Disaster Recovery (BCDR) Archives - Third Rock

Picking up the pieces after Hurricane Harvey

Julie Rennecker, PhD, BSN — Thu, 31 Aug 2017 14:30:38 +0000

While some of our Texas friends and neighbors began trickling back to their water-logged homes and businesses this week, others who have weathered the storm are just starting their evacuation journey as the continued rain, Harvey’s second landfall, and flooding from overflowing reservoirs continue to wreak havoc. Our thoughts and prayers go out to each of you.

Online resources abound for everything from insurance filing to accessing your personal health records. Here are a few we thought would be most helpful to our readers:

DisasterAssistance.gov is a disaster information clearinghouse, includes everything from instructions for filing a National Flood Insurance Program claim to links to other government resources that offer aid with food, housing, legal issues, loans – and even career development for those suffering loss of livelihood.

TMA – Texas Medical Association provides resources specific to physician practices, such as news about the impact on MIPS reporting and state waivers of some health insurance rules, as well as public health precautions.

Small Business Association site includes information on Disaster Loans and links to other government sites with particular emphasis on the needs of businesses.

We wish you all the best on the long journey ahead and will continue to share any information we believe could be helpful to those reconstructing their lives and businesses.

The Third Rock Team

The post Picking up the pieces after Hurricane Harvey appeared first on Third Rock.

Flooding: Are You Prepared?

Robert Felps — Fri, 25 Aug 2017 12:03:08 +0000

Here in Texas, the Gulf Coast is about to take a direct hit from a hurricane that is expected to dump up to 30 inches of rain in some locations and up to 10 inches across large areas. That kind of rain will definitely cause serious flooding. It’s a little late for the Texas coastal bend area and the large inland areas that will be hit the hardest to take planning steps for disaster recovery. They’re in emergency evacuation mode already, protecting life and reducing property damage. What we can learn from these tremendous forces of nature is that disaster recovery needs to be part of all businesses’ Standard Operating Procedures – including our own. What does this mean?

Make sure the backups of your critical data are current – and can be restored.
Make sure your important equipment – servers, workstations, laptops, medical equipment, etc. needed to perform regular work – is protected or stored above flood level.
Have a plan for communicating with co-workers and employees, including a list of phone numbers or a text group set up on your phone in advance.
Have a plan and the phone numbers for communicating with authorities – e.g. 911, police, fire department, EMS.
Have a plan outlining how to recover the core equipment and personnel necessary to bring your business and services back online.

The preferred approach is to create a Disaster Recovery (DR) plan. These can easily be 50 page documents, so it will take a lot of time and knowledge to create the plan. I would not suggest buying a template – these are typically instructions for creating a plan, not an actual plan.

To help you get started, here’s an outline from our own Disaster Recovery Plan.

We include a DR plan with our HIPAA compliance package. It’s required by the Federal government, so we help our clients by providing a ready to use DR plan. You still have to fill in your business’ specific information, but it will reduce your initial creation time by about 70%.

Join our free monthly newsletter to stay up-to-date on HIPAA and cybersecurity.

The post Flooding: Are You Prepared? appeared first on Third Rock.

Best Defense Against Ransomware is a Good Backup

Clint Eschberger — Tue, 16 May 2017 07:00:00 +0000

By now, most have heard or been affected by the WannaCry ransomware that has spread to over 150 countries at last count.

The WannaCry ransomware started taking over users’ files on Friday, demanding $300 to restore access.

Hundreds of thousands of computers have been affected so far. Computer giant Microsoft said the attack should serve as a wake-up call.

The first line of defense in this is always having a properly maintained firewall both on your network and on each individual computer system. However, as we all know, your network can and will be breached at some point, whether or not it is due to WannaCry or some other ransomware or virus; it will happen.

What is the best defense against ransomware and other malware?

A good backup!

It sounds simple, but amazingly most either are not doing backups or not verifying that the backup works. I worked with an organization that had been backing up for several years, but had never tested restoring the files. Well, they got hit with a bad virus, and it was determined that restoring the previous day’s backup would be the best way to recover. Unfortunately, the backup was corrupted and would not work. We went back to previous days and weeks, and none of their backups were good.

Having a backup is not good for anything if you can’t actually recover the data when you need it.

To get started, investigate business level backup systems that will work in your environment. It truly is a case by case basis on which backup system is right for your organization; depending on size, speed, hours, etc.
Schedule restore tests on a regular basis to make sure that you have a valid backup that you can recover from in the case of an attack.
Maintain the backup system to ensure that it is considered “mission critical” as it is the last line of defense for your entire business.

Bottom line: Stay ahead of ransomware by maintaining complete, working backups!

For questions about how to evaluate and improve your own backup practices or for a comprehensive Security Risk Assessment, contact us at info@ThirdRock.com.

The post Best Defense Against Ransomware is a Good Backup appeared first on Third Rock.

Healthcare under attack by new strain of ransomware

Robert Felps — Tue, 13 Sep 2016 14:00:12 +0000

FireEye Labs has identified massive email campaigns by cyber-criminals during Aug, 2016 containing the Locky ransomware embedded in DOCM attachments. DOCM is Open XML Macro-Enabled Document file used in Microsoft Word. Which means the file contains a macro which MS Word will execute when you open the file in MS Word. Healthcare is the leading industry targeted by the campaign.

The healthcare industry is now the “industry of choice” by cyber-criminals since Protected Health Information (PHI/ePHI) is worth hundreds of dollars per complete record and it’s vital to provide care to patients. Cyber-criminals once chased credit cards because stealing the credit card record was fairly easy and selling the stolen records on the dark web was simple and profitable. Then they moved on to PHI records because it was worth so much more on the dark web. But, cyber-criminals have been moving to ransomware because it garners immediate payment from the victims.

There have been a lot of blogs about ransomware hitting large hospitals or healthcare providers. That’s true, but cyber-criminals don’t care how big you are, they know all healthcare is a prime target that will pay. If you’re a single doctor’s office, a chiropractic, optometrist office, therapist, physician or surgeon your practice is a target. It’s important to take action now and protect your PHI.

Ronghwa Chong of FireEye Labs wraps up his report with “These latest campaigns are a reminder that users must be cautious when it comes to opening attachments in emails or they run the risk of becoming infected and possibly disrupting business operations.” If you’re not prepared to recover from ransomware, it can even cause severe cash flow interruption, loss of revenue and potentially impact healthcare services to your patients. Make sure you have a disaster recovery plan in place and your backups are secure and usable.

Plan of Action

Admit your healthcare business is a target of cyber-criminals.
Make sure your backups are current, working, secure and a full restore works. TEST THAT YOU CAN RESTORE FROM BACKUPS.
Understand that you (the owner, the doctor, compliance officer, and/or the office manager may be charged and jailed for HIPAA non-compliance.)
Understand that even with improved cyber-defenses you’re likely to experience a breach.
Improve your cyber defenses to prevent a breach.
Create a breach notification plan to guide you in the event of a breach – which is highly likely.
Work to become HIPAA compliant.
1. Perform a risk assessment (security risk analysis).
2. Work on the list of corrective actions identified in the risk assessment.
  1. This should include improving the cyber-security of your computers and network and training of staff.
3. Have the entire staff take HIPAA training that includes cyber-security.
4. Implement HIPAA policies and procedures for your business.

Take our Free risk assessment to find out what you need to do to protect your PHI and work towards HIPAA compliance.

Protect your patients, protect your practice, protect yourself.

Read the FireEye Labs report.

The post Healthcare under attack by new strain of ransomware appeared first on Third Rock.

HHS Releases New Guidance on Ransomware

Ed Jones, PMP, CHSP — Tue, 26 Jul 2016 14:00:03 +0000

One of the top news makers of 2016 has been ransomware. During the first half of this year, ransomware grew 300% to 4,000 daily attacks! But several high profile attacks of hospitals really put it in the spotlight. Although it has been around for several decades, in the past 4 years, Russian groups have further developed its capabilities and propagated its use worldwide. The dark web or darknet also significantly contributed to the increase in ransomware attacks due to its black market for such products.

It is typically delivered as a Trojan; that is it looks like a legitimate product or download, but in reality it is malware. It can be delivered encrypted so your antivirus software cannot detect it. Once on your network, it seeks your data and encrypts it so you cannot access it. Some recent versions encrypt your on-line backups first, then attack your active files to further increase the chance of you paying the ransom. Once your data is encrypted, a message will appear directing payment, usually in digital currency like Bitcoin. The FBI has established that specific versions of ransomware have netted their organizations at least $30 million, so if you are a victim, you can expect to see significant ransom demands. If their demands are met, the criminals say they will send you the key to decrypt your data. Numerous instances have been recorded where ransoms were paid and the key was not provided, and data is often stolen to further the culprit’s profits.

That is why Health and Human Services (HHS) has recently issued a new guidance on ransomware. The Guidance can be found at: http://www.hhs.gov/blog/2016/07/11/your-money-or-your-phi.html and the Fact Sheet: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

If you are the victim of ransomware, you will need to implement your contingency plan and rebuild your IT systems using your backups. Not nearly as trivial as the sentence implies! Do you have a contingency plan? If so, is it current? What about your backups? When is the last time they were tested, that means a full restore from the backup media? This is why practices are so vulnerable to ransomware and criminals can reap tens of millions of dollars. Take a hard look at your situation. Be realistic and get help if you are not prepared.

The post HHS Releases New Guidance on Ransomware appeared first on Third Rock.

Focus on Security: Backups – The Ultimate Cyber-Security Weapon

Robert Felps — Thu, 05 May 2016 14:00:46 +0000

Backups, we all believe and trust they are being performed regularly and will work if we ever need to restore our business after a natural disaster, malicious attack or cyber-attack, such as ransom-ware. The reality is backups are not historically reliable and they become out of sight, out of mind! You need to ensure they are being performed regularly and restoring from the backup media works. ePHI data is highly desirable by criminals because it is worth far more than credit card information on the black market. Because of its value, Covered Entities and Business Associates are now the targets of cyber criminals. With ransomware on a rampage and breaches highly likely, now is the time to take action.

Backups are the ultimate digital security or at least the first priority.

Backups protect you from data loss and potential business ruin.
- because of natural disasters
- because of human mistakes or malicious acts
- because of criminal acts such as ransomware or destructive malware.
They do NOT however, protect you from data theft.
- You still need to take steps to secure your data.
- Consider encryption at rest and in motion.
- Implement a security plan that includes anti-virus, firewalls, password management, education, HIPAA compliance testing, Vulnerability testing and File Integrity Monitoring.

Steps to a safer more secure data life.

Perform backups on a regular schedule; nightly, weekly, monthly and quarterly.
Ensure the backups are stored in a safe and secure location, whether it’s physical media or offsite or cloud based.
- Do NOT store physical media near heat, water, sunlight or magnetic fields.
- Do NOT store data offline or in the cloud without good encryption.
- Redundant cloud storage is the most reliable media.
Verify the correct data is being backed up.
Encrypt the backed up data with at least 128 bit encryption, but 256 bit would be better.Verify the backed up data can be restored and used.
Check your backup reports daily to make sure the backup worked.

Hope this helps ensure you protect your patients, your practice and yourself.

The post Focus on Security: Backups – The Ultimate Cyber-Security Weapon appeared first on Third Rock.

After the Risk Assessment, Then What? How Often Do I Need to Check?

Gordon Taylor — Tue, 16 Feb 2016 15:00:59 +0000

As we noted previously, there are numerous requirements for HIPAA compliance. A follow-up question often heard is “How often do I have to do these things?”

Risk assessments officially need to be performed on an annual basis but regularly reviewing your risk remediation plan throughout the year is a business “best practice” for any organization.

Policies and Procedures need to be reviewed and changed depending upon federal law changes and changes in your organization. New processes, new technologies, new locations may require revisions to your Policies and Procedures.

Monitoring of your networks and equipment needs to be done at least weekly for most organizations. Any aberrations or irregularities in system configurations or file integrity identified in your networks or equipment should be addressed immediately. Additionally, an inventory of your networks and equipment should be done at least annually with quarterly updates or after major IT procurements.

Privacy and security training should be done at least annually for all staff and with all new hires. Any changes to the organization should be accompanied by refresher classes. New employees need to be HIPAA trained within 30 Days.

Contingency plans should be reviewed annually, making sure plans and options for data back-up, disaster recovery, and emergency mode operation are all still viable strategies for the organization in the event of an interruption to the normal course of operations.

If you are interested in knowing where to start, try Third Rock’s HIPAA Quick-Check, This is a mini-risk assessment that will let you know very quickly your level of HIPAA compliance regarding the major areas of HIPAA(annual risk assessments, training, current policies and procedures, contingency plans, encryption of data, continuous monitoring of devices, etc.). Remember, this is not a full risk assessment; it is just a Quick-Check^™.

Articles in the series:

How to get Started: Risk Assessment
Breach Detection
Education
Data Protections
Planning for Emergency Events
How Often Do I Need to Check? (This Article)

Sign up for our newsletter on the right side of this page to learn more and stay informed about HIPAA and cyber security.

The post After the Risk Assessment, Then What? How Often Do I Need to Check? appeared first on Third Rock.

After the Risk Assessment, Then What? Planning for Emergency Events

Gordon Taylor — Fri, 12 Feb 2016 14:45:13 +0000

As we noted previously, there are numerous requirements for HIPAA compliance. Being prepared for future emergency events is often identified in the Risk Assessment as a HIPAA compliance requirement that needs to be addressed.

Preparing for future events is often overlooked by many healthcare entities. Just dealing with the issues of the day can take up the majority of your time. However, being prepared for future events, besides being a HIPAA requirement, also makes good business sense.

What HIPAA calls “Contingency Planning” is what most businesses call “business continuity/disaster recovery.” Continued daily operations – data back-up, disaster recovery, and emergency mode operation are all required by HIPAA. The testing of these contingency plans is highly recommended. All of these are elements of business continuity/disaster recovery.

Planning for unexpected, natural or man-made disasters, allows your business to be prepared for such potential events. Other things to consider include:

Emergency Plans vs. Disaster Recovery Plans
Remote collocations make life easier.
The cloud makes data storage easier.
Move to secure, encrypted local, remote (co-lo) and cloud backups.
Have a diagram of the top two tiers of applications, the servers, and networks to recover them.
Auto failover simplifies testing, just fail over quarterly to your backup location.

With high-speed networks, remote locations, co-location data centers, and cloud services – it is now far easier to plan for disaster recovery as you roll-out new hardware and services.

In addition to Contingency Planning, Breach Awareness/Notification Planning needs to be in place as well. In the event of a data breach involving unsecured PHI, there are requirements regarding

the notification of individuals whose PHI has been breached,
time frames for such notification,
manner of notification,
and content of information contained in the notification.
If the breach involved more than 500 individuals in one state, notices to the media are required.
In most cases, notification to the federal Department of Health and Human Services (HHS) is required.

Having a plan in place ahead of time to address all of these requirements is essential to a healthcare entity. Here’s an outline from our Disaster Recovery Plan to help you get started.

Articles in the series:

How to get Started: Risk Assessment
Breach Detection
Education
Data Protections
Planning for Emergency Events (This Article)

Sign up for our newsletter on the right side of this page to learn more and stay informed about HIPAA and cyber security.

The post After the Risk Assessment, Then What? Planning for Emergency Events appeared first on Third Rock.

Road Blocks to Creating Your Contingency Plan

Robert Felps — Tue, 25 Nov 2014 19:49:33 +0000

Why Everyone Needs Help Creating a BC/DR (Contingency) Plan

Creating a contingency plan is a huge undertaking. It’s a major project for any company, small or large. It’s a major project for any company, small or large; an integration effort which requires a large amount of time from experts across the company and often outside the company, including executives, managers, staff, vendors and consultants.

While creating a contingency plan for a large health care provider I realized part of the problem is psychological. The decision makers were struggling to start the project, even though they clearly understood the need to have a contingency plan. Just like understanding the 5 stages of grief helps us deal with a significant loss in our lives, I thought maybe a list of the road blocks would help “step” leaders and team members through their reluctance of creating a contingency plan. Maybe I should rename this “The Five Stages of Contingency Planning Procrastination”.

Based on my observations, here are the top road blocks to creating a contingency plan.

We are forced to face the reality of a crisis or disruptive action in our lives.
1. Pulling our heads out of the sand is scary.
2. It forces the issue of death; ours, people we care for and our business/livelihood.
3. Swift massive disruptions in our lives are frightening.
It is a large complex integration effort that requires substantial resources.
1. Which means it is difficult to organize.
2. The all-encompassing aspect makes it difficult to get our arms and head around it.
3. Therefore we are not confident of the amount of effort and time required.
4. We must admit we can’t do it alone.
5. We often have to seek and find expert advice and assistance.
It incites holistic confusion.
1. We don’t know where to start.
2. We don’t know what we don’t know.
Difficult to justify until there is a disruptive event.
1. By documenting policies and procedures, utilizing technology that simplifies operations and recovery, and prioritizing what’s important to keep the doors open, we actually improve daily operations.
2. We don’t recognize that the process of creating a contingency plan forces us to review and improve the company’s strategy and operations to improve overall company performance.
It is an insurance policy, and we all love to buy insurance!
1. Insurance as a “necessary evil” and we tend to procrastinate buying it because “I am reliable and careful”.
2. Why waste time on something we may never use.

If you don’t have a contingency plan for your business, you should start now. Here’s a simple outline to help you get started.

Plan Outline

Robert Felps has created business continuity and disaster recovery plans (contingency plans) for single doctor healthcare practices to multi-billion dollar healthcare companies. His latest effort has been a ready to use Contingency Plan for the healthcare industry. It is a plan that takes about 16 hours to update and be usable, as opposed to the standard 140+ hours to create a plan yourself starting with a template. For more details visit Third Rock’s BC/DR page or contact Third Rock at info@thirdrock.com.

The post Road Blocks to Creating Your Contingency Plan appeared first on Third Rock.

Outgrowing the “As Needed” Technology

Clint Eschberger — Fri, 11 Apr 2014 00:38:12 +0000

All organizations have been there, that start-up company that is more worried about making a profit than what its technology plan is for the next year, let alone three plus years. When you are a small company with a few employees or maybe even just yourself, it is easy to get in to the routine of simply grabbing a solution to fit the need you have at that moment.

Honestly, there is no reason to even try to change someone’s mind that is going about their technology purchases in an “as needed” basis. Sure it is nice to be able to plan something and get a budget ready to support the business, but that is not feasible because as anyone who has started a business knows, that “business plan” changes daily if not hourly early on, as does the tools that you need to support those changes.

Not to mention when you are starting a business, you are not always in the position to have a “budget” for long term technology plans.

Where Things Go Wrong

The issue is not starting out in the “as needed” mode it is getting into the “strategic” mode to where your technology matches your business needs, not to mention many other concerns.

When your organization went out and grabbed software, networking gear, hardware, etc. most likely there was little concern in…

Security
Scaling to fit growth
Compliance
Availability
Disaster Recovery
Right tool for the job
Team (access, sharing)
…and much more

The problem is not “just” that those areas may not have been the “right fit” it how do you move from the “as needed” platform to where you need to be? It is not always a simple rip and replace. Obviously, you want to avoid costing downtime for your team which costs your productivity and ultimately your bottom line.

There has to be a plan to not only find the right tools for your organization, but how to get there with the minimal impact on your business.

“IT” Technology is a Business Decision

A lot of organizations moving from that small business into medium sized organizations and even enterprises often make the mistake of thinking that technology decisions should be taken care of by the “IT” department and in some cases that department is an “IT Guy”. That generally will get you just a step beyond the “as needed” IT and into a “what did we get?” solutions.

Business technology has to be a business decision and planned as any other area of business would be planned.

Business Impacts

Budget – Technology can have a negative impact that can really grow if you get the wrong solutions.
Efficiency – The right solution can increase you productivity and actually contribute to your business growth. The wrong technology can stunt your business growth.
Compliance – Your CFO will thank you for making sure that all your data and technology is compliant to the standards. Nothing like shelling out 100’s of $1000 for not being compliant. This is becoming a huge focus through-out the industry after major breaches like, Target.
Business Continuity – How long can your business last if a key technology that your business relies on? Making sure that you can recover from a disaster before your business goes “out of business” is one of those things that is a bit critical.

Don’t Think “I can’t afford it, RIGHT NOW”

Many growing organizations feel they can’t afford a big change in their technology infrastructure right now. No one is saying that you have to do it all right now. That is not always feasible. However it is important to change how you do things.

Before going and getting that next “as needed” piece of technology, sit down with your executive team and either your in-house IT “guy” whether it be a CIO/CTO, Architect, etc. or a Solutions Architect Consultant.

Now you can put a plan in place to get on the right track, discuss what technology will best fit your business, stay within a budget (and what that budget is), and keep your business IN BUSINESS!

The post Outgrowing the “As Needed” Technology appeared first on Third Rock.