hipaa-policies

View the Project on GitHub uwcirg/hipaa-policies

13. Disaster Recovery Policy

The CIRG Contingency Plan establishes procedures to recover CIRG following a disruption resulting from a disaster. This Disaster Recovery Policy is maintained by the CIRG Security Officer and Privacy Officer.

The following objectives have been established for this plan:

  1. Maximize the effectiveness of contingency operations through an established plan that consists of the following phases:
    • Notification/Activation phase to detect and assess damage and to activate the plan;
    • Recovery phase to restore temporary IT operations and recover damage done to the original system;
    • Reconstitution phase to restore IT system processing capabilities to normal operations.
  2. Identify the activities, resources, and procedures needed to carry out CIRG processing requirements during prolonged interruptions to normal operations.
  3. Identify and define the impact of interruptions to CIRG systems.
  4. Assign responsibilities to designated personnel and provide guidance for recovering CIRG during prolonged periods of interruption to normal operations.
  5. Ensure coordination with other CIRG staff who will participate in the contingency planning strategies.
  6. Ensure coordination with external points of contact and vendors who will participate in the contingency planning strategies.

This CIRG Contingency Plan has been developed as required under the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, November 2000, and the Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule, Section §164.308(a)(7), which requires the establishment and implementation of procedures for responding to events that damage systems containing electronic protected health information.

This CIRG Contingency Plan is created under the legislative requirements set forth in the Federal Information Security Management Act (FISMA) of 2002 and the guidelines established by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, titled “Contingency Planning Guide for Information Technology Systems” dated June 2002.

The CIRG Contingency Plan also complies with the following federal and departmental policies:

Example of the types of disasters that would initiate this plan are natural disaster, political disturbances, man made disaster, external human threats, internal malicious activities.

CIRG defined two categories of systems from a disaster recovery perspective.

  1. Critical Systems. These systems host application servers and database servers or are required for functioning of systems that host application servers and database servers. These systems, if unavailable, affect the integrity of data and must be restored, or have a process begun to restore them, immediately upon becoming unavailable.
  2. Non-critical Systems. These are all systems not considered critical by definition above. These systems, while they may affect the performance and overall security of critical systems, do not prevent Critical systems from functioning and being accessed appropriately. These systems are restored at a lower priority than critical systems.

13.1 Applicable Standards

13.1.1 Applicable Standards from the HITRUST Common Security Framework

13.1.2 Applicable Standards from the HIPAA Security Rule

13.2 Line of Succession

The following order of succession to ensure that decision-making authority for the CIRG Contingency Plan is uninterrupted. The Director is responsible for ensuring the safety of personnel and the execution of procedures documented within this CIRG Contingency Plan. If the Director is unable to function as the overall authority or chooses to delegate this responsibility to a successor, the Technical Program Manager or Lead Systems Administrator shall function as that authority. To provide contact initiation should the contingency plan need to be initiated, please use the contact list below.

13.3 Responsibilities

The following teams have been developed and trained to respond to a contingency event affecting the IT system.

  1. The Systems Administration Team (“Sysadmin”) is responsible for recovery of the CIRG hosted environment, network devices, and all servers. Members of the team include personnel who are also responsible for the daily operations and maintenance of CIRG. The team leader is the Lead Systems Administrator and directs the Sysadmin Team.
  2. The Web Services Team is responsible for assuring all application servers and web services. It is also responsible for testing redeployments and assessing damage to the environment. The team leader is the Technical Program Manager and directs the Web Services Team.

Members of the Sysadmin and Web Services teams must maintain local copies of the contact information from §13.2. Additionally, the Director must maintain a local copy of this policy in the event Internet access is not available during a disaster scenario.

13.4 Testing and Maintenance

The Director shall establish criteria for validation/testing of a Contingency Plan, an annual test schedule, and ensure implementation of the test. This process will also serve as training for personnel involved in the plan’s execution. At a minimum the Contingency Plan shall be tested annually (within 365 days). The types of validation/testing exercises include tabletop and technical testing. Contingency Plans for all application systems must be tested at a minimum using the tabletop testing process. However, if the application system Contingency Plan is included in the technical testing of their respective support systems that technical test will satisfy the annual requirement.

13.4.1 Tabletop Testing

Tabletop Testing is conducted in accordance with the the CMS Risk Management Handbook, Volume 2. The primary objective of the tabletop test is to ensure designated personnel are knowledgeable and capable of performing the notification/activation requirements and procedures as outlined in the CP, in a timely manner. The exercises include, but are not limited to:

13.4.2 Technical Testing

The primary objective of the technical test is to ensure the communication processes and data storage and recovery processes can function at an alternate site to perform the functions and capabilities of the system within the designated requirements. Technical testing shall include, but is not limited to:

13.5 Disaster Recovery Procedures

13.5.1 Notification and Activation Phase

This phase addresses the initial actions taken to detect and assess damage inflicted by a disruption to CIRG. Based on the assessment of the Event, sometimes according to the CIRG Incident Response Policy, the Contingency Plan may be activated by either the Director.

The notification sequence is listed below:

13.5.2 Recovery Phase

This section provides procedures for recovering the application at an alternate site, whereas other efforts are directed to repair damage to the original system and capabilities.

The following procedures are for recovering the CIRG infrastructure at the alternate site. Procedures are outlined per team required. Each procedure should be executed in the sequence it is presented to maintain efficient operations.

Recovery Goal: The goal is to rebuild CIRG infrastructure to a production state.

The tasks outlines below are not sequential and some can be run in parallel.

  1. Contact Partners and Clients affected - Web Services
  2. Assess damage to the environment - Web Services
  3. Begin replication of new environment using automated and tested scripts, currently Chef and Salt. At this point it is determined whether to recover in Rackspace, AWS, Azure, or SoftLayer. - Sysadmin team
  4. Test new environment using pre-written tests - Web Services
  5. Test logging, security, and alerting functionality - Sysadmin team
  6. Assure systems are appropriately patched and up to date. - Sysadmin team
  7. Deploy environment to production - Web Services
  8. Update DNS to new environment. - Sysadmin team

13.5.3 Reconstitution Phase

This section discusses activities necessary for restoring CIRG operations at the original or new site. The goal is to restore full operations within 24 hours of a disaster or outage. When the hosted data center at the original or new site has been restored, CIRG operations at the alternate site may be transitioned back. The goal is to provide a seamless transition of operations from the alternate site to the computer center.

  1. Original or New Site Restoration
    • Begin replication of new environment using automated and tested scripts, currently Chef and Salt. - Sysadmin team
    • Test new environment using pre-written tests. - Web Services
    • Test logging, security, and alerting functionality. - Sysadmin team
    • Deploy environment to production - Web Services
    • Assure systems are appropriately patched and up to date. - Sysadmin team
    • Update DNS to new environment. - Sysadmin team
  2. Plan Deactivation
    • If the CIRG environment is moved back to the original site from the alternative site, all hardware used at the alternate site should be handled and disposed of according to the CIRG Media Disposal Policy.