Department of Family & Community Medicine School of Medicine University of California, San Francisco

Contingency Plan Procedures

Revision: A Issue Date: 4/1/05 Last Revision:

1.0 Purpose

The purpose of the Contingency Plan Procedures is to support the restoration of operations, computing resources, and critical data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency. The HIPAA Security Rule that governs this procedure is: 164.308(a)(7)(i) Contingency Plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. Procedures defined in this document include:

Application and Data Criticality Assessment (section 3.2) Data Backup Plan (section 3.3) Disaster Recovery Plan (section 3.4) Emergency Mode Operations Plan (section 3.5) Contingency Plan Testing and Revision (section 3.6)

2.0 Definitions

2.1 Contingency plan: Management policy and procedures designed to maintain and restore business operations, including computer operations, possibly at an alternate location, in the event of system failures, emergencies, or disaster. 2.2 Workforce: All faculty, staff, students, trainees, volunteers, and business associate who access restricted or confidential information during the course of their duties. 3.1 Contingency Operations Plan: Computer system managers, system owners, and unit and department managers must implement procedures for developing a plan to allow physical access to facilities in which restricted or confidential information is housed in the event of an emergency. Refer to the Facility Access Controls Procedures for further details. 3.2 Application and Data Criticality Assessment: System managers and owners must implement procedures for assessing the criticality of applications and data files. 3.2.1 Define Preliminary System Information: Define the organization name, system name and system manager point of contact. Provide a description of the system including purpose,

3.0 Procedures & Responsibilities

If this is a paper copy, it is uncontrolled, and you must verify the on-line revision level before using. Contains Proprietary Information and is for the use of UCSF only.
Page 1

of 11

Department of Family & Community Medicine School of Medicine University of California, San Francisco

Contingency Plan Procedures

Revision: A Issue Date: 4/1/05 Last Revision:

architecture and any supporting system diagrams. 3.2.2 Identify System Points of Contact: Identify and coordinate with internal and external points of contact associated with the system to characterize the ways that they depend on or support the IT system. When identifying the points of contact, it is important to include organizations that provide or receive data from the system as well as contacts supporting any interconnected systems. This coordination should enable you to characterize the full range of support provided by the system, including security, managerial, technical, and operational requirements. 3.2.3 Identify System Resources: Identify the applications, data files, and IT resources critical to the objectives listed in the emergency mode operations plan. 3.2.4 Identify critical roles: List the critical roles of the individuals identified in the Emergency Mode Operations Plan and the Disaster Recovery Plan. 3.2.5 Develop recovery priorities: Based on the results of the criticality assessment, categorize applications by order of criticality based on contingency resource allocations and expenditures, time, effort and costs. 3.3 Data Backup Plan: System managers and owners must implement procedures for developing a data backup plan to ensure the availability, integrity, and security of data. 3.3.1 Identify critical data files to backup: List critical files identified from the application and data criticality assessment. 3.3.2 Define backup frequency: Define the frequency of full and incremental backups respective to each application and operating system. 3.3.3 Define retention period: Define the retention period respective to each application, operating system, taking into consideration the frequency of full and incremental backups for each one. 3.3.4 Identify offsite storage: If offsite storage is required, identify a secured facility in which backups will be stored. 3.3.5 Define backup retrieval process: Identify the individuals who are authorized to request a retrieval of backup from the secured facility. Identify the method of transporting
If this is a paper copy, it is uncontrolled, and you must verify the on-line revision level before using. Contains Proprietary Information and is for the use of UCSF only.
Page 2

of 11

Department of Family & Community Medicine School of Medicine University of California, San Francisco

Contingency Plan Procedures

Revision: A Issue Date: 4/1/05 Last Revision:

retrieved backups from the secured facility. 3.4 Disaster Recovery Plan: System managers and owners and unit and department managers must implement procedures for developing a disaster recovery plan. 3.4.1 Define Notification process. Include a list of the affected teams and decision-makers involved in the disaster recovery effort. 3.4.2 Identify Activation team: Identify the team members responsible for performing contingency plan activation. 3.4.3 Define Damage Assessment procedures: List procedures utilized to perform damage assessment. 3.4.4 Define procedures for Restoring Applications and Data using backup copies in sequence relative to the application criticality assessment. 3.4.5 Identify Deactivation team: Identify team to perform contingency plan deactivation. 3.5 Emergency Mode Operations Plan: System managers, system owners and unit and department managers must identify critical business processes, implement reasonable security procedures for critical business processes consistent with procedures employed during normal mode of operations, and ensure the protection of ePHI while operating in emergency mode. 3.6 Contingency Plan Testing and Revision: System managers, system owners and unit and department managers must implement procedures for testing and revising contingency plans: 3.6.1 Identify contingency plan elements to test: List the selected elements identified within the contingency plan that must be tested and periodically revised to ensure that all of the elements of the contingency plan remain current and are effective. 3.6.2 Define test objectives: List the specific objective for each test element and the overall test plan. 3.6.3 Identify test participants and roles: List each test participant and the specific roles they are to perform within the test. 3.6.4 Define test scenario: List the specific scenario that will be utilized for the test. In determining the scenarios consider both the worst-case incident and those incidents that are most
If this is a paper copy, it is uncontrolled, and you must verify the on-line revision level before using. Contains Proprietary Information and is for the use of UCSF only.
Page 3

of 11

Department of Family & Community Medicine School of Medicine University of California, San Francisco

Contingency Plan Procedures

Revision: A Issue Date: 4/1/05 Last Revision:

likely to occur. Test scenarios should mimic reality as closely as possible. List the time frames associated with each test element and for each of the test participants. 3.6.5 Execute test and document results of test: Test results and lessons learned should be documented and reviewed with the test participants and other personnel as appropriate. 3.6.6 Revision of Contingency Plan: To be effective, the plan must be maintained in a ready state that accurately reflects system requirements, procedures, organizational structure, and policies. Periodic reviews of the plan must be conducted in addition to reviews whenever there are changes affecting: 4.0 Initiation and Control Reporting 5.0 Records & Documentation Control 6.0 Related Documents A copy of the Contingency Plan must be stored offsite, remote from the systems for which contingencies have been developed. Operational requirements Security requirements Technical procedures Changes of hardware, software, and other equipment Changes with alternate facility requirements Changes with team members and team members contact information

If this is a paper copy, it is uncontrolled, and you must verify the on-line revision level before using. Contains Proprietary Information and is for the use of UCSF only.
Page 4

of 11

Department of Family & Community Medicine School of Medicine University of California, San Francisco

Contingency Plan Procedures

Revision: A Issue Date: 4/1/05 Last Revision:

Document Name HIPAA Security Rule: Contingency Plan

University of California Business and Finance Bulletin IS-3 Electronic Information Security

UCSF Information Security and Confidentiality Policy

UCSF Medical Center Administrative Policy - Information Security and Confidentiality Policy Special Publication: Contingency Planning Guide for Information Technology Systems - National Institute of Standards and Technology (NIST) Presentation at January 22, 2004 CSC Workshop #3 on Contingency Planning System Management Procedures

Procedure No. 164.308(a)(7) http://www.ucsf.edu/hipaa/d ept_compliance/ BFB IS-3 http://www.ucsf.edu/hipaa/d ept_compliance/ or http://www.ucop.edu/ucoph ome/policies/bfb/is3.pdf 650-XX http://www.ucsf.edu/hipaa/d ept_compliance/ 5.01.04 http://www.ucsf.edu/hipaa/d ept_compliance/ SP 800-34 http://www.ucsf.edu/hipaa/d ept_compliance/ http://www.ucsf.edu/hipaa/d ept_compliance/ 60-001 http://www.ucsf.edu/hipaa/d ept_compliance/

REVISION RECORD
Rev. A Date 12/17/04 Originated by: Mark Monaghan and Jim Grubb Description of Change Initial Release, modified to match SOM template.

If this is a paper copy, it is uncontrolled, and you must verify the on-line revision level before using. Contains Proprietary Information and is for the use of UCSF only.
Page 5

of 11

Department of Family & Community Medicine School of Medicine University of California, San Francisco

Contingency Plan Procedures

Revision: A Issue Date: 4/1/05 Last Revision:

Appendix A: Application and Data Criticality

Organization Name System Name System Manager System Description

Step 3.2.1 Define System Information

Preliminary System Information

System Points of Contact

Step 3.2.2 Identify System POC

Points of contact for system

Applications Data Fields Other IT resources

Step 3.2.3 Identify System Resources

System Resources

Point of contacts Critical System Resources

Step 3.2.4 Identify Critical Roles

Critical Roles

Applications & Data Backup Copies Application Criticality Assessment

Step 3.2.5 Develop Recovery Priorities

Recovery Priorities

If this is a paper copy, it is uncontrolled, and you must verify the on-line revision level before using. Contains Proprietary Information and is for the use of UCSF only.
Page 6

of 11

Department of Family & Community Medicine School of Medicine University of California, San Francisco

Contingency Plan Procedures

Revision: A Issue Date: 4/1/05 Last Revision:

Appendix B: Data Backup

Critical files requiring backup Paths to critical files All applications requiring data backup by operating system Full and incremental backup requirements All applications requiring data backup by operating system Full backup requirements Incremental backup requirements

3.3.1 Identify Critical Files to Backup

Critical Backup Master List

3.3.2 Define Backup Frequency

Backup Schedule by Application, Operating System

3.3.3 Define Retention Period

Data Retention Schedule by Application, Operating System

Offsite storage location(s) address, phone number, contacts

3.3.4 Identify Offsite Storage L i

Offsite Storage Location Contact List

Individuals authorized to retrieve backups Transport method for delivering

3.3.5 Define Backup Retrieval Process

Backup Retrieval Procedures

If this is a paper copy, it is uncontrolled, and you must verify the on-line revision level before using. Contains Proprietary Information and is for the use of UCSF only.
Page 7

of 11

Department of Family & Community Medicine School of Medicine University of California, San Francisco

Contingency Plan Procedures

Revision: A Issue Date: 4/1/05 Last Revision:

Appendix C: Disaster Recovery Plan

Contingency Plan Coordinator Alternate CPC Network, Database, Telecommunications and Server Recovery Team

Step 3.4.1 Define Notification Process Plan Notification Sequence

Team members responsible for performing contingency plan activation.

Step 3.4.2 Identify Activation Team

Activation Team List

Sequence and process identified in Contingency Plan

Step 3.4.3 Define Damage Assessment Procedures

Damage Assessment Procedures

Process identified in Contingency Plan

Step 3.4.4 Define Procedures for Restoring Applications and Data

Procedures for Restoring Applications and Data

Deactivation Team

Step 3.4.5 Identify Deactivation Team

Deactivation Team List

If this is a paper copy, it is uncontrolled, and you must verify the on-line revision level before using. Contains Proprietary Information and is for the use of UCSF only.
Page 8

of 11

Department of Family & Community Medicine School of Medicine University of California, San Francisco

Contingency Plan Procedures

Revision: A Issue Date: 4/1/05 Last Revision:

Appendix E: Emergency Mode Operations

Recovery Objectives as determined by Application and Data Criticality Plan Procedures employed during normal mode of operations

Step 3.5 Define Emergency Mode Operations Plan

Emergency Mode Operations Plan Objectives

If this is a paper copy, it is uncontrolled, and you must verify the on-line revision level before using. Contains Proprietary Information and is for the use of UCSF only.
Page 9

of 11

Department of Family & Community Medicine School of Medicine University of California, San Francisco

Contingency Plan Procedures

Revision: A Issue Date: 4/1/05 Last Revision:

Appendix F: Contingency Plan Testing and Revision

Input

Contingency Plan Testing and Revision Activities 3.6.1 Identify Contingency Plan Elements to Test

Output

Selected elements that require testing

Contingency Plan Test Elements

Test Elements Test Objective Criteria, including: Effectiveness of system recovery on an alternate platform from backup media Effectiveness of coordination among recovery teams System functionality using alternate equipment System performance using alternate equipment Effectiveness of procedures for restoring to normal operations Effectiveness of notification procedures

3.6.2 Define Test Objectives

Contingency Plan Test Objectives

Test participants and roles they will perform in completing the test

3.6.3 Identify Test Participants and Roles

Contingency Plan Test Team and Roles

Specific scenario for each test

3.6.4 Define Test Scenarios

Contingency Plan Test Scenarios

If this is a paper copy, it is uncontrolled, and you must verify the on-line revision level before using. Contains Proprietary Information and is for the use of UCSF only.
Page 10

of 11

Department of Family & Community Medicine School of Medicine University of California, San Francisco

Contingency Plan Procedures

Revision: A Issue Date: 4/1/05 Last Revision:

Input

Contingency Plan Testing and Revision Activities

Output

Contingency plan test plan Contingency plan test results

3.6.5 Execute Test & Document Test Results

Documented Test Results

Changes in: Operations Security requirements Technical procedures Technical infrastructure Alternate facility requirements

3.6.7 Revise Contingency Plan

Revised Contingency Plan

If this is a paper copy, it is uncontrolled, and you must verify the on-line revision level before using. Contains Proprietary Information and is for the use of UCSF only.
Page 11

of 11