The purpose of this document is to identify personnel and procedures to ensure continuity of NCSA business operations related to the Advanced Computational Health Enclave in case of an emergency or operational failure (e.g., building fire).
This plan will identify alternate work locations for key recovery staff, as well as procedures for operation of the organization with limited staffing for short periods of time. Specific HIPAA requirements addressed are: (1) procedures for maintaining backups of critical software or data; (2) critical business processes that must be continued in an emergency mode of operations; (3) how PHI is protected during an emergency mode of operations; and (4) how these plans are updated and maintained.
This document covers the Advanced Computational Health Enclave (ACHE) facilities and services only. Specific agreements with customers may require additional procedures and controls beyond those specified here. Currently these facilities are located in 2105 NCSA,1205 W. Clark St, Urbana, IL.
Key Personnel and Personnel Operations
This section of the document contains the primary business functions of NCSA and primary and backup personnel for each area of operations
Area of Operations
Primary Contact and Phone
Secondary Contact and Phone
Management and Approvals
*XX is also the HIPAA Liaison.
The primary alternate is the meeting room and office facility in NCSA room 2100. This assumes that whatever problem has occurred still allows face-to-face meetings in the main NCSA building. Access to the main NCSA building is available 24/7 by keycard.
If the main NCSA building is affected or personnel cannot meet face to face, all primary and secondary contacts have full home networking support. Technical support personnel will have access to securely managed laptops in order to provide remote technical assistance.
Should the main NCSA building be unavailable and face-to-face meetings required, the NPCF general conference room offers a suitable alternative. NPCF is staffed and accessible on a 24/7/365 basis, and NPCF features high-speed connectivity to the main NCSA building.
Key Equipment and Data
By default, all NCSA business data for systems within ACHE resides in a single building. NCSA is not the primary holder or originator of such data, and hence its loss does not affect critical health care operations. If customers have more stringent requirements, we can support individually encrypted data backups in our local CrashPlan instance, also within the same building. NCSA currently cannot support customers requiring an offsite, hot backup for complete disaster recovery.
The NCSA wiki contains the primary set of collaboration and emergency plans for operating systems in the ACHE. This system is backed up into multiple locations, and a day-old copy is kept on the laptops of two IT Services staff. Today those people are Matt Elliott and Douglas Fein. Note the documentation does not itself contain PHI (Protected Health Information).
All laptops used by primary and secondary key personnel must be taken home and kept available in case of emergency. All data from those laptops will be backed up with encryption into both data centers in an effort to make information available in case of loss of personnel or equipment during the crisis.
All other IT recovery and operational needs can be found in the Disaster Recovery Plan: https://wiki.ncsa.illinois.edu/display/ITS/IT+Services+Disaster+Recovery+Plans
First 24 hours
Staff will be notified of issues and procedures based on the state of the emergency. This information will go to the email@example.com mailing list if the scope of the event is NCSA-wide. If the scope only affects the HIPAA datacenter, then information may instead be sent to firstname.lastname@example.org, which includes all of the key personnel identified above.
Primary concern is the recovery of customer data and related cyberinfrastructure within the HIPAA datacenter deemed to be ePHI and/or critical to maintaining production operations in clinical healthcare settings. Any such critical data, if it exists, will be identified in this plan.
Facilities and the HR office will assess the state of the building and the need of personnel to get back to work as quickly as possible. This may generate tasks in case of certain emergencies. All information will be communicated via email@example.com and/or firstname.lastname@example.org. It will be rebuilt in case of the closure of campus mail to support secondary email addresses gained at the time of the issue (email addresses will be gathered by phone). NCSA Industry representatives will contact affected Business Associates directly.
Finance will make funds available and ready to handle issues and problems. $25,000 p-cards held by Deanna Spivey and Jean Soliday will be available for emergency purchases and repair work as needed.
Remote access to systems in the ACHE will not be restored until all security controls are restored and verified by the NCSA Security Office. If physical controls fail and it is safe to return to the facility, the building manager will either have person(s) from the covered entity watching the systems or move the systems to a secure facility with restricted access.
Second 24 hours
Operations will begin with generating an action plan and timeline for recovery from whatever has occurred; the action team will include all primary and secondary contacts available during the crisis.
Within this plan, concrete timelines for recovery of the ACHE operations space will begin. At this time the assumption is that all needed NCSA staff, including system operators and managers, will have home network and computer access. If this is not the case for any person, alternate accommodations will be provided for those workers, based on the type of emergency.
Implementation of the recovery plan with timelines provided to users and customers, campus personnel and NCSA staff will need to begin. Any building or space loss lasting more than two weeks will require alternate university accommodations to allow NCSA to rebuild any lost work or activities.
Updates and Testing
This plan should be updated and reviewed yearly with all changes documented, and PDF versions provided to all primary and secondary contacts in the plan. Those documents should be kept on their laptops available at any point a problem might occur. In addition, a version of the plan will be kept on the NCSA wiki, and in a shared box.com folder for all participants to have access when required.
It is the responsibility of the NCSA HIPAA Liaison to maintain this plan and perform drills and/or testing.