1. What is the difference?
To start this discussion, it is important to draw the distinction between two terms that are often used interchangeably.
Disaster Recovery is what happens after a disaster occurs in order to restore normal functionality.
Business Continuity is the process that keeps the business operational and available to clients while the Disaster Recovery takes place.
As an example, take an office recently hit with a flood. The Disaster Recovery effort deals with removing the excess water and replacing anything that is too damaged to save. Business Continuity is the plan that the office will use so that it can still see clients, likely in an alternate temporary site, while the recovery effort is going on.
2. What does HIPAA say about this?
HIPAA calls out the need for both plans, though it uses different names for them. Both appear under the Contingency Plan standard at §164.308(a)(7).
§164.308(a)(7)(ii)(B) states the requirement for a Disaster Recovery plan: “Establish (and implement as needed) procedures to restore any loss of data.”
§164.308(a)(7)(ii)(C) states the requirement for an Emergency Mode Operation plan, which is HIPAA's name for a Business Continuity plan: “Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.”
Both are Required (not Addressable) implementation specifications, so every HIPAA covered entity (and, since the HITECH Omnibus Rule, every business associate) needs to have both documents.
3. What does PCI DSS (Payment Card Industry Data Security Standard) say about this?
Because PCI DSS is focused on the security of cardholder data, its requirement is to have a plan for recovering from security incidents, with business recovery and continuity treated as one component of the incident response plan. The wording is much briefer.
12.10.1: “Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: Business recovery and continuity procedures” (this is the PCI DSS v3.x numbering; earlier versions listed the same requirement as 12.9.1).
4. How does a company create such documents?
Identify Critical Business Functions: The first step is to create a list of the critical business functions. This is a list of the bare-bones essentials needed to run the business; everything else can wait until normal operations resume.
Identify the Disasters to Plan For: Next is to create a list of the disasters the company must be able to survive. This is a great task for a group brainstorming session. Consider any event that could threaten the functionality of the business. Easy items to consider are natural disasters, such as tornadoes, floods, fire, and hail. Also consider the sudden loss of power, loss of Internet access, loss of an employee who performs a critical function, or loss of access to client information (whether through hardware failure, a security breach, or a vendor outage).
Once this list is created, the company can start to consider how and which items will be addressed. Some are simple: in the case of a tornado, close the office and get to a designated shelter. Other items, such as losing Internet access, can be a simple process if the company can resort to paper until the Internet comes back online. More complex items, such as a regional event on the scale of Hurricane Sandy or a system-wide security breach, will require much more extensive planning.
Two separate documents will use this list as their starting points.
The Disaster Recovery plan will address, for each item, how the business will be affected and what will need to happen to recover from that disaster. In the case of a tornado, perhaps special insurance is purchased to help with the costs of rebuilding, and off-site backups are kept so that data can be restored.
The Business Continuity plan will address whether and how the business can keep operating in the event of each disaster. Again in the case of a tornado, perhaps the business provides a shelter that keeps people safe but allows work to continue, or designates an alternate site.
So we created these documents, now what?
Both HIPAA and PCI DSS expect these documents to be tested and revised. PCI DSS requires the incident response plan to be tested at least annually (12.10.2). HIPAA covers this under §164.308(a)(7)(ii)(D), “Testing and revision procedures,” which calls for periodic testing and revision of the contingency plans and is an Addressable specification. Addressable does not mean optional: it means implement the measure if it is reasonable and appropriate, and otherwise document why it is not and implement an equivalent alternative where one is reasonable and appropriate. Neither standard dictates how the test is performed, since that varies widely from one organization to the next. Whether the company runs a complete exercise or tests the plan in parts is a decision that should be documented and justified, and the plan should be updated with whatever the test reveals.
5. How can Netgain help?
Being well versed in technology and compliance standards, Netgain can help with both the creation and the implementation of these documents. Additionally, with our regional datacenters, we can keep your systems online even if one of our local datacenters goes offline.
If you have any questions, please contact our Security Officer, Charles Killmer via email questions to Charles.Killmer@netgainhosting.com.