Businesses of all sizes are always vulnerable to any number of natural or man-made disasters such as data breaches or cyberattacks. A disaster recovery plan is therefore essential to ensure not only business continuity in the event of a disaster, but long-term survival in the months and years that follow.
For HIPAA-covered entities such as dental practices, having a disaster recovery plan in place is not an option, but a legal requirement. What’s more, this disaster recovery plan must be regularly updated to ensure all protected health information (PHI) is safe and recoverable should a disaster strike.
Threats from All Angles
Business continuity is constantly under threat. Whether it’s severe weather (tornadoes, hurricanes, ice storms), natural disasters (earthquakes, flooding, fires), software and hardware failures, or human-borne threats (theft, manual errors, cyberattacks) – the effects of a disaster event can be ruinous, particularly for small businesses.
Research has shown that more than 40% of small businesses are forced to throw down their shutters permanently following a disaster – and of those that manage to reopen, 25% fail within a year.
Amongst the biggest and most costly threats to small businesses in the healthcare sector are hacking and IT incidents. Health records are a key target for cybercriminals – and more and more are being compromised each year. According to the Healthcare Breach Report 2021, 599 healthcare breaches occurred in 2020, representing a 55.1% year-over-year increase and impacting some 26 million people in the US.
Hacking was the chief cause of breaches, representing more than two-thirds (67.3%) of incidents and exposing 91.2% of all breached records in 2020.
As the report puts it: “These results demonstrate the heightened impact of cybersecurity breaches, the shifting strategies of malicious actors, as well as how healthcare organizations are grappling with cybersecurity in today’s dynamic, cloud-first world. The remaining categories, although small in percentage, still exposed about 2.3 million people, rendering them susceptible to identity theft, phishing and other forms of cyberattacks.”
The average cost per breached record also rose from $429 in 2019 to $499 in 2020, with healthcare organizations taking about 96 days to identify a breach and 236 days to recover.
The Importance of a Disaster Recovery Plan
No matter the size of your practice, you can be sure it’s a target for cybercriminals – and natural disasters, of course, are completely non-discriminatory. While you cannot prevent hurricanes, earthquakes, or hackers attempting to breach your PHI data, there are measures you can take to protect your business from any fallout that may potentially follow.
This is the ultimate purpose of a disaster recovery plan – to provide your practice with a robust set of tools, policies and procedures to ensure your operations, data and reputation are quickly recoverable and to avoid fines from regulatory authorities for violating HIPAA. Indeed, for HIPAA-covered entities, disaster recovery planning is a HIPAA requirement.
The HIPAA Security Rule stipulates that all organizations covered by the legislation must implement administrative, technical and physical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI) at all times. This includes the following contingency plans that establish policies and procedures for responding to emergencies or disaster situations that threaten systems containing ePHI:
- Disaster recovery plan (Required): Establish (and implement as needed) procedures to restore any loss of data.
- Data backup plan (Required): Establish and implement procedures to create and maintain retrievable exact copies of ePHI.
- Emergency mode operation plan (Required): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.
Building a strategy for disaster recovery can seem like a daunting task. Where do you start?
One of the simplest and most effective steps you can take to ensure you have a workable plan in place that covers all bases is to draw up a disaster recovery planning checklist. There are four essential steps your checklist should cover to ensure you are prepared for a disaster recovery situation. These are:
- Assign responsibility for overseeing primary data storage onsite as well as remote data storage (from where your data will be recovered in the event of a disaster).
- Enlist the services of a HIPAA-compliant data backup and disaster recovery solution provider. Data backup is not optional under HIPAA. As such, backing up your practice’s data with a HIPAA-compliant cloud storage provider is critical to effective disaster recovery planning.
- Document key contacts and information of all critical vendors, suppliers, partners, patients, clients and employees and determine alternative communication channels for remaining in contact with them should your primary channels be affected. In addition, document your hardware, software and equipment needs to continue operations in the event of a disaster.
- Create a recovery procedure which is ready to execute at a moment’s notice. The procedure should outline all steps, roles and responsibilities so everyone knows precisely what to do to retrieve any lost data and get the business back up and running.
For a more detailed walkthrough of these four steps, download your free Disaster Recovery Planning Checklist.
How and When to Update Your Disaster Recovery Plan and Checklist
Just like your patients need to have periodic checkups to ensure their continued dental health, so too does your disaster recovery plan to make sure your business will always remain functional in the teeth of any disaster that may loom on the horizon.
The fact is that the threat landscape is not static. New risks and dangers emerge constantly – particularly in the realms of cybersecurity. Your business is not static either. You may, for example, have recently relocated your office – what are the potential environmental threats (floods, hurricanes, etc.) in your new location?
You may have had staff changes over the past year (have they received full HIPAA training?), invested in new technology (is it HIPAA compliant?), or have regional regulatory standards to keep up to date with.
Without regularly reviewing your disaster recovery plan, you leave your business exposed to many risks. As such, at least once every twelve months, you must update your plan, accounting for any hardware, software, staffing or location changes that have occurred. You must also schedule regular dates to test the effectiveness of your disaster recovery plan so you can be sure it is fully functional on demand. All staff must also be fully trained in disaster recovery, so they understand their roles and responsibilities in any break-glass situation.
Talk to us here at Central Data Storage. We exist to help HIPAA-covered entities remain HIPAA compliant and survive all data disasters. We offer fully supported cloud backup and recovery solutions for dental practitioners, designed to get your business back up and running within two hours of any disaster, with a full data restore complete within 24 hours.
We also work hand in hand with our clients to ensure they always have a fully functional disaster recovery plan at the ready. Call 1-888-907-1227 or email firstname.lastname@example.org today.