The University of Illinois at Chicago Health Science Colleges

POLICY NUMBER: 3
INFORMATION SYSTEMS SECURITY
POLICY NAME: CONTINGENCY PLAN CONTROLS

Responsible Office: HSC IT Group
Effective Date: 10/31/2011
Responsible Official: William Chamberlin
Last Revision: 10/31/2011

Policy Sections
3.0 Purpose ... 2
3.1 Policy Delegation ... 3
3.2 Policy ... 3
3.2.1 Data Backup Plan ... 3
3.2.2 Disaster Recovery Plan ... 3
3.2.3 Emergency Mode Operation Plan ... 4
3.2.4 Testing and Revision Procedure ... 5
3.2.5 Applications and Data Criticality Analysis ... 5
3.3 Policies or Procedures Required by or Referencing this Policy ... 5
3.4 Forms Required by or Referencing this Policy ... 5
3.5 Guidelines Required by or Referencing this Policy ... 5
3.6 Standards Required by or Referencing this Policy ... 5
3.7 Violations ... 5
3.8 Policy Authority ... 5
3.9 Responsibility for Process and Procedure ... 6
3.10 Compliance Monitor ... 6
3.11 Special Situations/Exceptions ... 6
3.12 Contacts ... 6
3.13 Revision History ... 7

POLICY NUMBER: 3 Contingency Plan Policy Version 3.0 Page 1 of 7

3.0 Purpose

The Health Sciences Colleges have adopted this policy to provide a framework for contingency planning within the Colleges. This Policy covers the contingency planning policy, application and data criticality, preventive measures, recovery strategy, data backup and disaster recovery planning, development and implementation of an emergency mode operation plan, and developing and testing revision procedures.

This Policy is a statement of the minimum requirements, responsibilities, and accepted behaviors required to establish and maintain a secure technology environment within the Health Sciences Colleges, as well as to achieve the stated security objectives. This information security Policy emphasizes the Health Sciences Colleges' commitment to strong information security; any individuals who use the information technology resources of the Health Sciences Colleges, or the University resources that they depend upon, are required to adhere to this Policy.

The University's Combined Covered Entity [1], including the Health Sciences Colleges, is committed to securing and protecting High Risk data [2], including electronic Protected Health Information (ePHI) [3], in accordance with widely accepted information systems security best practices and standards, including those established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); the ISO/IEC 27000 series of Information Systems Security standards; the National Institute of Standards and Technology (NIST) Information Security Standards and Guides; and the Standards for Security and Privacy of individually identifiable health information established by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), subject to later modification by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 as part of the American Recovery and Reinvestment Act (ARRA) of 2009.

[1], [2], [3] See Covered Entity, High Risk data, and electronic Protected Health Information (ePHI) definitions in HSC Policy Definitions.

3.1 Policy Delegation

An individual Health Science College may delegate the duties herein to departments or other units within the individual Health Science College, or to other campus units or external vendors. If a duty is delegated, then a Service Agreement defining what is delegated, to whom it is delegated, and the duties still required of the individual Health Science College will be identified.

3.2 Policy

3.2.1 Data Backup Plan

a. The business units will establish and implement a Data Backup Plan that will detail all backups to be performed, the media used for the backups, and the location used to store the backups, and that will allow for retrieval of copies of all data and files on systems in the event of an emergency, significant interruption, and/or disaster.
b. The Data Backup Plan will require that a copy of all media used for the backups be stored in a physically secure location off-site.
c. All individuals with specific responsibilities in the Data Backup Plan must be trained in those responsibilities.
d. The Data Backup Plan will be documented and available to key personnel.

3.2.2 Disaster Recovery Plan

a. The individual Health Science College and its business units will create a Disaster Recovery Plan with procedures to recover the College's systems and data in a timely manner from an emergency, significant outage, or disaster such as fire, vandalism, terrorism, system failure, or natural disaster.
b. The Disaster Recovery Plan will include procedures to restore data from backups, and the necessary steps and procedures to restore, recover, and resume Critical Levels [4] 1, 2, and 3 processes, functions, and technology infrastructure components of the College.
c. The Disaster Recovery Plan will include a set of procedures, plans, and details to be used for all identified contingencies, including emergency-mode operations planning. The recovery site, recovery responsibilities, and service levels, along with Recovery Point Objectives and Recovery Time Objectives, will be identified.
d. All individuals with specific responsibilities in the Disaster Recovery Plan must be trained in those responsibilities.
e. The Disaster Recovery Plan will be documented and available to key personnel. A complete copy of the current Disaster Recovery Plan, or a copy of the portion pertinent to personnel performing recovery efforts, will be retained off-site in a reliably retrievable form by the relevant personnel as identified in the Plan.

3.2.3 Emergency Mode Operation Plan

a. Each business unit will establish procedures to enable continuation of business processes in Critical Levels [5] 1, 2, and 3 to ensure protection of the security of ePHI while operating in an Emergency Mode.
b. Additionally, a business unit may establish an Emergency Operation Plan to address matters besides ePHI, such as continuing critical business operations requiring secure access to the more generic data class, High Risk Data.
c. All individuals with specific responsibilities in the Emergency Mode Operation Plan must be trained in those responsibilities.
d. The Emergency Mode Operation Plan will be documented and available to key personnel.

[4] See Critical Level definition in HSC Policy Definitions.
[5] See Critical Level definition in HSC Policy Definitions.

3.2.4 Testing and Revision Procedure

The Health Science College and the business units will establish a process to test the Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operations Plan. Testing should occur after all individuals with specific responsibilities have been trained in their respective roles and duties.

3.2.5 Applications and Data Criticality Analysis

The individual Health Science College and its business units will assess the relative criticality of their specific applications and data in support of other Contingency Plan components.

3.3 Policies or Procedures Required by or Referencing this Policy

This Policy, section 3.2.1, references HSC Policy 4.2.4, Develop Data Backup and Storage Procedures.

3.4 Forms Required by or Referencing this Policy

None

3.5 Guidelines Required by or Referencing this Policy

None

3.6 Standards Required by or Referencing this Policy

None

3.7 Violations

Any individual found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, regardless of tenure status.

3.8 Policy Authority

Information Technology Group

3.9 Responsibility for Process and Procedure

The Individual Health Science College Information Security Officer

3.10 Compliance Monitor

The Individual Health Science College Information Security Officer

3.11 Special Situations/Exceptions

Any exceptions to this policy must be approved by the College Information Security Officer or delegate.

3.12 Contacts

Subject: Interpretation of Policy

College                  Contact                Phone
Applied Health Sciences  Mike Kirda             312-996-8236
                         Dr. Annette Valenta    312-996-1452
Dentistry                Jay Dean               312-996-7495
Medicine                 Andre Pavkovic         312-413-1154
Nursing                  Ursula Brozek          312-996-8883
                         Bala Ramaraju          312-355-3651
Pharmacy                 Philip J. Reiter       312-996-4682
Public Health            Faith Davis            312-996-5019
                         Dr. Sylvia Furner      312-996-5013
                         La Don Reed            312-996-3891

3.13 Revision History

12/10/2007  Initial draft composed by College of Medicine: Ian Huggins, Robert McAuley, Andre Pavkovic.
3/25/2009   Reviewed and approved by HSC IT Group. College of Medicine: Robert McAuley, Andre Pavkovic, Ian Huggins. College of Applied Health Sciences: Mike Kirda, Dr. Annette Valenta. College of Dentistry: Jay Dean. College of Nursing: Bala Ramaraju. College of Pharmacy: Philip Reiter. School of Public Health: La Don Reed (with input by Academic Computing and Communications Center and University of Illinois Medical Center).
3/03/2010   Updated 1.12 Contacts; completed first annual review of HSC Policies.
7/07/2011   10/2010 through 6/2011 HSC IT Group review of Policies. Edited by Judith Grobe Sachs; the Group's following consensus revisions summarized by Ian Huggins.
7/21/2011   Updated language by Mike Kirda, Judith Grobe Sachs, and Doug McCarthy.
8/19/2011   Updated language, added numbering and automatic table of contents, added cross-references by Doug McCarthy.
10/31/2011  HSC IT Group approval of 10/2010 through 8/2011 Policy revisions; this completes the second annual review of the Policies.