BCDR and the Medical Industry – Am I Prepared?
“The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.” Bill Gates
A profound quote from a leader of the technology movement, one that paved the way to accessing data anywhere, anytime and any way; it also reminds us that technology that fails, or is not used properly, magnifies a company’s inefficiencies. As remote access and virtual server technology became prevalent, infrastructure required less power and space, which let companies become more agile, build in resiliency and ease recovery. Tape backup is still in place, but the reality is that a remote data center, far enough away and with easy failover, is what makes recovery resilient; alternatively, recovery can be designed around the time within which service must be restored (the recovery time objective, RTO) and the amount of data loss the company and its customers are willing to accept (the recovery point objective, RPO).
The healthcare industry, dealing in the treatment and prevention of illness, is a major industry that needs its technology available anywhere and at any time. It includes not only doctors’ offices and hospitals but the links between the two, pharmaceuticals, biotechnology, ambulance services/911, nursing homes, home healthcare and providers of healthcare plans. In a disaster these domains are hypersensitive to the ability to recover, for both the technology and the resources needed not only to support but to sustain life. In addition, it is important to have a plan ensuring not only that normal business activity can be sustained, but, most importantly, that it is sustained in a secure manner.
When we think of a disaster at its onset, we immediately think of hospitals and of patients being able to recover at an alternate medical facility. Expanding on this, you can look further at sustaining the supply of medications from pharmacies, where an interruption can also be life threatening. It is also important to note that healthcare business continuity and healthcare disaster recovery are slightly different responsibilities. Business continuity is about recovering day-to-day normal business activities; disaster recovery is about preparing all technology infrastructure vital to the organization so that a disruptive event causes as few issues as possible.
With Hurricane Sandy just behind us, what was the cost of its impact on the healthcare industry? To answer this question, review the impact of Hurricane Katrina in the article “Environmental Public Health Impacts of Disasters: Hurricane Katrina, Workshop Summary” (2007) by the Board on Population Health (BPH).
“Civilization advances by extending the number of important operations which we can perform without thinking of them.” Alfred North Whitehead
In my last blogs we talked about virtualization and the ever-growing maturity of technology, and how to select a data center. While technology has stabilized, performance and resiliency are needed more than ever. Cloud computing is agile, but it still needs redundancy, with failover to another facility. Many forget that cloud lets you expand your business quickly in peak seasons and reduce costs and infrastructure during off seasons.
Cloud is the next wave of technology, and most companies are now ensuring that their applications can run in the cloud. Cloud also enables outsourcing IT across the enterprise, likely leading to cost savings. With the intent of growing your business towards resiliency, use the following guidelines when selecting your provider: http://www.drj.com/data-center-selection-what-do-i-do.html.
- Are you using cloud technology?
- Does your provider have a failover facility?
- Does your provider have the ability to grow your business?
- Please let me know your thoughts on cloud technology and disaster recovery. How can you be ready?
“I’m a great believer that any tool that enhances communication has profound effects in terms of how people can learn from each other, and how they can achieve the kind of freedoms that they’re interested in.” Bill Gates
What a profound quote from a visionary of the technology movement, one that paved the way to accessing data anywhere, anytime and any way. I’m dating myself a bit when I go back to the days of selecting a data center just because it was nearest to where we could do hands-on support, and where we had just enough power to manage the data plus a few years of growth. As remote access and virtual server technology became prevalent, infrastructure required less power and space. Remote data access allowed companies to be more agile and to rethink data center selection around resiliency and ease of recovery. Tape backup is still in place, but the reality is that a remote data center, geographically distant and with easy failover, is what makes recovery resilient; alternatively, recovery can be designed around the time within which service must be restored (the recovery time objective, RTO) and the amount of data loss the company and its customers are willing to accept (the recovery point objective, RPO).
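The last sentence of this paragraph, like the matching one in the healthcare post above, describes the two numbers a business impact assessment produces: how long recovery may take (RTO) and how much data may be lost (RPO). The following Python example is added for illustration and is not code from the original posts; it checks the evidence left by replication/backup jobs and a failover exercise against per-system targets and reports which systems would not meet them. The system names, targets, log format and log lines are all constructed for this example, as is the “time of the disaster”.

```python
from datetime import datetime

# Constructed BIA targets in minutes: RPO = tolerable data loss,
# RTO = tolerable downtime. System names are illustrative.
TARGETS = {
    "ehr-db":       {"rpo_min": 15,   "rto_min": 60},
    "pharmacy-app": {"rpo_min": 60,   "rto_min": 240},
    "file-server":  {"rpo_min": 1440, "rto_min": 2880},
}

# Constructed evidence log (assumed format): "<ISO time> <system> <event> <detail>".
# "replicated"/"backup" with detail "ok" is a usable recovery point; a failed
# copy is not. "failover-test" carries the measured minutes to restore service.
LOG = """\
2012-11-01T00:05:00 ehr-db replicated ok
2012-11-01T00:10:00 ehr-db replicated ok
2012-11-01T00:25:00 ehr-db replicated FAILED
2012-11-01T00:40:00 ehr-db replicated FAILED
2012-10-31T23:00:00 pharmacy-app backup ok
2012-11-01T00:00:00 pharmacy-app backup ok
2012-10-31T01:00:00 file-server backup ok
2012-10-31T21:00:00 ehr-db failover-test 48
2012-10-31T21:30:00 pharmacy-app failover-test 200
"""

NOW = datetime(2012, 11, 1, 0, 45)  # constructed "time of the disaster"


def parse_log(text):
    """Parse log lines into (timestamp, system, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, parts[1], parts[2], parts[3]))
    return events


def evaluate(log_text, targets, now):
    """Return {system: report}. RPO is judged from the newest *successful*
    copy; RTO from the worst measured failover. An untested system cannot
    claim its RTO, so it fails that check."""
    events = parse_log(log_text)
    report = {}
    for system, target in targets.items():
        good = [ts for ts, s, ev, d in events
                if s == system and ev in ("replicated", "backup") and d == "ok"]
        tests = [int(d) for ts, s, ev, d in events
                 if s == system and ev == "failover-test"]
        last_good = max(good) if good else None
        achieved_rpo = (now - last_good).total_seconds() / 60 if last_good else None
        measured_rto = max(tests) if tests else None
        report[system] = {
            "last_good": last_good,
            "achieved_rpo_min": achieved_rpo,
            "rpo_ok": achieved_rpo is not None and achieved_rpo <= target["rpo_min"],
            "measured_rto_min": measured_rto,
            "rto_ok": measured_rto is not None and measured_rto <= target["rto_min"],
        }
    return report


def failing_systems(report):
    """Systems that miss either objective, sorted by name."""
    return sorted(s for s, r in report.items() if not (r["rpo_ok"] and r["rto_ok"]))


if __name__ == "__main__":
    rep = evaluate(LOG, TARGETS, NOW)
    for system, r in rep.items():
        print(f"{system:13s} RPO {r['achieved_rpo_min']!s:>7} min ok={r['rpo_ok']}  "
              f"RTO {r['measured_rto_min']!s:>5} min ok={r['rto_ok']}")
    print("not recoverable within targets:", ", ".join(failing_systems(rep)))
```

Two details matter in practice and are built into the check: a failed replication run does not move the recovery point forward (ehr-db’s two failures leave it 35 minutes behind a 15-minute RPO), and a system that has never been failed over has no measured RTO and therefore cannot be counted as meeting it (file-server).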
So what do I look for in a data center?
- Access control and physical security: locks, rack/cabinet locks, cameras, monitoring, etc.
- Power, cooling and fire protection
- Room to grow
- If insourced, enough distance (“hot points”) between the primary and the alternate data center that a single regional event cannot take out both
- If outsourced, a plan for an alternate failover location
- Ability to staff the site
- Federal and regulatory compliance (as noted in my previous blog located here: http://www.drj.com/user-blogs/drj-blogs/business-continuity-and-legislative-requirements.html) – this includes political stability
- Requirements driven by recoverability needs, established by performing a business impact assessment (as noted in my previous blog located here: http://www.drj.com/kelly-hudson/34252-what-happens-after-the-bia.html)
- Financial stability: whether you co-locate or own the data center, will it be able to stay in business? Is the market in the data center’s location stable?
- Location stability: is the area prone to earthquakes or flooding, and does the data center operator, or your own team, understand how to assess the impact of the location on availability?
- Cost of service
There are numerous other dimensions to data center selection, especially with the growth of cloud technology. I have a few questions and would love to hear from you!
- What does your checklist look like for data center selection?
- Are you outsourcing your data center, moving to container technology and/or reducing your cost?
- Do you know what you need for your business, and your customers?
- Have you taken into consideration the impact of the location on your brand image?
Business Continuity and Legislative requirements
“There are risks and costs to a program of action, but they are far less than the long-range risks and costs of comfortable inaction” John F. Kennedy
In today’s business climate, business continuity is all about ensuring your resources can work anywhere, anytime. Technologies including cloud services, a wide range of mobile devices, desktop virtualization and online collaboration tools (e.g., Office 365) enable this 24/7, global connectivity. This trend towards ever-increasing access to information and resources makes legal and regulatory compliance even more important for protecting a company’s assets and customers.
There are legislative requirements for business continuity and disaster recovery planning, but how can you be sure they are reviewed by legal counsel and signed off after implementation? Many companies perform internal audits to ensure compliance; however, when you are providing a service to your customers you need legal guidance, reviewing all business continuity management plans to ensure they are within local, federal and sometimes international requirements. Incidentally, while companies have boards of directors and auditing teams, I have found they are not delving deep enough into the plans and are relying on the management team to ensure the plans and control points are precise and validated. Having an attorney who is an expert in compliance review these control points, and legally sign off that they are met, will also ensure that your consumers and company are protected.
New technology doesn’t mean you’re compliant. Review the legislative requirements and ensure your company has legal representation.
Below are examples of legal requirements that bear on BCDR:

| Sector | Requirement | What it says about BCDR |
|---|---|---|
| Medical / Hospitals | HIPAA Security Rule 164.308(a)(7)(i) | Regulations covering electronic security and transmission of patient records. A documented, tested disaster recovery plan is required. |
| Financial Services & Banking | FFIEC FIL-67-97 | The Board of Directors is responsible for ensuring that a comprehensive business resumption and contingency plan has been implemented, encompassing distributed computing and external service bureaus. |
| | Comptroller of the Currency BC-177 (1983, 1987), superseded by FFIEC; Federal Home Loan Bank Bulletin R-67 (1986), superseded by FFIEC | Requires banking institutions to develop and maintain business recovery plans. |
| | Inter-Agency Policy from the Federal Financial Institutions Examination Council (FFIEC, 1989; revised and strengthened 1997) | Requires business-wide resumption planning and extends the regulation to require contingency plans from any service bureaus or outsourcing companies that serve such banks. |
| Public Companies | SEC Regulations | Reasonable safeguards for information; the Board of Directors and senior management will be accountable. |
| | Foreign Corrupt Practices Act (1977) | Requires that publicly held corporations provide “reasonable protection for information systems” and holds management accountable. |
| | Sarbanes-Oxley Act | SOX clearly states a harsh set of fines and other punishments for failure to comply with the law, and it offers no leeway for being unable to meet your requirements because of a disaster or other data-loss event. You must be able to file your reports, and have the data to back them up, no matter what else may be going on in the organization or its data center. |
| All Companies | IRS Procedure 86-19 | Legal backup and recovery requirements for computer records containing tax data. |
| eCommerce Transactions | Consumer Credit Protection Act (CCPA) section 2001 Title IX (1992) | Due diligence for availability of data in electronic funds transfers, including point of sale. |
| Federal Government | Computer Security Act | Requires security plans for all federal computer systems to assure data integrity, availability and confidentiality. |
| | FEMA FRPG 01-94 | All department and agency heads must formally plan for continuity of essential operations. |
| State Governments | Various state Departments of Administrative Services policies, e.g., Texas (1 TAC 210.13(b)), Oregon’s Dept. of Information Resources (ORS 291.038) | Policies assigning responsibility for contingency planning within state agencies. |
| Global Government | Safe Harbor Act / European Union Data Protection Directive | Further information can be found at: http://www.businessrecords.com/doc.asp?page=8&subpage=76 |
Cyber Safety – How can you be ready?
“Life is inherently risky. There is only one big risk you should avoid at all costs, and that is the risk of doing nothing”. Denis Waitley
In my last blog, on BCDR and “spoofing”, I received a moderate number of emails about the lack of understanding of cell phone and internet connectivity and the leaking and selling of personal information. Many people were unaware that downloading applications onto a cell or mobile phone can also leak corporate data stored on that phone. Just to remind you what “spoofing” is: “Spoofing is defined as gaining access to a computer user’s sensitive information such as bank account, credit card, and Social Security numbers.” [1] However, spoofing is also spying. Spying occurs at many levels on the Internet; first, information about your browsing is captured via cookies. Cookies are stored by your browser, where they can be deleted or blocked, or they can be filtered by your company’s firewall or web proxy. It is also well established that all computers, including your home PC, should run anti-virus and anti-spyware software. Many companies allow employees to access work functions from their home PCs, and one click on a malicious web site can give an attacker access to both your personal and your corporate data.
An additional concern, to add to last week’s blog on the selling of personal information by other sites and companies, is internal leaks. There are countless examples of corporations that inadvertently share customer information internally, if not externally. How are you going to ensure your company prevents personal data, and other high-business-impact data, from leaking onto the Internet through Twitter, LinkedIn, Facebook, etc.? It is imperative for a company to adopt strict policies controlling the acquisition, storage, disclosure and destruction of personal information, along with the HR policies noted in the business continuity plans.
- Do you send corporate or personal credit card information over the Internet to obtain services?
- Has your corporate phone been connected to any device other than your company computer?
- Have you accessed your corporate network from a public computer? Do you have a plan to ensure that no corporate data or credentials persist on that PC?
- Are your LinkedIn and Facebook profiles locked down?
Be vigilant! There are 600,000 hacking attempts per day on Facebook alone. [2]
[1] Online Cyber Safety Glossary (2012). Retrieved from: http://www.bsacybersafety.com/threat/spoofing.cfm
[2] Sentry SP (October 29, 2011). Retrieved from: http://www.sentrysp.com/600000-hacking-attempts-per-day/
How can I be prepared?
How mature is your business continuity and disaster recovery program? Are you meeting all of your regulatory requirements as they relate to business continuity or disaster recovery? Did you know that “spoofing” should be considered in your plans? Spoofing is defined as gaining access to a computer user’s sensitive information such as bank account, credit card, and Social Security numbers. [1] Spoofing scams “generally arrive via email, appear to be authentic and urge immediate action to update personal information,” as the online Cyber Safety Glossary puts it. (In security terms the lure itself is usually called phishing; the “spoofing” is the forged sender identity, such as a faked From address or caller ID, that makes the lure look authentic.) Spoofing does not just occur via email these days; it also arrives by cell phone, home phone, work phone and web sites. In some cases the email or phone attendant can appear highly professional and authentic, causing you to volunteer personal or corporate information you would never imagine giving to a stranger. Tracing the source of a spoofed email or web site is difficult, because sender addresses and headers can be forged and the traffic passes through relays, proxy servers and firewalls that hide its origin. Also, some web sites are paid well by other sites and companies for the personal data they collect about you and your company.
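The forged sender identity described in this paragraph and in the “Cyber Safety” post above can be checked mechanically, either at the mail gateway or in a triage script run over a reported message. The following Python example is added for illustration and is not code from the original posts or from the glossary they cite; it parses the Authentication-Results header that a receiving mail server adds (the SPF, DKIM and DMARC verdicts) and flags messages whose From domain was not authenticated by an aligned verdict, whose Reply-To points somewhere else, or whose display name impersonates another address. The two messages, the gateway name mx.hospital.example and every domain in them are constructed; the alignment rule is a simplified form of DMARC’s relaxed alignment, as noted in the code.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Two constructed messages as they might look after our mail gateway
# (assumed name mx.hospital.example) has added Authentication-Results.
LEGIT = """\
Authentication-Results: mx.hospital.example; spf=pass smtp.mailfrom=alerts@bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: Bank Alerts <alerts@bank.example>
To: clerk@hospital.example
Subject: Your statement is available

Your monthly statement is ready in the portal.
"""

SPOOFED = """\
Authentication-Results: mx.hospital.example; spf=fail smtp.mailfrom=bounce@mail-relay.example; dkim=none; dmarc=fail header.from=mail-relay.example
From: "security@bank.example" <notice@mail-relay.example>
Reply-To: verify@bank-secure-login.example
To: clerk@hospital.example
Subject: Urgent: confirm your account today

Click the link and update your personal information immediately.
"""


def parse_auth_results(value):
    """Turn 'authserv; spf=pass smtp.mailfrom=a@b; dkim=...' into
    {'spf': {'result': 'pass', 'smtp.mailfrom': 'a@b'}, ...}."""
    results = {}
    for part in value.split(";")[1:]:        # [0] is the gateway's own name
        tokens = part.split()
        if not tokens:
            continue
        method, _, verdict = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        props["result"] = verdict.lower()
        results[method.lower()] = props
    return results


def aligned(from_domain, auth_domain):
    """Simplified DMARC relaxed alignment: equal, or one is a subdomain
    of the other. Real DMARC compares organizational domains."""
    if not from_domain or not auth_domain:
        return False
    return (from_domain == auth_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def check_message(raw):
    """Return the gateway verdicts plus a list of reasons the message looks spoofed."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf, dkim, dmarc = auth.get("spf", {}), auth.get("dkim", {}), auth.get("dmarc", {})
    reasons = []

    if not auth:
        reasons.append("no Authentication-Results header from our gateway")
    if dmarc.get("result") == "fail":
        reasons.append("gateway reported DMARC fail")
    # The From domain the user sees must be backed by SPF or DKIM for that domain.
    spf_aligned = spf.get("result") == "pass" and aligned(
        from_domain, spf.get("smtp.mailfrom", "").rpartition("@")[2].lower())
    dkim_aligned = dkim.get("result") == "pass" and aligned(
        from_domain, dkim.get("header.d", "").lower())
    if not (spf_aligned or dkim_aligned):
        reasons.append(f"From domain {from_domain!r} not authenticated by aligned SPF or DKIM")
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain!r} differs from From domain")
    # Display-name spoofing: the name shows one address, the real sender is another.
    m = re.search(r"@([\w.-]+)", display_name)
    if m and m.group(1).lower() != from_domain:
        reasons.append(f"display name impersonates {m.group(1)!r}")

    return {"from_domain": from_domain, "spf": spf.get("result", "none"),
            "dkim": dkim.get("result", "none"), "dmarc": dmarc.get("result", "none"),
            "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        r = check_message(raw)
        print(label, "suspicious" if r["suspicious"] else "clean", r["reasons"])
```

The check trusts only the Authentication-Results header written by your own gateway; an attacker can put any text in the headers of the message itself, so a gateway that does not strip pre-existing Authentication-Results headers on inbound mail makes this kind of triage unreliable.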
- Why is it important to train staff on spoofing and on keeping your data safe?
- What anti-virus or anti-spyware software are you running on your machine at home?
- Do you use your credit card over the Internet to obtain services?
- Have you downloaded applications onto your cell phone (iPhone, Android and others) that, unknown to you, may be tracking your location, credit card and other private information?
- How are you going to ensure the safety of your own and your company’s private information?
[1] Online Cyber Safety Glossary (2012). Retrieved from: http://www.bsacybersafety.com/threat/spoofing.cfm
[2] Email spoofing (30 May 2012). Retrieved from:
In my next post I’ll discuss the results of this survey. In the interim, be watchful and don’t get spoofed!