Archive for August, 2011

Disaster Recovery planning can be high tech and low tech

 

It has been a turbulent week on the East Coast.  We have had a rare 5.9 earthquake and have been hit by a Category 1 hurricane that has left millions without power and caused major flooding. So naturally I have been thinking about Disaster Recovery.  It really takes extreme cases like the past week to get people thinking about disasters and Disaster Recovery.  But the truth is that disasters happen every day.  There are fires and floods and explosions that impact businesses every day.

But since large, powerful, eye-opening events really get people thinking about disasters, I will seize the moment and use it to help people start thinking about Disaster Recovery planning.  Disaster Recovery planning is not easy. The exercise is to plan for something you don’t know exists, without being able to anticipate the environmental, physical and human actions involved. But before you get discouraged, you can start planning for things that you think might happen even if you don’t know the exact chain of events.

 

Categories of disasters

When I look at Disaster Recovery planning I like to put each disaster into 1 of 2 categories.  The first category is a temporary disruption in a business’ ability to access its server/network infrastructure.  This could be the result of an extended power outage that shuts the servers down. Or it may be the result of a flood that makes travel to the office impossible for employees and also disrupts network communication and remote access, such as a failed T1, DSL or cable modem.  Both of these scenarios leave a business and its employees temporarily without access to the network, data and applications.  The second category is more serious and involves destruction of a business’ server/network infrastructure.  This could be the result of a fire, flood, explosion, earthquake, etc.  The business’ servers and network are permanently destroyed.

You will notice that splitting disasters into 2 categories allows for planning of multiple scenarios without having to know the exact cause of the disaster.  It makes Disaster Recovery planning much easier.

 

Data replication

One of the key parts of ensuring that you have a Disaster Recovery plan is to figure out how you are going to access critical data in the event that your servers/network are either temporarily or permanently inaccessible.  In this post I go into detail on Disaster Recovery planning which includes data replication and utilizing alternate locations to run duplicate infrastructure. The details of the post will give you good insight into some of the alternatives.

 

Communications

But another key part of Disaster Recovery planning is much less high tech.  In fact it is probably very low tech and almost as important.  In a disaster one of the worst outcomes is that a business’ employees may not have the ability to communicate with each other.  For example, if there is a widespread power outage and your business primarily relies on email to communicate, your email server may be down and this will not be an option.  Secondly, as more and more people move away from landline phones (Verizon, AT&T, etc.) to voice over IP (VoIP) such as Vonage and phone service through cable companies, FIOS, etc., power outages cause people to lose their home phone access. When the power is out, Internet and phone are also out.  The third point is that as we rely on cell phones more and more for communications we are very susceptible to a disruption in cell service.  After the recent earthquake, millions rushed to their cell phones to make calls only to find that calls would not go through. Unfortunately the reality is our cell phone infrastructure has major problems with extremely high volumes of calls, and in disasters that is exactly the amount of volume to expect.  So a business might face the scenario where email is down and employees can’t be reached via home and cell phones. The issue is critical if you cannot communicate with employees.

Let’s take a low tech approach to communications and see if some basic planning can help.  Prior to the recent hurricane, Entegration did some basic planning to ensure that all employees could communicate in the event of a disaster.  Here are some of the steps we took:

  1. Ensure that we had an up-to-date contact list with all home phone numbers, cell phone numbers and home addresses (yes, driving to a person’s house is a viable option if there is no other way to communicate with them).
  2. Every employee set up an alternate email address (via Gmail, Hotmail, Yahoo mail, etc.).  We set up the address as First Name Last Name Company Name.  For example ArtGEntegration@hotmail.com.  In the event our primary email server went down and we could not communicate via Exchange/Outlook or our smartphones, we could still communicate via alternate email providers.  These email services are free and very easy to set up. And with smartphones, tablets and wireless network ability, access to these services is very straightforward and easy even in the event of a power outage.  We ensured that our contact list as mentioned in bullet 1 had both the primary and secondary email address for each employee.

 

Social Networks

Other alternatives are to utilize social networks such as Facebook, Twitter, LinkedIn and Google+ to communicate.  Adding social networks to the above options increases your chances of being able to communicate.

 

Summary

So hopefully this will get you thinking about Disaster Recovery planning.  In summary:

  1. Break disasters into categories (temporary and permanent disruptions of service).
  2. Focus on communication strategies that will enable all employees to communicate in the event of a disaster.
  3. Plan data replication and alternate locations to run critical business functions.

 

Image via Flickr posted by www.gisuser.com


Anyone can fall victim to a phishing attack

I woke up this morning to see that while I was sleeping I somehow managed to send out about 100 Twitter direct messages with a message saying:

“You look different in this photo. http://t.co/NglQQu1”

Needless to say, I didn’t actually send the direct messages and was a victim of a phishing scam.  I received the same message yesterday from a friend on Twitter and read it while I was on the phone. I clicked on the link and realized I wasn’t logged into Twitter (I use HootSuite).  So when prompted for my email and password I entered both.  The page looked identical to the real Twitter login page.  I was then greeted with a weird page.  I realized something was wrong but continued on my phone conversation.

When I woke up and saw all the Twitter messages on my phone I realized that my account was hacked and when I logged into Twitter yesterday it must have been a phishing attack that captured my email and password. I immediately changed my Twitter password.

If you received a message from me I want to apologize.

Yes, I wrote about how to avoid being a victim of a phishing attack and I then became a victim myself. Ironic? Yes! Embarrassing? Yes!

I am just glad the damage was minimal and the phishing attack didn’t lead to something more serious.

Be safe out there. Phishing is real and anyone can be a victim. And with the implicit trust that comes with social networks it is even easier to be a victim.


Details of the HIPAA audits

Health Info Security has published the transcript from an interview with Susan McAndrew of the Department of Health and Human Services’ Office for Civil Rights. The article is very good and should be read in its entirety. Below are some of the key points.

When asked if business associates as well as covered entities will be part of the 150 audits, McAndrew responded:

Eventually. I’m not sure whether business associates will be part of the initial selection process because they are a little more difficult to obtain information about. We don’t have a list or a registry yet of who is a business associate. We’re still strategizing as to how to collect information about business associates to make a meaningful selection, but we certainly are looking to KPMG to have protocols developed to give us the capability of auditing business associates.

It’s unclear at this point whether or not we will be able to conduct and test the business associate protocols. We are hopeful of being able to do so. The primary focus is going to be on the protocols for the covered entities and proving the audit results with regard to covered

It should be interesting to see how they collect the list of business associates. Will they require each covered entity to identify their own business associates?

When asked if the audits will be looking for general compliance or more specific issues of compliance, McAndrew replied:

However, at least initially, because we’re very interested in assuring that the protocols are complete and provide comprehensive feedback to us on the degree of compliance, we will be focusing primarily on more comprehensive aspects of compliance

This can be read to mean that they will be looking at how closely an organization complies with the HIPAA regulations. At a high level this may include policies and procedures, when the last risk assessment was conducted, employee training, incident response procedures, etc.

When asked about onsite audits and if results will be publicly published, she responded:

The model that we’re testing is your typical onsite audit. … There will definitely be advanced notice to the entity. There will usually be advanced request for documentation and survey material from the covered entity so that the auditor can best use their time onsite to focus in on what they need to do and the people they need to talk to onsite. And then, as is typical following the onsite visit, the auditors, if they need to, will collect more information. They will complete their draft report. Typically the draft report is shared with the covered entity before it’s final, and the covered entity’s responses to the findings of the auditor would be incorporated as part of the final audit report.

We haven’t decided that (publishing results publicly) yet. Part of this whole endeavor is to have an evaluation component where we can be assured that the information that we are getting through this audit process is accurate and meaningful.

That said, whether we do it in summary form or publish the individual report similar to the way that the inspector general does with their audit materials still needs to be worked out. I think that we will be looking at that very closely as part of our evaluation criteria.

So audits will be onsite and the organization will have advance notice. Draft reports will be prepared prior to publication. It is not clear whether the results will be published for each audit or only as a summary. Will this turn into another wall of shame?

And finally, McAndrew gives organizations insight into how to prepare for the coming audits:

But this is certainly an opportunity for the covered entities to review their policies and procedures to make sure that they are complete and up-to-date. Also, the way that they are managing the information, whether it’s in computerized files or good old-fashioned paper records, make sure that they are fully documenting what’s being done with the information and how it’s being managed and safeguarded. The [HIPAA] security rule has its own requirements for risk analysis and risk management programs. …

Through the experience that we’ve been having with covered entities on breaches and incident response plans, [those plans] need to be up-to-date and flexible, as well as emergency backup systems. I think this is just another opportunity for covered entities to take a moment from their busy, busy days and do a self-assessment. We think that this will help them down the road in terms of building their own capacity for a robust compliance program, training of individuals and making sure that there is awareness throughout the entity of their security and privacy rules and responsibilities.

So she recommends:

  • Creating or reviewing the appropriate policies and procedures
  • Performing a risk assessment as well as a risk management program (implementing the results of the risk assessment)
  • Creating incident response plans
  • Training employees and implementing an employee awareness program

Good advice for every organization!
