Incident Response and Reporting Procedures

					Department of Medicine                    Page 1                                  7/1/2012


                            WASHINGTON UNIVERSITY
                             HIPAA Security Policy #7

                                Department of Medicine


          Data Backups and Disaster Recovery Planning # 7

             Department of Medicine HIPAA Compliance Procedure
      HIPAA Security Policy #7 – Data Backups and Disaster Recovery Planning


Data Backup and Contingency Planning Procedures for The Department of
Medicine.
   1. Established and documented procedures to perform an annual application and data
      criticality analysis.
   2. Created formal documentation listing the applications and data that are critical to
      the operation of the Department of Medicine.
   3. Established and documented a comprehensive Data Backup Plan.
   4. Disaster Recovery Planning
   5. Emergency Mode Operation Planning

1. Established and documented procedures to perform an annual application and
data criticality analysis.
Annually send the DAs a listing of all server-based applications and data repositories in the
environment and require them to rank each one as one of the following four levels.
1 = Highly critical to their workflow (i.e., work stoppage if not available).
2 = Critical to their workflow (work can continue for a time if unavailable).
3 = Helpful but not critical to their workflow (very low impact on work).
4 = Not directly related to workflow (archived data, personal data, etc.).



2. Created formal documentation listing the applications and data that are critical
to the operation of the Department of Medicine.
Annually send the DAs a listing of all server-based applications and data repositories in the
environment and require them to rank each one as one of the following four levels.
1 = Highly critical to their workflow (i.e., work stoppage if not available).
2 = Critical to their workflow (work can continue for a time if unavailable).
3 = Helpful but not critical to their workflow (very low impact on work).
4 = Not directly related to workflow (archived data, personal data, etc.).

Those items ranked as #1 or #2 are to be incorporated into the disaster recovery and
availability plan. The disaster recovery and availability plan is to be copied, with one
copy kept in the server room, one copy kept in the LAN-Admin office and one copy
kept on file at the HIPAA security manager's disposal.




3. Established and documented a comprehensive Data Backup Plan.
The Data Backup Plan includes procedures to create and maintain retrievable exact
copies of all EPHI determined to be medium and high risk.

Department of Medicine utilizes a modified Grandfather/Father/Son tape rotation as
outlined below for data backup and retention life cycle. This modified tape rotation
schedule allows:
    1. full recovery for any day within the past month,
    2. restore of any file at a point in time corresponding to the week-end close of
       business backup for any week within the past 2 months,
    3. restore of any file at a point in time corresponding to the month-end close of
       business backup for any month within the past 2 years,
    4. restore of any file at a point in time corresponding to the year-end close of
       business backup for an indefinite time period.

Daily backups Monday - Thursday
       Differential backups performed every evening
       Tape(s) kept for 1 month then overwritten

Weekly backups Friday
       Full backup performed every Friday evening
       Tape(s) kept for 2 months then overwritten

Monthly backup copy
       First weekend backup each month is rotated off-site
              (this is after close of business for the previous month)
       Monthly tape(s) kept for 2 years then overwritten

Yearly backup copy
       First weekend backup in August is rotated off-site
              (this is after close of business for previous year)
       Yearly tape(s) kept indefinitely



The Data Backup Plan includes all medium and high risk files, records, images, voice or
video files that may contain EPHI.
    1. Our current Data Backup Plan maintains exact copies of all EPHI data for a 1
       month cycle. We currently perform differential backups Monday through
       Thursday, and after one month the information will be discarded and the media
       will be erased and reused for future EPHI data backups.
    2. We keep an exact copy of all EPHI data as it exists on the production system at a
       point in time corresponding to our week-end backup job for a 2 month cycle. We
       currently perform full backups of every system beginning Friday evening, and
       after 2 months the information will be discarded and the media will be erased and
       reused for future EPHI data backups.
    3. We keep an exact copy of all EPHI data as it exists on the production system at a
       point in time corresponding to our month-end backup job for a 2 year cycle.
       After 2 years the information will be discarded and the media will be erased and
       reused for future EPHI data backups.
    4. We keep an exact copy of all EPHI data as it exists on the production system at a
       point in time corresponding to our year-end backup job. The tapes designated as
       year-end backup tapes are removed from the tape rotation and stored indefinitely.
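
The rotation and retention rules above, worked through as an added example (it is not part of the original policy): it classifies each evening's tape, computes when that tape may be overwritten, and lists the tapes a restore to a given day needs. It assumes "first weekend backup" means the first Friday full backup of the month and that retention is counted in calendar months; all function names are hypothetical.

```python
import calendar
from datetime import date, timedelta

# Retention per tier in calendar months, as stated in the policy (None = indefinite).
RETENTION_MONTHS = {"daily": 1, "weekly": 2, "monthly": 24, "yearly": None}

def add_months(d, n):
    """Shift d by n calendar months, clamping the day to the target month's length."""
    y, m = divmod(d.year * 12 + d.month - 1 + n, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

def tier(d):
    """Classify the backup job run on the evening of d; None if no job runs."""
    wd = d.weekday()                  # Monday = 0 ... Sunday = 6
    if wd > 4:
        return None                   # nothing scheduled Saturday or Sunday
    if wd < 4:
        return "daily"                # Monday-Thursday differential
    if d.day <= 7:                    # assumption: first Friday = "first weekend backup"
        return "yearly" if d.month == 8 else "monthly"
    return "weekly"                   # any other Friday full backup

def expires(d):
    """Date from which the tape written on d may be overwritten (None = never)."""
    t = tier(d)
    if t is None:
        raise ValueError(f"no backup job runs on {d}")
    months = RETENTION_MONTHS[t]
    return None if months is None else add_months(d, months)

def retained(d, today):
    """True if a tape was written on d and has not yet reached its overwrite date."""
    if tier(d) is None or d > today:
        return False
    end = expires(d)
    return end is None or today < end

def restore_chain(target, today):
    """Tapes needed to restore to close of business on target, or None if gone.

    A differential is useless without the full it is based on, so the chain is
    the most recent Friday full plus, for Monday-Thursday, that day's differential.
    """
    point = target
    while tier(point) is None:        # weekend: last restore point is Friday
        point -= timedelta(days=1)
    full = point - timedelta(days=(point.weekday() - 4) % 7)
    chain = [full] if full == point else [full, point]
    return chain if all(retained(b, today) for b in chain) else None

if __name__ == "__main__":
    today = date(2012, 9, 1)          # constructed sample dates
    for day in (date(2012, 7, 11), date(2012, 7, 14), date(2012, 8, 29)):
        print(day, tier(day), restore_chain(day, today))
```

Because every full backup is retained at least twice as long as a differential, any differential still on the shelf always has its base full available; the chain only breaks when the differential itself has been overwritten.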



All EPHI data will be stored and accessed from a centrally located facility. The Data
Backups will retain all EPHI data whether it is Low, Medium or High risk.
On the second Monday of each month the tape set designated as the previous month's
month-end backup is transported off-site to a data warehouse facility in Maryland
Heights. The tapes are kept off-site for one month and returned when the next month's tapes
are picked up. The returned tapes are then stored with our daily and normal weekly tapes
in a locked storage room that is located in a secure environment in a building separated
from the production storage systems by three city blocks. After hours a secure access
card is required to enter the building. A key is required to gain entry to the storage room
where the EPHI media is stored.

This remote on-site and off-site rotation is designed to ensure:
   1. We have a complete data set in case of disaster
   2. We have working data on site for periodic recovery for users



Indicate the type of storage utilized for EPHI-based systems and backups:
An off-site storage facility is being used to store backups.

Name of Storage Provider ______ Recall Corporation _______

               BAA exists for Storage Provider

The Data Backup Plan includes periodic testing of backup procedures and media.
The Data Backup plan involves a periodic test to restore data that could be potentially
lost due to system failure, user error or disaster beyond control. These tests are in
addition to customary weekly validation processes associated with standard operational
procedures.




4. Disaster Recovery Planning
    Attachment A

5. Emergency Mode Operation Planning
    Covered in Attachment A – Details still being finalized




                                           Attachment A
                               Data Backup and Disaster Recovery Survey

Department ____IMCSS________________ Name __Larry Poertner_____________________

Your answers to the following questions will assist us in determining the electronic applications critical to
the business operations of your department for purposes of developing a Data Backup and Disaster
Recovery Plan.

Please respond to the questions based on the following scenarios:
    1. Tier 1 - Local disasters: Computer room flood, fire, power failure, or hardware failure which
         might render specific segments of the network inoperable or certain resources unavailable.
    2. Tier 2 - Campus Wide Disasters: In the event a large subset or the entire WUSM network was
         inoperable or unavailable.
    3. Tier 3 - Regional disasters: In the event of a natural disaster or terrorist acts that would impact the
         world beyond WUSM.

*In all cases, disaster recovery operations will focus initially on systems critical to managing patient care.
It is also assumed that the physical network will need to be restored to an operational state prior to the
restoration of any electronic resources.



Tier 1 - Local Disasters:

    1.   Please rate in the order of importance (1 being most critical), the CRITICAL electronic resources
         your department would need to continue business operations in the event of a local or computer
         room disaster.

Criticality Rating                            Electronic Resource Name
_________                   Active Directory services (Authentication: DNS)
_________                   Exchange E-Mail
_________                   SQL applications/Databases (other than e-mail) – please list
_________                   (DB4, OCDB, Transcription, Dennemeyer, Cyberren, Medical Manager,
                            AscendIP)
_________                   __Data Flow Management servers (imservices, Docushare)____
_________                   Active Directory services (H: drive access)
_________                   Other Databases or Applications - please list
_________                   ___( Budget Modeling Pace-Art, Paces, StudyManager)__
_________                   ______________________________________________________
_________                   Citrix MSAM or Citrix Farm Services (Specify:)__
                                     (Renal Dedicated Citrix servers for Cyberren and Medical manager
                            applications) (Can quickly offer department applications to core staff)
                            _______________

_________                  ______________________________________________________
_________                  ______________________________________________________
_________                  ______________________________________________________
_________                  Other Services or Resources– please list
_________                  ______________________________________________________
_________                  ______________________________________________________
    2.   Please list any specific network segments or areas that are critical to patient care:
         Building Location                              Subnet
         _Dialysis Center (Wohl)__________              ________________________________
         _Dialysis Center (Forest Parkway)_             ________________________________
         _CAM________________________                   ________________________________
         _Rolla________________________                 __3rd Party Provider________________
         _969, West County______________                ________________________________
         _Storz              ______________             ________________________________


    3.   How long can you sustain business operations without your most critical electronic resources?

                  3 days     to      1 week             2 weeks 1 month


    4.   Please list ALL other (non-critical) electronic resources your department uses which would need
         to be restored in the event of a local, computer room disaster, which are not included on the
         critical list above.

___Web Servers (Information points), Anti-Spam systems, Test Lab, Secondary Domain controllers, Email
Connector Gateways, Audit collection server, BES services, IR Synch Services, Mcleod,
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
______________________________________________________________________________________
_____________________________



    5.   How long can you sustain business operations without these non-critical resources?

                  3 days             1 week             2 weeks to 1 month




Tier 2 - Extensive Disasters:

    1.   Please rate in the order of importance (1 being the most critical), the CRITICAL electronic
         resources your department would need to continue business operations in the event of a
         widespread disaster.

Criticality Rating                            Electronic Resource Name
_________                  Active Directory services (Authentication: DNS)
_________                  Exchange E-Mail
_________                  SQL applications/Databases (other than e-mail) – please list
_________                  (DB4, OCDB, Transcription, Dennemeyer, Cyberren, Medical Manager,
                           AscendIP)
_________                  __Data Flow Management servers (imservices, Docushare)____
_________                  Active Directory services (H: drive access)
_________                  Other Databases or Applications - please list
_________                  ___( Budget Modeling Pace-Art, Paces, StudyManager)__
_________                  ______________________________________________________
_________                  Citrix MSAM or Citrix Farm Services (Specify:)__
                                     (Renal Dedicated Citrix servers for Cyberren and Medical manager
                           applications) (Can quickly offer department applications to core staff)
                           _______________
_________
_________                    Access to BJC Applications - please list
_________                  ___ClinDesk___________________________________________
_________                  Other Services or Resources– please list
_________                  ______________________________________________________
_________                  ______________________________________________________




    2.   Please list any specific network segments or areas that are critical to patient care:


         Building Location                             Subnet
         _Dialysis Center (Wohl)__________             ________________________________
         _Dialysis Center (Forest Parkway)_            ________________________________
         _CAM________________________                  ________________________________
         _Rolla________________________                __3rd Party Provider________________
         _969, West County______________               ________________________________
         _Storz              ______________            ________________________________


    3.   How long can you sustain business operations without your most critical electronic resources?

                3 days    To      1 week            2 weeks 1 month


   4.   Please list ALL other electronic resources your department uses which would need to be restored
        in the event of a widespread disaster, which are not included on the critical list above.

   __________________________________________________________________________________
   __________________________________________________________________________________
   __________________________________________________________________________________
   __________________________________________________________________________________
   __________________________________________________________________________________
   __________________________________


   5.   How long can you sustain business operations without your most critical resources?

                3 days            1 week            2 weeks   To      1 month

CR/DR Site Information:

In case of a Tier-2 Disaster, Networking Services plans to focus its efforts on data centers and DR sites
with concentrated amounts of critical systems.

    1.   Please list your current and planned data center and disaster recovery sites.

C or P             CR or DR                   Site
_____              _________                  Business Continuity Center – Rosedale Site
_____              _________                  FPE - 4480 Clayton
_____              _________                  Health Key Bldg




    2.   What is the amount of spare server capacity you plan on having at the DR site? (How
         many servers are planned or currently in your DR site?)
_____AD, DNS, Email, File/Print, SQL,_____________________________________________
____________________________________________________________________________


    3.   How many network ports (and what speed) would be required to bring your operation back
         online?
________10__(Preferably minimum of 100 MB) _____________________________________
____________________________________________________________________________
____________________________________________________________________________


    4. After declaring a disaster and moving to the site, what is your reasonable expectation of
         time for having applications back on the network?
Preliminary plans include using the business continuity site for a “dark” site where we would have
system and data redundancy on a reduced or limited capacity. I would expect the center to be
accessible and operational within a few hours for those of our users who have network
connectivity. If both the FPE building and the business continuity site are damaged/destroyed in
a disaster then I would look for some level of service within our 3 days to 1 week critical needs as
listed. ______________________________________________________________________
____________________________________________________________________________


    5. Do you plan to locate a storage array or other SAN/NAS equipment at your DR site? If
         yes, describe the equipment and the network connectivity requirements.
_______Yes, EMC 4700 SAN with SQL/File/print/email servers connected to it, Network
connectivity would be the same as listed above for network ports and speed.
_____________________________________________________________________
____________________________________________________________________________

____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________

				