Having a documented disaster recovery plan is incredibly important for healthcare practices to implement in preparation for a data breach, cyber-attack, or a public health emergency like COVID-19. A disaster can be defined as any event that compromises an organization’s operations, data, and network – and due to the current increase in cyber attacks during COVID-19, ensuring your practice is well-prepared for any disaster with a proper contingency plan is all the more important. 

You know what they say: always plan for the worst, and hope for the best. We’d like to hope your practice never has to put your disaster recovery plan into action, but it’s better to be safe than sorry especially since it’s required by HIPAA law. The HIPAA security rule states that all healthcare practices must have a contingency plan in place to define the responsibilities of all staff members and overall practice procedures to restore IT systems that contain PHI in case of any disruptive event. The requirements within a disaster recovery plan can seem a little daunting, which is part of the reason why it’s essential to have your procedures in place before a disaster happens. Now let’s break down what exactly you need for your contingency plan: 

1. Start with a documented risk assessment that reviews the threats and vulnerabilities of your practice. (If you’re already on top of your HIPAA compliance program, you should have a head start on this step.)  
2. Have a data backup plan in place to recover ePHI that could be lost – take inventory of what ePHI needs to be backed up and the method you will use to do so. Some questions to ask yourself during this step are: 
   • How quickly do you need to recover the data, and do you need it right away to keep your practice running? 
   • What equipment is needed for the backup, and do you have the hardware required to do it yourself? 
   • Is your data backup located somewhere it would also be compromised by a disastrous event, or is it located in a secure off-site location?
3. Document the procedures needed to ensure that ePHI can be restored in the event of a loss – this addresses the order data that needs to be restored in and should account for any type of emergency scenario whether it be a natural disaster or cyber attack.
4. Have a plan for ‘emergency-mode’ operations so that you can continue to protect the security of ePHI and other necessary business processes until normal system functions return.
   • This includes having a designated point of contact for communicating with authorities, patients, vendors, and staff.
5. Have procedures in place for periodic testing and revision of the contingency plan as you feel necessary. This may vary in frequency depending on the complexity of your practice.   
6. Finally, conduct the Business Impact Analysis (BIA) to determine the operational, financial, and reputational effects a disaster would have on your practice. This basically means: 
   • Identify the resources required to keep you running business as ‘usual’ 
   • Establish the order of priority for the restoration of business functions. A good tip is to use a tiered system ranking everything as either critical, important, or just everything else.

When it comes to your practice’s disaster recovery plan, having everything properly documented and planned ahead of time will make all the difference in your ability to restore data and respond to an emergency correctly. 

If your practice hasn’t created the right disaster recovery plan prior to a threat or event occurring, it’s always a good idea to immediately document and identify how your practice will respond as quickly as possible. Even if you already had a documented disaster recovery plan, when an event does occur it is a great opportunity to revisit your existing plan and adjust any needed areas to be as accurate as possible.

Felling a bit overwhelmed? We have some good news for you. Abyde’s comprehensive solution will take the guesswork out of knowing if your practice is prepared. From documenting your risk assessment to generating policies and procedures specific to your practice, to a support team ready to assist you in the event of a disaster, if using Abyde, implementing your practice’s recovery plan won’t be stressful or time-consuming!