To remain HIPAA-compliant and ensure your business can recover in the event of a data disaster, it is essential you have a business recovery plan in place.
In today’s business world, cyberattacks and data breaches are a fact of life.
And don’t think that cybercriminals are only after the big fish – according to the Verizon 2019 Data Breach Investigations Report, nearly half of all cyberattacks (43%) target small businesses like yours.
The most worrying thing?
Well over one-third (39%) of small and medium-sized businesses (SMBs) don’t have a data recovery plan in place for responding to data breaches and cyberattacks.
This is in spite of the fact that 60% of the same study participants had experienced loss or theft of sensitive data in the previous twelve months, and that 60% of SMBs go out of business within six months of a data disaster.

Disaster & Data Recovery Planning is a HIPAA Requirement
For HIPAA-compliant businesses, not having an adequate business recovery plan is simply not an option.
The HIPAA Security Rule requires HIPAA covered entities (healthcare providers, plans and clearinghouses) to implement administrative, technical and physical safeguards to ensure the confidentiality, integrity and availability of electronic protected health information (ePHI) at all times.
This includes the implementation of a contingency plan to establish policies and procedures for responding to an emergency or other occurrence (such as fire, theft, vandalism, system failure, natural disaster, or data breach) that damages or poses a threat to systems containing ePHI.
Specifically, the legislation states that the following three plans must be implemented under the Security Rule:
- Data backup plan (Required): Establish and implement procedures to create and maintain retrievable exact copies of ePHI.
- Disaster recovery plan (Required): Establish (and implement as needed) procedures to restore any loss of data.
- Emergency mode operation plan (Required): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.
Components for Your Data Recovery Plan Checklist
The simple fact of the matter is that, be it a cyberattack, natural disaster, or human error, all businesses will face some sort of data loss at some point.
In order to remain HIPAA-compliant and to ensure that you are not forced to throw down the shutters for good in the event of a data disaster, it is essential that you have a business recovery plan in place that can be actioned at a moment’s notice.
Utilizing a business recovery checklist that includes all the steps that need to be taken to rapidly resume business following a disaster will help you ensure that you are always ready no matter what happens.
There are four essential steps to complete in the disaster recovery planning process. Let’s consider them one at a time.
Step 1: Assign Responsibility
Assigning specific roles and responsibilities is crucial if you want your business recovery plan to work.
Should a disaster strike and nobody knows what to do or who to turn to, chaos will prevail, eroding the likelihood of a full recovery.
As such, the first step is to decide who will be responsible for overseeing both primary data storage and backup and assign them specific roles and sets of responsibilities.
Document the actions that are expected of them now (such as identifying the biggest data threats to the business) and during a disaster.
Step 2: Seek a HIPAA-Compliant Data Backup and Recovery Provider
As stipulated in the Security Rule, data backup is not optional.
The best way to do this is by using the “3-2-1” backup method.
This means having at least three (3) copies of your data, two (2) of which are located on different devices or storage media, with one (1) of them located offsite with a HIPAA-compliant cloud-based data backup and recovery provider.

Offsite backup means that you can easily retrieve any information lost from your primary data storage from the cloud – instantly.
As such, establishing a relationship with a HIPAA-compliant data backup and recovery provider is one of the most important steps of the business recovery planning process.
Step 3: Document Key Contacts and Information
In the event of a disaster, you will need to keep communication pathways open and will be responsible for letting all stakeholders affected know about the event.
To prepare, you must create a contact list of all critical vendors, suppliers, partners, key clients and employees and be able to access this list immediately should a disaster strike.
Additionally, you will need to determine alternative communication channels in the event that your primary ones are affected.
Furthermore, you must document your hardware, software and equipment needs.
With this information in hand, you will know how much equipment you will require to continue executing business-critical workloads and how much to restore your business to its original state.
Step 4: Create a Recovery Procedure with Steps to Remedy Data Interruption
Whereas steps one to three are about ensuring the groundwork of your business recovery plan is well-prepared, this final step is about ensuring copies of your data are continuously backed up and retrievable, and about testing your plan to ensure it is executable.
Key points for your business recovery checklist in this step include:
- Back up all data to a secure, HIPAA-compliant data center
- Create a plan to restore your essential data in a timeframe that meets your recovery time objective
- Set regular backup times that meet your recovery point objective
- Test your backup regularly and make sure it is restoring data accurately and in a timely manner
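The 3-2-1 rule from Step 2 and the recovery point objective and test-restore points in Step 4 can be checked mechanically against an inventory of backup copies. The following Python is an added example, not code from the original article or from Central Data Storage; the copy labels, media classes, timestamps and backup contents are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    location: str       # hypothetical label for the device or service holding the copy
    medium: str         # storage medium class, e.g. "local-disk", "nas", "cloud"
    offsite: bool       # True if the copy lives outside the primary site
    completed_at: datetime
    sha256: str         # digest recorded when the backup set was written

def check_321(copies):
    """Return violations of the 3-2-1 rule (3 copies, 2 media, 1 offsite)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need at least 3")
    if len({c.medium for c in copies}) < 2:
        problems.append("all copies on one storage medium, need at least 2")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    return problems

def stale_copies(copies, rpo, now):
    """Locations whose newest backup is older than the recovery point objective."""
    return [c.location for c in copies if now - c.completed_at > rpo]

def verify_restore(copy, restored):
    """A test restore passes only if the restored bytes match the recorded digest."""
    return hashlib.sha256(restored).hexdigest() == copy.sha256

# Constructed sample: one backup set held on three copies, RPO of 24 hours.
NOW = datetime(2019, 6, 1, 12, 0)
BACKUP_SET = b"constructed ePHI backup set"
DIGEST = hashlib.sha256(BACKUP_SET).hexdigest()
COPIES = [
    BackupCopy("server-local", "local-disk", False, NOW - timedelta(hours=2), DIGEST),
    BackupCopy("office-nas", "nas", False, NOW - timedelta(hours=30), DIGEST),
    BackupCopy("cloud-provider", "cloud", True, NOW - timedelta(hours=1), DIGEST),
]

def run_checks(copies=COPIES, rpo=timedelta(hours=24), now=NOW):
    """Summarise the checks; an empty violation list means the set passes 3-2-1."""
    return {
        "rule_violations": check_321(copies),
        "stale": stale_copies(copies, rpo, now),
        # simulate a restore from the offsite copy, and one that was silently corrupted
        "offsite_restore_ok": verify_restore(copies[2], BACKUP_SET),
        "corrupted_restore_ok": verify_restore(copies[2], BACKUP_SET + b"x"),
    }
```

Calling run_checks() on the sample reports the office NAS copy as stale (30 hours old against a 24-hour RPO) and shows the digest comparison rejecting the corrupted restore.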
Full Data Disaster Business Recovery with UnisonBDR
Responsible business owners understand that business recovery planning is essential. And for HIPAA-compliant businesses, it is mandatory.
Nonetheless, disaster recovery planning is a complex process, which is precisely why using a disaster recovery checklist, which outlines all the steps you need to take to successfully deal with a crisis, is a best practice – as is working with a reputed and reliable data backup and recovery solution provider.
Central Data Storage offers UnisonBDR, a fully supported, encrypted, cloud-based and HIPAA-compliant data backup and recovery solution specifically designed for HIPAA covered entities.
Our 448-bit end-to-end encryption exceeds military grade standards to ensure your ePHI is continuously protected from all threats, both en route to and at rest in our secure private cloud.
Backups are performed frequently and are automated, so you never have to worry about forgetting to carry them out.
In addition, with unlimited storage capacity, dual authentication and ransomware recovery, our solution ensures that your data is always safe, fully protected and 100% recoverable no matter what.
With Central Data Storage, our solution will get you back up and running with today’s data in just 2 hours and in less than 24 hours we can recover all your data.
Central Data Storage exists to help businesses remain HIPAA-compliant and survive all data disasters. If you want to learn more about UnisonBDR or get started on the path toward comprehensive backup and recovery, call 1-888-907-1227 or email info@centraldatastorage.com.