• Continuity
  • Metadata
  • Ensure continuity of operational systems during adverse situations
  • Ensure continuity of employee operations during adverse situations
  • Activate Emergency Mode
  • Treat systems in order of criticality
  • Train, test and revise continuity plans
  • Enforcement
  • References

Continuity

MedStack Confidential

Metadata

• responsible officer: CTO
• date
  • effective: 2018-06-20
  • revised: 2018-05-15
  • reviewed: 2018-06-20

Ensure continuity of operational systems during adverse situations

• Use cloud providers for operational systems
  • They have world-leading protections for information security continuity.
  • Delegate responsibility for physical infrastructure to them.
  • Use geographic redundancy where appropriate to reduce the impact of the loss of a data centre.
• Maintain information security protection
  • Protect data during emergencies, even as it is protected during normal operations.
• Evaluate
  • the expected length of the emergency
  • the scale of the emergency
• Ensure customer access to information
  • Restore systems in order of criticality.
  • Re-create operational systems from backups and images as needed.
  • Use alternative data centres and geographic regions as appropriate and as permitted.
• Communicate with affected customers
  • Alert them to the expected length, scale, and actions that will be taken.
  • Update them immediately as systems are restored or re-created.
  • If systems still cannot be accessed for eight hours, update them.
  • Update them daily until the data is restored or is deemed to be permanently lost.
  • Update them if information is permanently lost.

Ensure continuity of employee operations during adverse situations

• Protect employees
  • Prioritize the safety of employees in adverse situations.
  • In a dangerous emergency, evacuating personnel has priority over preserving information assets.
  • Follow standard emergency procedures and notify authorities as necessary.
• Restore availability
  • Notify other employees of the situation and emergency protocols.
  • Travel and transport essential equipment to a location that is not affected.
  • Replace essential equipment as necessary.
  • Re-establish connections with the internet in order to resume technical activities.
• Continue business operations
  • Enable continuation of critical business processes for the protection of information.
  • Notify third parties, such as insurance carriers and damage restoration suppliers.
  • Acquire alternative facilities if necessary.
• Roles and responsibilities
  • CTO
    • Information and communications technology
    • Physical Security
    • Utilities
  • CEO
    • Mail and couriers
    • Contact with customers
    • Transportation
    • Business records
    • Legal issues
    • Supplier and partner relations
    • Media relations

Activate Emergency Mode

• during prolonged adverse conditions
  • after eight hours of
    • non-availability of employee facilities
    • non-availability of cloud infrastructure
  • due to
    • electrical power failure
    • earthquake, fire, flood, storm or other natural disaster
    • sabotage, terrorism, vandalism
    • any other adverse condition

Treat systems in order of criticality

• Restore in order of customer criticality
  • Follow documented criticality.
  • Reprioritize in case of customers who have communicated an emergency with immediate health consequences.
• Restore in order of system criticality
  • 1: customer access to backups
  • 2: production systems
  • 3: staging systems
  • 4: development systems

Train, test and revise continuity plans

• Train employees in disaster preparation and recovery, and knowledge of responsibilities in the event of a disaster.
• Periodically test, and revise as necessary, all emergency preparedness plans, including emergency and contingency plans.

  Code	Section	Title	Text
  ISO	A.17.1.3	Verify, review and evaluate information security continuity	The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title	Text
ISO	A.17.1	Information security continuity	Objective: Information security continuity shall be embedded in the organization's business continuity management systems.
ISO	A.17.1.1	Planning information security continuity	The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.
ISO	A.17.1.2	Implementing information security continuity	The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.
CHI	SR86	Testing Business Continuity Plans	Organizations hosting components of the EHRi must regularly test and maintain business continuity plans by regular reviews to ensure that they are up to date and effective.
HIPAA	164.308(a)(7)	Contingency plan	(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. (ii) Implementation specifications: (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data. (C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. (D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans. (E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.
HIPAA	164.310(a)(2)(i)	Contingency operations	Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
HIPAA	164.312(a)(2)(ii)	Emergency access procedure	Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

November 13, 2019

Powered by