
Document Name: NCSA Business Continuity Plan for the Advanced Computational Health Enclave
Version: 1.0
Accountable: Adam Slagell
Authors: Adam Slagell
Approved:   

Purpose

The purpose of this document is to identify personnel and procedures to ensure continuity of NCSA business operations related to the Advanced Computational Health Enclave in case of an emergency or operational failure (e.g., building fire).


This plan will identify alternate work locations for key recovery staff, as well as procedures for operation of the organization with limited staffing for short periods of time. Specific HIPAA requirements addressed are: (1) procedures for maintaining backups of critical software or data; (2) critical business processes that must be continued in an emergency mode of operations; (3) how PHI is protected during an emergency mode of operations; and (4) how these plans are updated and maintained.

Scope

This document covers the Advanced Computational Health Enclave (ACHE) facilities and services only. Specific agreements with customers may require additional procedures and controls beyond those specified here. Currently these facilities are located in 2105 NCSA, 1205 W. Clark St, Urbana, IL.

Key Personnel and Personnel Operations

This section of the document contains the primary business functions of NCSA and the primary and backup personnel for each area of operations.

| Area of Operations | Primary Contact and Phone | Secondary Contact and Phone |
|---|---|---|
| Management and Approvals | Randy Butler*, 217-898-9347 | Dan Lapine, 217-244-9294 |
| Facilities | Tedra Tuttle, 217-722-1830 | Mo Rantissi, 217-300-6326 |
| Security | Jim Eyrich, 217-265-6867 | Alex Withers, 631-745-4097 |
| NCSA Industry | Neil Andrews, Office: 217-300-2097, Mobile: 815-919-1284 | Brendan McGinty, Office: 217-244-6020, Mobile: 217-722-3430 |
| Human Resources | Emily Scherbring, 618-889-3398 | |


*XX is also the HIPAA Liaison.

Operational Locations


The primary alternate is the meeting room and office facility in NCSA room 2100. This assumes that whatever problem has occurred still allows face-to-face meetings in the main NCSA building. Access to the main NCSA building is available 24/7 by keycard.


If the main NCSA building is affected or personnel cannot meet face to face, all primary and secondary contacts have full home networking support. Technical support personnel will have access to securely managed laptops in order to provide remote technical assistance.


Should the main NCSA building be unavailable and face-to-face meetings required, the NPCF general conference room offers a suitable alternative. NPCF is staffed and accessible on a 24/7/365 basis, and NPCF features high-speed connectivity to the main NCSA building.

Key Equipment and Data


By default, all NCSA business data for systems within ACHE resides in a single building. NCSA is not the primary holder or originator of such data, and hence its loss does not affect critical health care operations. If customers have more stringent requirements, we can support individually encrypted data backups in our local CrashPlan instance, also within the same building. NCSA currently cannot support customers requiring an offsite, hot backup for complete disaster recovery.


The NCSA wiki contains the primary set of collaboration and emergency plans for operating systems in the ACHE. This system is backed up into multiple locations, and a day-old copy is kept on the laptops of two IT Services staff. Today those people are Matt Elliott and Douglas Fein. Note the documentation does not itself contain PHI (Protected Health Information).


All laptops used by primary and secondary key personnel must be taken home and kept available in case of emergency. All data from those laptops will be backed up with encryption into both data centers in an effort to make information available in case of loss of personnel or equipment during the crisis.

All other IT recovery and operational needs can be found in the Disaster Recovery Plan: https://wiki.ncsa.illinois.edu/display/ITS/IT+Services+Disaster+Recovery+Plans

Operation Plan

First 24 hours

Staff will be notified of issues and procedures based on the state of the emergency. This information will go to the all-ncsa@ncsa.illinois.edu mailing list if the scope of the event is NCSA-wide. If the scope only affects the HIPAA datacenter, then information may instead be sent to hipaa-bcp@ncsa.illinois.edu, which includes all of the key personnel identified above.


The primary concern is the recovery of customer data and related cyberinfrastructure within the HIPAA datacenter deemed to be ePHI and/or critical to maintaining production operations in clinical healthcare settings. Any such critical data, if it exists, will be identified in this plan.


Facilities and the HR office will assess the state of the building and the need of personnel to get back to work as quickly as possible. This may generate tasks in case of certain emergencies. All information will be communicated via hipaa-bcp@ncsa.illinois.edu and/or ncsa-bcp@ncsa.illinois.edu. If campus mail is closed, the mailing list will be rebuilt to support secondary email addresses gained at the time of the issue (email addresses will be gathered by phone). NCSA Industry representatives will contact affected Business Associates directly.


Finance will make funds available and ready to handle issues and problems. $25,000 p-cards held by Deanna Spivey and Jean Soliday will be available for emergency purchases and repair work as needed.


Remote access to systems in the ACHE will not be restored until all security controls are restored and verified by the NCSA Security Office. If physical controls fail and it is safe to return to the facility, the building manager will either have person(s) from the covered entity watching the systems or move the systems to a secure facility with restricted access.

Second 24 hours

Operations will begin with generating an action plan and timeline for recovery from whatever has occurred; the action team will include all primary and secondary contacts available during the crisis.


Within this plan, concrete timelines for recovery of the ACHE operations space will begin. At this time the assumption is that all needed NCSA staff, including system operators and managers, will have home network and computer access. If this is not the case for any person, alternate accommodations will be provided for those workers, based on the type of emergency.

First week

Implementation of the recovery plan will need to begin, with timelines provided to users and customers, campus personnel and NCSA staff. Any building or space loss lasting more than two weeks will require alternate university accommodations to allow NCSA to rebuild any lost work or activities.

Updates and Testing

This plan should be updated and reviewed yearly with all changes documented, and PDF versions provided to all primary and secondary contacts in the plan. Those documents should be kept on their laptops so that they are available at any point a problem might occur. In addition, a version of the plan will be kept on the NCSA wiki and in a shared box.com folder, so that all participants have access when required.


It is the responsibility of the NCSA HIPAA Liaison to maintain this plan and perform drills and/or testing.
