HSC Contingency Plan Policy


  • 8/2/2019 HSC Contingency Plan Policy

    The University of Illinois at Chicago Health Science Colleges

    Policies, Procedures, Forms, Guides

    POLICY NUMBER: 3 Contingency Plan Policy Version 3.0

    POLICY NUMBER: 3

    INFORMATION SYSTEMS SECURITY

    POLICY NAME: CONTINGENCY PLAN CONTROLS

    Responsible Office: HSC IT Group
    Effective Date: 10/31/2011
    Responsible Official: William Chamberlin
    Last Revision: 10/31/2011

    Policy Sections

    3.0 Purpose
    3.1 Policy Delegation
    3.2 Policy
        3.2.1 Data Backup Plan
        3.2.2 Disaster Recovery Plan
        3.2.3 Emergency Mode Operation Plan
        3.2.4 Testing and Revision Procedure
        3.2.5 Applications and Data Criticality Analysis
    3.3 Policies or Procedures Required by or Referencing this Policy
    3.4 Forms Required by or Referencing this Policy
    3.5 Guidelines Required by or Referencing this Policy
    3.6 Standards Required by or Referencing this Policy
    3.7 Violations
    3.8 Policy Authority
    3.9 Responsibility for Process and Procedure
    3.10 Compliance Monitor
    3.11 Special Situations/Exceptions
    3.12 Contacts
    3.13 Revision History

    3.0 Purpose

    The Health Science Colleges have adopted this policy to provide a framework for contingency planning within the Colleges. This Policy covers the contingency planning policy, application and data criticality, preventive measures, recovery strategy, data backup and disaster recovery planning, development and implementation of an emergency mode operation plan, and developing and testing revision procedures.

    This Policy is a statement of the minimum requirements, responsibilities, and accepted behaviors required to establish and maintain a secure technology environment within the Health Sciences Colleges, as well as to achieve the stated security objectives. This information security Policy emphasizes the Health Sciences Colleges' commitment to strong information security; any individuals who use the information technology resources of the Health Sciences Colleges or the University resources that they depend upon are required to adhere to this Policy.

    The University's Combined Covered Entity¹, including the Health Sciences Colleges, is committed to securing and protecting High Risk data² including electronic Protected Health Information (ePHI),³ in accordance with widely accepted information systems security best practices and standards including those established by the International Organization for Standardization and the International Electrotechnical Commission (IEC); the ISO/IEC 27000 series of Information Systems Security standards; the National Institute of Standards and Technology (NIST) Information Security Standards and Guides; and the Standards for Security and Privacy of individually identifiable health information established by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) subject to later modification by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 as part of the American Recovery and Reinvestment Act (ARRA) of 2009.

    1, 2, 3 See Covered Entity, High Risk data, and electronic Protected Health Information (ePHI) definitions in HSC Policy Definitions

    3.1 Policy Delegation

    An individual Health Science College may delegate the duties herein to departments or other units within the individual Health Science College, or to other campus units or external vendors. If a duty is delegated, then a Service Agreement defining what is delegated, to whom it is delegated, and the duties still required of the individual Health Science College will be identified.

    3.2 Policy

    3.2.1 Data Backup Plan

    a. The business units will establish and implement a Data Backup Plan that will detail all backups to be performed, media used for the backups, location used to store the backups, and that will allow for retrieval of copies of all data and files on systems in the event of an emergency, significant interruption, and/or disaster.

    b. The Data Backup Plan will require that a copy of all media used for the backups be stored in a physically secure location off-site.

    c. All individuals with specific responsibilities in the Data Backup Plan must be trained in those responsibilities.

    d. The Data Backup Plan will be documented and available to key personnel.

    3.2.2 Disaster Recovery Plan

    a. The individual Health Science Colleges and their business units will create a Disaster Recovery Plan with procedures to recover the Colleges' systems and data in a timely manner from an emergency, significant outage, or disaster such as fire, vandalism, terrorism, system failure, or natural disaster.

    b. The Disaster Recovery Plan will include procedures to restore data from backups, and the necessary steps and procedures to restore, recover, and resume Critical Levels⁴ 1, 2, and 3 processes, functions, and technology infrastructure components of the College.

    c. The Disaster Recovery Plan will include a set of procedures, plans, and details to be used for all identified contingencies, including emergency-mode operations planning. The recovery site, recovery responsibilities, and service levels, along with Recovery Point Objectives and Recovery Time Objectives, will be identified.

    d. All individuals with specific responsibilities in the Disaster Recovery Plan must be trained in those responsibilities.

    e. The Disaster Recovery Plan will be documented and available to key personnel. A complete copy of the current Disaster Recovery Plan, or copy of the portion pertinent to personnel performing recovery efforts, will be retained off-site in a reliably retrievable form by the relevant personnel as identified in the Plan.

    3.2.3 Emergency Mode Operation Plan

    a. Each business unit will establish procedures to enable continuation of business processes in Critical Levels⁵ 1, 2, and 3 to ensure protection of the security of ePHI while operating in an Emergency Mode.

    b. Additionally, a business unit may establish an Emergency Operation Plan to address matters besides ePHI such as continuing critical business operations requiring secure access to the more generic data class, High Risk Data.

    c. All individuals with specific responsibilities in the Emergency Mode Operation Plan must be trained in those responsibilities.

    d. The Emergency Mode Operation Plan will be documented and available to key personnel.

    4 See Critical Level definition in HSC Policy Definitions

    5 See Critical Level definition in HSC Policy Definitions

    3.2.4 Testing and Revision Procedure

    The Health Science College and the business units will establish a process to test the Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operations Plan. Testing should occur after all individuals with specific responsibilities have been trained in their respective roles and duties.

    3.2.5 Applications and Data Criticality Analysis

    The individual Health Science Colleges and their business units will assess the relative criticality of their specific applications and data in support of other Contingency Plan components.

    3.3 Policies or Procedures Required by or Referencing this Policy

    This: References:

    HSC Policy 4.2.4, Develop Data Backup and Storage Procedures 3.2.1

    3.4 Forms Required by or Referencing this Policy

    None

    3.5 Guidelines Required by or Referencing this Policy

    None

    3.6 Standards Required by or Referencing this Policy

    None

    3.7 Violations

    Any individual found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, regardless of tenure status.

    3.8 Policy Authority

    Health Science Colleges Information Technology Group

    3.9 Responsibility for Process and Procedure

    The Individual Health Science College Information Security Officer

    3.10 Compliance Monitor

    The Individual Health Science College Information Security Officer

    3.11 Special Situations/Exceptions

    Any exceptions to this policy must be approved by the College Information Security Officer or delegate.

    3.12 Contacts

    Subject                    Contact                                                           Phone
    Interpretation of Policy   Applied Health Sciences: Mike Kirda; Dr. Annette Valenta          312-996-8236; 312-996-1452
                               Dentistry: Jay Dean                                               312-996-7495
                               Medicine: Andre Pavkovic                                          312-413-1154
                               Nursing: Ursula Brozek; Bala Ramaraju                             312-996-8883; 312-355-3651
                               Pharmacy: Philip J. Reiter                                        312-996-4682
                               Public Health: Faith Davis; Dr. Sylvia Furner; La Don Reed        312-996-5019; 312-996-5013; 312-996-3891

    3.13 Revision History

    12/10/2007  Initial draft composed by College of Medicine: Ian Huggins, Robert McAuley, Andre Pavkovic

    3/25/2009   Reviewed and Approved by HSC IT Group
                College of Medicine: Robert McAuley, Andre Pavkovic, Ian Huggins.
                College of Applied Health Sciences: Mike Kirda, Dr. Annette Valenta.
                College of Dentistry: Jay Dean.
                College of Nursing: Bala Ramaraju.
                College of Pharmacy: Philip Reiter.
                School of Public Health: La Don Reed
                (with input by Academic Computing and Communications Center and University of Illinois Medical Center)

    3/03/2010   Updated 1.12 Contacts, completed first annual review of HSC Policies

    7/07/2011   10/2010 through 6/2011 HSC IT Group Review of Policies - Edited by Judith Grobe Sachs; Groups following consensus revisions summarized by Ian Huggins

    7/21/2011   Updated language by Mike Kirda, Judith Grobe Sachs, and Doug McCarthy

    8/19/2011   Updated language, added numbering and automatic table of contents, added cross-references by Doug McCarthy.

    10/31/2011  HSC IT Group approval of 10/2010 through 8/2011 Policy revisions, this completes the second annual review of the Policies.