Not having an emergency mode operations plan to ensure the continuation of critical business processes that must occur to protect the availability and security of ePHI immediately after a crisis situation

Risk: Not having an emergency mode operations plan to ensure the continuation of critical business processes that must occur to protect the availability and security of ePHI immediately after a crisis situation.


Explanation: The functioning of healthcare processes, including ePHI, is always a tug of war between security safeguards and security threats. Security can be compromised at any time, by either extrinsic or intrinsic threats, which might compromise the functioning of your entire business operations.
Having an emergency mode helps you carry out critical operations, keep your practice operating and secure the integrity of your ePHI in the event of an emergency. Emergency operation allows access controls, data backups, access logging and encryption to continue while other things go down. If your practice does not have an effective emergency mode, you might not be able to provide services to end users in the event of an emergency. In addition, not being able to carry out important business processes may compromise the security of your processes and ePHI even further.

Primary Mitigation: Primary mitigation of this risk may include:

  • Establish and implement the set of procedures that enable you to carry out important business processes, like the functioning and security of ePHI, when operating in an emergency mode.
  • Employ audited and automated override of access control mechanisms and implement Role Based Access Control (RBAC) for an emergency.
  • Establish a plan that determines the activities and related requirements (for instance, processes, roles and responsibilities) for full system restoration.

Secondary Mitigation: Test the continuity of operations in emergency mode at regular intervals, so that the system can be promptly shifted to emergency mode when needed.

Success Criteria: Your ability to readily shift to emergency mode in cases of system collapse, run critical operations and maintain ePHI security marks the success of emergency mode establishment and implementation.

Source: www.gpo.gov