
Disaster recovery planning for information technology functions. (Feature Article).


Most nursing homes typically don't have sufficient staff and/or budget for comprehensive disaster planning. The approach that we recommend involves recognizing that disaster planning is an ongoing activity, one that evolves with the facility. The key is to have a systematic framework within which the evolving pieces of the plan can be filled in over time. By now, one would hope, organizations have taken some of the more basic steps toward enhancing resident and staff security from the effects of a disaster--physical safety, continuity of vital services, counseling arrangements, and the like. HIPAA regulations apply specifically to information system security. They require advance planning for the recovery of the organization's computer and business functions following a disaster.

What does this involve? The Disaster Recovery Yellow Pages™ recommends the following systematic approach:

* develop a formal method of documenting the dimensions of the disaster as they impact the organization;

* understand where the organization's functions fit into planned stages of recovery;

* identify unique vulnerabilities and serious risks; and

* follow the procedural steps of disaster planning, including concepts for testing the plan.

Documenting the Dimensions of the Disaster

Even though disasters come in an infinite variety, their effects on the organization's IT can be analyzed as three "dimensions of loss":

* loss of information

* loss of access (to information, facilities, etc.)

* loss of personnel

Loss of information could be caused by events ranging from the "low-tech" destruction of paper files in a fire or storm to the inadvertent "high-tech" destruction of network files during an upgrade to a new software release.

Loss of access might be to buildings housing IT, support services, parts and supplies, information, etc., resulting from destruction of property by fire or explosion, flooding, loss of electric power, work stoppages as a result of union picket lines, etc.

Loss of personnel, when evaluated as a risk factor to the organization, depends on the organization. Some might be vulnerable to the loss of an entire class of workers, such as in a union work action; others might be vulnerable to the loss of a few key employees.

Fitting Into the Stages of Recovery

To help avoid wasting scarce resources on restoring high-profile functions sooner than they can actually be supported, the Table offers a timetable delineating four distinct stages of recovery from most disasters.

Identifying Unique Vulnerabilities and Serious Risks

To do this properly requires a "brainstorming" process involving employees themselves during departmental or group meetings. Reviewing the potential impacts of possible disasters begins to build their awareness of disaster planning and will likely uncover areas of potential risk that management might not recognize.

Proceeding With Disaster Planning

Once the organization's unique vulnerabilities and other serious risks have been identified, you need to begin the planning process:

* Obtain top management's guidelines to prioritize the protection or restoration of operations. Senior management should "rank" the various IT functions, based on how long the organization can survive without each one. Once senior management determines how long each function can be suspended, then lower-level management can decide on the best technical means to meet those recovery goals.

* Determine how to restore each operation to meet the management guidelines, and assign a disaster-recovery team (including a "second in command") for each operation.

* Take a complete inventory of everything that cannot be replaced generically (e.g., specific forms, files, equipment, etc.).

* Write the plan down, including specific personnel assignments, recovery procedures for each function, updated inventory of equipment (both generic and specialized), and phone numbers of all employees, IT vendors, and board members. Contact numbers for residents' families and after-hours contacts for vendors, insurance agents, etc., should also be listed.

* Review the plan with all employees as it pertains specifically to them. This is a means of verifying that the plan is actually workable and that any needed additional cross-training has been accomplished.

* Test the plan, review results, and modify the plan, as appropriate. Testing might involve some level of "reality checking." This would include what we call the "blink test," the independent expert (employee) assessment/structured walk-through, component tests, and "pull the plug" evaluation.

The "blink test" occurs when, upon hearing some detail of the plan, an employee blinks and says, "I can't do that," or "I don't have access to that information." Obviously, some adjustment is required. This can be helped by reviewing the plan with each employee, based on his/her expertise and familiarity with the daily ebb and flow of specific operations--the expert (employee) assessment and structured walk-through mentioned above. Because components of the plan have been specified and prioritized, each can be tested independently by employees with specific interest and expertise in those areas, e.g., recovery of computer backup files, transfer of data to the computer backup site, and operation of the backup site itself.

With respect to "pull the plug" exercises, while typically these are too disruptive to conduct routinely, we have found that it is possible to use normal day-to-day "mini-disasters," such as system crashes, as "real-life" tests of disaster response and recovery. These activities are analyzed and documented just as if they were part of a planned test.

To conclude, disaster-planning activities can be viewed as "advance decision making." In addition to helping to meet HIPAA's regulatory requirements, they yield the immediate benefits of highlighting vulnerable points in the organization's operations and the resources available for addressing them. It is then up to management to prioritize the responses, assign disaster response teams, and keep employees fully informed of the disaster plan as it evolves.
Table. Possible Activities During Typical Time Periods

Immediate Impact: 0 to 8 hours

* Locate missing personnel, alert sources of assistance and
  key employees, service providers, and partners.

* Ensure that automatic responses activate (e.g., electric generators,
  telephone circuit switching, etc.).

* Alert computer backup site to potential relocation.

* Establish security at disaster site.

* Begin dissemination of public information.

Immediate: 0 to 3 days

* Set up command center at predesignated location.

* Move activities that cannot be delayed to prearranged areas.

* Transfer main telephone/fax lines to prearranged numbers.

* Arrange limited short-term space.

Short Term: 4 to 14 days

* Set up core computer functions in temporary space or at backup site.

* Set up remaining mission-critical operations.

* Arrange for long-term temporary space.

Long Term: up to 6 months

* Set up all computer functions.

* Restore remaining operational functions.

* Refurbish permanent site.

* Move functions to permanent site.


Steven Lewis, PhD, CISA (Certified Information Systems Auditor), is editor-in-chief of The Disaster Recovery Yellow Pages at The Systems Audit Group, Inc., Newton, Massachusetts. He can be reached at DRYP@disasterhelp.com or at (617) 332-3496. To comment on this article, please send e-mail to lewis0203@nursinghomesmagazine.com.
COPYRIGHT 2003 Medquest Communications, LLC
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Author: Lewis, Steven
Publication: Nursing Homes
Geographic Code: 1USA
Date: Feb 1, 2003