Why BMR and Healthcare go together in the USA

In the USA, Healthcare is one of the largest private-sector industries, making up 13% of the total U.S Workforce¹. Understandably healthcare professionals have high cybersecurity concerns and with the ever evolving IoT, bare machine recovery (BMR) can play an important part in mitigating risks.

Industry experts predict that throughout all global services, organizations from SME’s to large PLC’s will be targeted and this risk is far greater in the healthcare sector due to the valuable data and time sensitive material. Cybercriminals target these to sell their data to the black market for profit, or generate revenue through ransom directly with the company who has been compromised.

Governing bodies such as HHS, have put in place policies and procedures to bring awareness and fundamentally aid prevention methods of these types of occurrences from happening within the industry. Their aim is to get businesses thinking about the risks and ensure a disaster recovery plan is in place in case of an unprecedented attack.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was introduced by HHS and has set the national industry standard for good practice in regards to electronic healthcare and security.

“At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.²

Here we will look directly at the HIPPA Security Rule, February 2003, which is in regards to safeguarding electronic protected health information (e-PHI).

Healthcare compliance

“The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.

Specifically, covered entities must:

• Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
• Identify and protect against reasonably anticipated threats to the security or integrity of the information;
• Protect against reasonably anticipated, impermissible uses or disclosures; and
• Ensure compliance by their workforce…

… a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:

• Its size, complexity, and capabilities,
• Its technical, hardware, and software infrastructure,
• The costs of security measures, and
• The likelihood and possible impact of potential risks to e-PHI.
• Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.³

With growing threats in cybercrime, the latter has never been more imperative. The importance of this standard is to maintain data protection as well as patient wellbeing. With data being mission critical to patient care and diagnosis assessments, the IT systems need to be fully operational 24/7, 365 days of the year. As adoption of Electronic Health Records becomes the norm, patient assessment is system critical without a live system care for the patient becomes seriously impeded.

The Joint Commission

The Joint Commission certification is another accreditation healthcare organizations are adopting to show they are in line with safe and effective care of the highest standard. The rules and standards which need to be met are in line with HIPAA’s Security Rule and is another validation highlighting good practice from the organization.

What are the risks?

It is important that these standards are met, not only because HIPAA violations can result in substantial fines ranging from $100 to $1.5 million accessed to a practice.4 But Healthcare providers can also be at risk for sanctions or loss of license. Further to this, morally you would be providing inadequate patient care.

Another way to access risks is to approach it from the physical impact involved. Can you afford to have downtime? What consequences are involved from an operational perspective for loss of security and IT systems? These are the real questions you need to ask, much to the dismay of a Los Angeles hospital who was taken offline for more than a week due to a ransomware attack.

It turned out that the ransom figure was actually the least of the two evils, as the hospital paid the figure to restore their network and normal operations after a week of failed recovery. The hospital experienced loss of earnings during the security breach and had to transfer patients to other hospitals as they struggled to access patient data and operate core equipment.5

Although, like all cyberattacks this was brought on suddenly, if the hospital had a back-up in place or DR plan, there would be no need to pay the ransom and operations could have been restored with minimal downtime and with little disruption; depending on the RPOs (Recovery Point Objectives) and RTOs (Recovery Time Objects) set. That is why to be HIPAA compliant, you are required to have a DR plan in place, defined within the HIPAA Contingency Plan standard in the Administrative Safeguards section of the HIPAA Security Rule.

HIPAA DR Plan

“A HIPAA disaster recovery plan is a document that specifies the resources, actions, personnel and data that are required to protect and reinstate healthcare information in the event of a fire, vandalism, natural disaster or system failure.6

HIPAA-compliant organizations need to define the steps they will take in such scenarios and be able to put in place the actions if necessary. It involves details of the use of any hardware and software infrastructure, personnel in charge of operations, how live sensitive data can be transferred without breaching any HIPAA privacy and security rules and how that data can then be restored in the case of failure.

There are no strict methods as to the way and how it should be done; but the guidelines do need to be met and with experts and useful guides readily available, a business continuity plan should be top priority. This is where Cristie and BMR steps in.

Back-up and DRaaS solutions

Having a back-up and DR plan in place has never been more imperative. We already understand the significance of having these for both prevention and recovery. As well as the direct need to be complaint in the Healthcare sector. So how easy is it to implement?

Simple recovery processes require minimal technical expertise. We appreciate how crucial it is to manage RPOs and RTOs to avoid diminished care or ultimately loss of life and that is why with our solutions you can simply set and forget, mitigating risks.

Bare machine recovery

As experts in BMR, our solutions give you a reliable, proven and fast response to ensuring your systems are all fully recovered after a disaster. Recoveries may be fully automated and typically take under 10 minutes to perform. Cristie Recover delivers fully integrated, and instant recoveries to physical, hypervisor, and cloud environments.

Recover systems, applications and data directly from backups carried out by leading software vendors, without having to create or manage any additional backups.

Recover from backups created by:

• IBM Spectrum Protect (TSM)
• EMC NetWorker
• EMC Avamar
• CommVault Simpana

Prove your system is recoverable in the event of failure with Recovery Simulator by automating vital disaster recovery testing. Schedule and perform recovery simulations to a different machine with a report to validate the reliability of the recovery; essential for HIPAA Compliance.

“By using Cristie, our institution saves a lot of money from a DR solution. Previously we were unable to restore Bare Metal Recovery; it was a very long and painfully process and most of the time it was unsuccessful. Sometimes it worked, but it was time consuming as you always had to manipulate the system in order to boot successfully.

“Now I am able to recover the server within 1 to 2 hours depending upon size. Normally, a 60 GIG restore of an operating system takes about 1 hour. About 99.8% of the time I am able to recover a server without any issue. I can convert from Physical to Virtual or vice versa without installing OS/Application, which is a big advantage. I can restore to any hardware too, which is another plus point.

“Also, Cristie has one of the best support teams I have ever seen in my entire IT career of over 30 years. I always have a very good experience with great support and very knowledgeable staff, with exceptional response time. I do not have to wait day or days to get this, so I don’t experience any inconvenience or further disruption to our business or customers.”

Parul Patel, Data Backup and Recovery Admin
Einstein Healthcare Network

Hot Standby

Replicate and regularly sync critical systems for disaster recovery and business continuity with CloneManager. This solution lets you create perfect copies of live workloads or systems and then schedule syncs, defined by your requirements, to keep them up-to-date for disaster recovery purposes. Systems are fully replicated – including operating system, applications, data, and even user configuration – and copied to the target physical, virtual or cloud environment; essential for HIPAA Compliance.

Simulate recovery processes to ensure HIPPA and The Joint Commission compliancy.

Next steps

To find out more about our BMR solutions visit our recover solutions, for server replication see Hot Standby and for server migration view Move.

Alternatively get in touch with Jim Canavan, Sales Manager (North America) and our IT Healthcare expert, email james.canavan@cristie.com.

Jim will be attending the following sector events, so why not arrange to meet him for a coffee to discuss your BMR needs; he is more than happy to help or provide guidance with your DR plan.

HiMSS 17, February 19 – 23, Orlando, FL

HIPAA Summit, March 29 – 31, Washington, DC

Also you can download our Healthcare, BMR introduction here for quick reference.

Download this Whitepaper ‘Why BMR and Healthcare go together’ in pdf.

Useful resources and further information

For useful information on HIPAA and the US Healthcare sector, see;

¹ https://www.bls.gov/emp/ep_table_201.htm

² https://www.hhs.gov/hipaa/for-professionals/index.html

³ https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

4 https://hipaapoliciesandprocedures.com/f-a-q/hipaa-fines-and-penalties

5 https://www.csoonline.com/article/3033160/security/ransomware-takes-hollywood-hospital-offline-36m-demanded-by-attackers.html

6 https://searchhealthit.techtarget.com/definition/HIPAA-disaster-recovery-plan

• https://www.hhs.gov/hipaa/for-professionals/index.html
• https://www.jointcommission.org/
• https://searchhealthit.techtarget.com/tip/Meeting-HIPAA-disaster-recovery-requirements-tough-but-possible
• https://www.pwc.com/us/en/health-industries/top-health-industry-issues/assets/2016-us-hri-top-issues.pdf