I recently sat in on a webinar that focused on Data Breach Violations and how HIPAA and HITECH Data Backup rulings are affecting how risks are managed more and more. The subject matter was particularly directed towards healthcare and insurance professionals, but the basic information certainly applies to payroll and HR professionals and their use of HRIS software systems. Any time there is an exchange or storage of information, there need to be safeguards in place to ensure that the administration of the data, the physical safety of the data, and the technical handling of the data are all secure. The most recent HIPAA-HITECH rulings require that compliant entities report to the Department of Health and Human Services any time there is a breach in security of ePHI (electronic protected health information). We should all operate as if our mistakes were going to end up published by a government agency policing our work!
While payroll and HR departments will not often be subjected to audits by Health and Human Services, we should certainly consider it best practice to follow their recommendations and establish a policy for disasters. First, do not think that data backup is optional: it is mandatory! Next, that backed-up data must be encrypted and recoverable. If your data is compromised, render it useless to a thief by encrypting it. If you have a disaster, you need to be able to restore your backed-up data. 70% of attempted restores from backup fail: the data was not successfully stored, or was stored in a manner that renders it unrecoverable.
How do you know if your data is recoverable? Test your procedures! Once you establish a plan for mandatory, regular, frequent backups, lay out an emergency mode operation plan in writing. Regularly take backups (which should be stored off site - and that does not mean on a thumb drive that you carry around in your purse!!!) to your recovery site and attempt to do a restore. Prove, on a regular basis, that your backups will be there if you need them.
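To make "encrypted and recoverable" concrete, here is an added example, not code from the original post, of what a scripted restore drill looks like: the file set is packed, sealed with AES-256-GCM, and then the drill decrypts it, unpacks it, and checks every file against a SHA-256 manifest taken at backup time. The file names and contents are constructed, the key is generated on the spot (in practice it comes from a key store kept apart from the backup media), and JSON stands in for a real archive format such as tar; all of these are assumptions of the example, not anything described by the author.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
)

// Manifest maps each backed-up path to the SHA-256 of its contents at backup time.
type Manifest map[string]string

func hashOf(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// Archive serialises the file set (path -> contents) and records the
// manifest. JSON stands in for tar here to keep the example short.
func Archive(files map[string][]byte) ([]byte, Manifest, error) {
	man := Manifest{}
	for name, data := range files {
		man[name] = hashOf(data)
	}
	blob, err := json.Marshal(files)
	return blob, man, err
}

func Unarchive(blob []byte) (map[string][]byte, error) {
	var files map[string][]byte
	err := json.Unmarshal(blob, &files)
	return files, err
}

// gcm builds an AES-256-GCM AEAD; the key must be exactly 32 bytes.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the archive as nonce || ciphertext+tag. GCM authenticates,
// so a modified or truncated backup refuses to open instead of restoring junk.
func Seal(key, plain []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plain, nil), nil
}

// Open decrypts and verifies a blob produced by Seal.
func Open(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("backup shorter than a nonce")
}

// RestoreDrill is the "attempt to do a restore" step: decrypt, unpack and
// compare every file to the manifest. A non-nil error means this backup would not have saved you.
func RestoreDrill(key, sealed []byte, man Manifest) error {
	plain, err := Open(key, sealed)
	if err != nil {
		return fmt.Errorf("decrypt: %w", err)
	}
	files, err := Unarchive(plain)
	if err != nil {
		return fmt.Errorf("unpack: %w", err)
	}
	for name, want := range man {
		if data, ok := files[name]; !ok || hashOf(data) != want {
			return fmt.Errorf("restore of %s does not match manifest", name)
		}
	}
	return nil
}

func main() {
	files := map[string][]byte{"payroll/2024-06.csv": []byte("emp_id,net_pay\n1001,2500.00\n")} // constructed sample
	key := make([]byte, 32)
	io.ReadFull(rand.Reader, key) // in practice the key lives apart from the backup media
	blob, man, _ := Archive(files)
	sealed, _ := Seal(key, blob)
	fmt.Println("restore drill:", RestoreDrill(key, sealed, man))
}
```

Run the drill against the copy that actually sits at the recovery site, not the one on the server you just backed up, and on a schedule: a drill that passes once proves nothing about next quarter's media. Because the sealed blob is authenticated, the drill also fails on a backup that was silently truncated or altered in transit, which is exactly the class of "stored in a manner that renders it unrecoverable" failure the 70% figure refers to.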
If you actually do have a disaster and find that you need to operate in emergency mode, make sure you continue your safeguards even while you are limping along. Internal controls can’t take a break just because you have suffered a data loss event. Your recovery time should be under the same strict controls that you observed when operations were normal. Develop a plan, test it, and stick to it!
Susan Warren, CPP