What Security Lessons can we Learn from Superstorm Sandy?

Security Lessons from Superstorm Sandy

An important lesson in the aftermath of Superstorm Sandy is the need to beef up contingency plans, including making sure staff members are cross-trained. "Practices in New York and Jersey affected by the storm found that many staff members could not travel to work, but they couldn't work from home either because of the lack of power and Internet access," says Deborah Kobza, CEO of the National Health Information Sharing and Analysis Center.

"The lesson we can learn is that we need more backup plans," she says. "If one plan doesn't work, you need to have another plan ready to put into place. Make sure your workforce is cross-trained so that those on-site can back up those who can't get to work."

HIPAA Security requires that practices maintain and review the following:

Risk Analysis:

You must ensure the confidentiality, integrity, and availability of your information systems containing ePHI (received or created by you) by implementing appropriate and reasonable policies, procedures, and controls to prevent, detect, contain, and correct violations. All of your workforce members are responsible for appropriately protecting ePHI contained on your information systems from unauthorized access, modification, destruction, and disclosure.

You must regularly identify, define and prioritize risks to the confidentiality, integrity, and availability of your information systems containing ePHI.

You have identified and examined each information system in your office for threats and vulnerabilities that could cause harm to your equipment and data. You have prioritized the possible threats and vulnerabilities.

You must implement security measures that reduce the risks to your information systems containing ePHI to reasonable and appropriate levels.

You have selected and implemented security measures based on your risk analysis process in order to protect your information systems, equipment, and data from any natural or other types of threat.

Contingency and Disaster Recovery Plans:

Your disaster and emergency response process must reduce the disruption to our information systems to an acceptable level through a combination of preventive and recovery controls and processes. Such controls and processes must identify and reduce risks to your information systems, limit damage caused by disasters and emergencies and ensure the timely resumption of significant information systems and processes. Such controls and processes must be commensurate with the value of the information systems being protected or recovered.

Backup copies of all ePHI on your electronic media and information systems must be made regularly. This includes both ePHI received and created by you. You must have adequate backup systems that ensure that all ePHI can be recovered following a disaster or media failure. Backup of ePHI must be stored in a secure remote location at a sufficient distance from the facility to escape damage from a disaster at or near your facility. Restoration procedures must be regularly tested to ensure that they are effective and that they can be completed within the time allotted in your disaster recovery plan.

Your HIPAA Compliance Officer (or other designated official) is responsible for ensuring the weekly, monthly, and annual backup of your data. These backup copies must be stored at a secure remote location. Your HIPAA Compliance Officer must regularly test restoration procedures for your electronic media and information systems containing ePHI.

You must create and document a disaster recovery plan to recover your information systems if they are impacted by a disaster. The plan must be reviewed regularly and revised as necessary. Your workforce must receive regular training on your disaster recovery plan. Your workforce members must have a current copy of the plan and an appropriate number of current copies of your plan must be kept off-site.

Your Disaster Recovery Plan establishes procedures to restore any loss of ePHI. A copy of this plan must be readily accessible in your primary office location and another copy is kept off-site.

In the event of a disaster (natural or otherwise), you will need to implement these Plans.

Some ideas for your plans are:

1. If your machines are damaged, purchase or rent new ones as soon as possible.

2. Restore your ePHI and programs from your most recent backup (on or off-site).

3. If you have a network, contact your network administrator.

4. After you are up and running again, secure copies of all of your software licenses if missing.

5. Ensure that all damaged equipment is thoroughly purged of any ePHI and document that process.

If you have any questions, please contact us and we will be happy to help you.