Contingency Planning, Disaster Recovery, and Testing Standard

Overview

Owners of Information Systems containing Electronic Protected Health Information (ePHI) must have a formal process enabling them to preparing for and effectively responding to emergencies and disasters that could have a negative impact on the confidentiality, integrity or availability of their Information Systems.

Purpose

Contingency planning supports thorough plans, procedures, and technical measures that can enable a system to be recovered quickly and effectively following a service disruption or disaster.

Scope

This standard applies to Owners of Information Systems.

Description

The following are the critical components to an effective Disaster Recovery (DR) Plan:

  1. Regular analysis of the criticality of Information Systems containing EPHI.
  2. Development and documentation of a disaster and emergency recovery strategy that is consistent with the Medical Center’s business objectives and priorities.
  3. The disaster and emergency response process must reduce the disruption to Information Systems to an acceptable level through a combination of preventive and recovery controls and processes. Such controls and processes must identify and reduce risks to Information Systems, limit damage caused by disasters and emergencies, and ensure the timely resumption of significant Information Systems and processes. Such controls and processes must be commensurate with the value of the Information Systems being protected or recovered.

Testing of DR Plan

  1. Elements of the DR Plan will be tested to verify that that ePHI can be restored to a usable state.
  2. The previous DR Plan tests will be reviewed to determine those elements or functions that have not been tested or that required attention or correction.
  3. All steps necessary to set up and perform the DR test will be documented and retained for future reference.

Document Supporting Resources