored and controlled.
- Biocontaminants are stored and disposed of in a safe manner.

People-Related Risks (External)
- Both human and electronic security are present in the building and in the critical equipment areas.
- Shredders are available for the destruction of sensitive materials.
- Entry is monitored for "official business" visitors.
- Photo ID badges are required.
- Key cards or other methods of selective entry are required for admission to sensitive areas.
- All external entry points to the building are monitored and have intrusion alarms.
- Sensitive areas are locked at all times.
- The operation has adequate insurance protection.
- Physical security fences, gates, exterior lights, parking lots, etc. are maintained to prevent intrusion.
- Computer anti-virus/anti-vandal software is kept current.
- Computer anti-virus/anti-vandal software is applied against all external data attempting to enter internal systems.
- Several generations of backed-up data are securely maintained off site.
- Firewalls have been installed and are regularly maintained and updated.
- Intrusion detection systems are installed.
- Web site blocking has been implemented.
- Public chat rooms are blocked at the firewall.
- Intellectual property transfer is restricted.
- There is enforcement of strong password use.
- User accounts are deleted upon employee termination.

Equipment Risk
- Design and construction standards have been adhered to in equipment installation.
- Environmental control equipment is capable of meeting regulatory requirements.
- Qualified assessors conduct combustion safety studies.
- Gas cylinders have a storage facility and handling equipment.

Neighborhood Hazards
- There is a nightly backup of data processing electronic records, and that backup is stored off site.
- The off-site backup facility is a sufficient distance away from this facility.
- An alternate site has been identified for use in the event that this facility is unusable.

Data Processing Risk
- Vendors have been identified who will deliver replacement equipment in the event of an emergency.
- Preventive maintenance on all medical equipment and computer components is performed.
- On-call field engineering support is available.
- Provisions to switch (electrically) to backup/redundant equipment in the event of failure have been made (e.g. off-site mirrored hard drives).
- Computer and medical equipment rooms are not adjacent to highly flammable materials.
- External air/heat ducts, which enter rooms where business critical equipment/documents/magnetic media reside, are lined with non-combustible material.
- Off-site backups of critical hardware, software, data files, documentation, forms and supplies, etc. are available. Backups are tested and/or reviewed regularly.
- All magnetic media are tested for viruses.
- There is adherence to the manufacturers' requirements and recommendations regarding the provision of power, environmental conditions, layout specifications, and other related information.
- Special storage vaults on-site are used for critical tape and disk files.
- Good housekeeping practices are used in the computer and medical equipment rooms.
- Off-site storage provides adequate security, fire protection, and environmental considerations.
- Access to files is controlled.
- Records of removal and return of stored files are maintained.
- Computer-dependent departments have established manual procedures.

People-Related Risks (Internal)
- Healthcare managers permit employees to air grievances through open-door policies.
- Employees are given regular performance appraisals and encouraged to discuss their feelings.
- Background checks are made on employees prior to hire.
- Immediately upon dismissal, an employee is removed from any sensitive area, access to secure areas is removed, and computer access passwords/sign-ons for terminated staff are removed.
- Access to programs, manual and/or automated files, and reports is restricted to those who must use or have access to them in the performance of their work.
- Access to the operations area is controlled.
- Visitors are escorted when they are in operations areas. A control form from the operations area is used, which specifies reports sent and the number of pages for each.
- Abnormal employee behavior is monitored.


High Availability" respectively.


Information Protection


Increasingly, healthcare organizations rely on their networks and systems. Viral outbreaks pose a threat to the business continuity of these healthcare organizations. Many of these healthcare organizations' firewalls are probed for vulnerabilities on a daily basis, which makes it likely that they will be victimized by a serious security incident at some time.

To mitigate these risks, healthcare organizations need a comprehensive strategy comprised of the following four components:

- Protection in the form of focused IT security teams that are armed with the appropriate tools, rules of project (e.g., firewall policies), and management support.
- Detection capabilities such as intrusion detection (IDS), tripwires, viral scanning, and net-mapping, which can be inserted into the infrastructure to detect malicious or unusual events.
- Assessment capabilities that allow the IT security team to correlate incident information and assess whether or not they are significant incidents.
- Response capabilities that limit the damage that can be caused by significant incidents.




Protection


Protection comes from knowing the vulnerabilities of the healthcare organization, knowing the applicable countermeasures to these threats, and implementing the appropriate controls. The members of the IT security team should be aware of the changing security environment. The IT security team must carry out environmental scanning of new threats and vulnerabilities. The team must remain aware of available countermeasure products, tools or software patches by reviewing paper media, internet news feeds, and peer networking.

Continuous vulnerability analysis should be conducted on the healthcare organization's critical resources in order to maintain an effective security posture. The vulnerability analysis is designed to identify network vulnerabilities that result from the configuration of the operating system and network protocols.


Detection


Unusual or questionable events that are detected on the healthcare organization's networks, computers or information must be investigated. Many times it is difficult to determine if the questionable event is symptomatic of an incident, because the evidence of a security incident can also be the evidence of a problem with system configuration, an untested application program, hardware failure, or user error. Some of the indications of security incidents are as follows:

- Unexplained new files or unfamiliar file names.
- Unexplained modification or deletion of data.
- Alarms set off by an intrusion detection tool.
- Accounting discrepancies.
- A large number of unsuccessful login attempts.
- Attempts to gain unauthorized access to a system or its data.
- Unexplained new user accounts.
- Suspicious entries in system or network accounting.
- Modifications to file lengths / dates.
- Unexplained attempts to write to system files, or changes in system files.
- Unusual time of usage.
- The unauthorized use of a system for the processing or storage of data.
- Denial of service or inability of one or more users to log in to their account.
- System crashes.
- Programs being compiled under the account of a user who does not have any programming responsibility.
- Poor system performance.
- Unauthorized operation of a program or sniffer device to monitor network traffic.
- Detection of the use of attack scanners.
- Remote requests for information about systems and/or users.
- Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent.
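As an added example (not material from the book), the following Python script applies three of the indicators above, a large number of unsuccessful login attempts, unusual time of usage, and a successful login from a source that had just produced a burst of failures, to a handful of constructed sshd-style syslog lines. The host name, addresses, user names, business-hours window, and the five-failures-in-five-minutes threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style syslog lines (host, addresses and users are made up).
SAMPLE_LOG = """\
Mar 10 02:14:01 ehr-db sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar 10 02:14:03 ehr-db sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Mar 10 02:14:05 ehr-db sshd[4121]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar 10 02:14:07 ehr-db sshd[4122]: Failed password for root from 203.0.113.5 port 51025 ssh2
Mar 10 02:14:09 ehr-db sshd[4123]: Failed password for root from 203.0.113.5 port 51026 ssh2
Mar 10 02:14:11 ehr-db sshd[4124]: Failed password for root from 203.0.113.5 port 51027 ssh2
Mar 10 02:15:30 ehr-db sshd[4130]: Accepted password for backupsvc from 203.0.113.5 port 51040 ssh2
Mar 10 09:02:11 ehr-db sshd[4201]: Failed password for jdoe from 10.0.4.17 port 40110 ssh2
Mar 10 09:02:19 ehr-db sshd[4201]: Accepted password for jdoe from 10.0.4.17 port 40110 ssh2
Mar 10 22:41:00 ehr-db sshd[4300]: Accepted publickey for oncall from 10.0.4.9 port 40200 ssh2
"""

LOG_YEAR = 2024  # syslog lines carry no year; assumed here

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_events(text):
    """Turn raw lines into dicts with a timestamp, result, user and source address."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated lines are skipped, not treated as errors
        ts = datetime.strptime(
            f"{m['mon']} {int(m['day']):02d} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def brute_force_sources(events, threshold=5, window_s=300):
    """Sources whose failed logins reach `threshold` inside any `window_s` sliding window.

    Returns {source: peak failure count in a window}; a single failed attempt
    (a user mistyping a password) never reaches the threshold on its own.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in failures.items():
        times.sort()
        peak, j = 0, 0
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() > window_s:
                j += 1  # slide the window start forward
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins outside the assumed business window [start_hour, end_hour)."""
    return [e for e in events
            if e["result"] == "Accepted" and not (start_hour <= e["ts"].hour < end_hour)]


def successes_from_flagged_sources(events, **kw):
    """Users whose successful login came from a source already flagged for a failure burst."""
    flagged = brute_force_sources(events, **kw)
    return [e["user"] for e in events if e["result"] == "Accepted" and e["src"] in flagged]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failed-login bursts:", brute_force_sources(evs))
    print("off-hours logins:", [(e["user"], e["src"], e["ts"].isoformat()) for e in off_hours_logins(evs)])
    print("successes from flagged sources:", successes_from_flagged_sources(evs))
```

The third check is the one worth paging someone for: a burst of failures followed by a success from the same address is the pattern the book's "unauthorized access" indicator describes, while an off-hours login by an on-call account may be entirely legitimate and is only a lead to verify.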




Response


Procedures need to be developed that respond to incidents as they occur. The procedure may involve working with the affected business unit to determine the cause of the incident and help them to become secure again, or it may involve finding a solution to a vulnerability that is actively being exploited. Reactive response involves three stages: containment, eradication and recovery, followed by a post-incident analysis.

There are a number of strategies that can be employed to limit the effects of unwanted intrusions:

- In order to detect intrusions, Intrusion Detection Systems (IDS) can be deployed at strategic points throughout the healthcare organization's IT architecture. The IDS looks for known patterns of misuse or suspected attacks, then automatically notifies the designated staff member(s) via email, pager or cell phone.
- Decoys or "honey pots" can be deployed to distract any potential attackers until their activities can be detected and dealt with. Such a decoy should lure attackers away from more sensitive hosts. These are heavily instrumented hosts, so they provide many alarms and logs of activities that touch them.
- File integrity can be established by applying calculations to file contents and deriving coded values that are stored separately. If it is suspected that someone has altered critical system files, these stored check values can be compared to newly calculated values for the files.
- Viral scanning software is essential for any IT system. Possible variations of viral attacks make it a challenge to minimize the window of exposure between the release of a new variant and the installation of the latest detection database.
- The task of assessing incidents is made less difficult when there is a current map of the networks and their peripheral devices. Without this it is hard to determine from where an attack may have come and what systems may be impacted.
- Desktop technologies have been developed to deal with the downloading of active, malicious code. Trojan code embedded within an application can access and pass information about you or your system back to some collection site. These technologies or "sandboxes" try to impose restrictive controls on suspect code by sensing and stopping improper activities.
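The file integrity check described in the third strategy above, written out as an added Python example rather than anything from the book: SHA-256 values for a set of files are computed into a baseline manifest that is kept apart from the monitored tree, and a later verification pass compares freshly computed values against it to list modified, missing and added files. The directory layout, file names and the tampering the demo simulates are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to its size and SHA-256."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return baseline


def save_baseline(baseline, manifest_path):
    # The manifest must live where an intruder on the monitored host cannot rewrite it
    # (read-only media, another host): a baseline the attacker can edit proves nothing.
    Path(manifest_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(manifest_path):
    return json.loads(Path(manifest_path).read_text())


def verify(root, baseline):
    """Compare freshly computed values with the stored baseline."""
    current = build_baseline(root)
    report = {"modified": [], "missing": [], "added": []}
    for rel, expected in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != expected["sha256"]:
            report["modified"].append(rel)  # content changed, whatever the mtime says
    report["added"] = [rel for rel in current if rel not in baseline]
    return {key: sorted(val) for key, val in report.items()}


def demo():
    """Constructed scenario: baseline three files, then tamper with the tree and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        manifest = Path(tmp) / "baseline.json"  # kept outside the monitored tree
        save_baseline(build_baseline(root), manifest)

        # Simulated changes an investigator would want surfaced.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")  # modified
        (root / "hosts").unlink()                                            # missing
        (root / "rc.local").write_text("# new file\n")                       # added
        return verify(root, load_baseline(manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline is taken from a known-good install before the host is exposed, and re-taken only after an authorised change, so that every reported difference is either an approved change or something to investigate.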




Containment


The IT security team needs to limit the scope and magnitude of an incident. They must first decide what to do with critical information and/or computer resources. They must then decide whether to shut down the system entirely, disconnect from the network, or allow the system to continue to run so that additional suspect activity can be monitored.


Eradication


Eradicating the cause of the incident is accomplished using established procedures and the appropriate tools. For a viral infection, eradication is accomplished by using virus-scanning software that will remove the virus from the information storage media. Vulnerable ports of entry should be closed, indications of changed system files, hidden files or new ID files need to be recorded, and backups of log files prior to removal of malicious modifications or reloads to the operating system need to be made.


Recovery


Recovery involves restoring the system to its normal operational status. The length of the recovery process may be short, as in the case of a virus, or lengthy as in the case of an intruder that may have modified data or software files.


Post Incident


After the incident is over, there needs to be a follow-up process to determine how the virus entered the enterprise or the entry point used by an intruder to gain unauthorized access. A follow-up report should be used to update policies and procedures used by the healthcare organization.
