Disaster Recovery Plan prepared for an organization
Introduction
The term “disaster” refers either to a natural disaster such as fire or flood or to a man-made disaster such as equipment failure or a cyber-attack. The Disaster Recovery Plan is a document that outlines ways in which an organization can deal with sudden critical situations. Issues related to computer and network systems might arise because, in the digital age, rapid intrusions into computer systems are being witnessed. Sudden disasters are likely to obstruct the daily operations of a firm. Therefore, companies build data centers so that business operations can be conducted or transferred in times of crisis. The D.R. plan ensures business continuity, and it is necessary to assess the practical needs before designing or implementing the plan. Functions within the firm might be mission-critical, and the D.R. plan ensures the continuity process. In this paper, one such plan shall be created for CVS Health, one of the leading healthcare firms based in the USA. The prepared plan shall be presented to the executive board of the company.
Company background
US-based CVS Health is a healthcare company that operates in the healthcare and retail industries (Cvshealth.com, 2020). It was founded in 1996 in Woonsocket, the U.S. It mainly serves regions of the United States and Puerto Rico. At present, the number of operating locations of the company is 9,967. As of 2019, the company has generated revenue of US$256.776 billion. A few of the subsidiaries of the firm are CVS Pharmacy, CVS Caremark, Longs Drugs, Omnicare, CVS Specialty, and others. The company has been expanding since its inception, and it offers a line of healthcare products. It is listed at number eight in the Fortune 500 list of companies of 2019. As per recent data, the company has 300,000 employees. It has been regarded as the innovator of healthcare services, and the purpose is to enhance the health outcomes of its customers. The cost and quality of services are never compromised, and therefore it has managed to create an impact on its customers’ lives. Under the Medicare Quality Standards and the HIPAA Security Rule, healthcare providers are supposed to ensure the safety of their stakeholders, and the company is obligated to create a recovery plan to mitigate the critical issues that might arise in the firm.
Outlining the need for the Disaster Recovery Plan
The healthcare provider deals with a lot of patient or customer-related information. Computer systems are used for storing drug data, files, and records, along with business details. Issues might occur if patients’ data or drug-related information gets deleted. Since the organization operates in the retail sector as well, it is necessary to use computers for data storage, data retrieval, clinical trial management, computational modeling, recording of money-related transactions, profit estimation, and financial analysis. Loss of vital data might cost a big corporation like CVS Health more than $700,000. The organization might also experience significant downtime, mainly because of hardware errors or power outages. As per the DRP Council, 35% of issues occur due to human error, and 34% occur due to malware or virus attack. As per the National Institute of Standards and Technology or NIST, a D.R. plan plays a vital role in safeguarding the daily operations of a firm. It also provides a guideline regarding the sequence of disaster recovery. After the completion of the plan, it is vital to test the plan and verify the accuracy of its information.
The Disaster Recovery Plan
The Contingency Plan, alternatively known as the D.R. Plan, is going to ensure a proper response to any kind of man-made disaster, and it will minimize the harmful effects of a sudden disruption. After preparing the information, it is necessary to choose a safe place for storing the document. The disaster recovery team at CVS Health is supposed to store the plan in an accessible off-site location. It would be effective to consider two options while preparing the D.R. plan: cloud-based services or recovery services. The former would be easy to deploy and would not cost much. The plan is outlined below:
- Identification of major goals of the plan- The goals of the D.R. plan are to minimize the number of daily interruptions, review normal operations, limit damage and disruption, and, most importantly, re-establish alternative operations. The company should also train its personnel in emergency procedures, and this should be one of the critical goals of CVS Health because training ensures smooth operations. Services should be restored as fast as possible after any significant disruption.
- Recording the identities of the personnel- It would be feasible to create a table that will consist of a record of the company’s data processing personnel. Three tables can be created, and each must outline the name, position, address, and contact information of the personnel. The company can keep a copy of its organization chart along with the plan so that the roles and responsibilities of key personnel can be identified.
- Application profile- It is one of the key considerations of the D.R. Plan, and it will mainly consist of the application name, the criticality of the application, presence or absence of the fixed asset, manufacturer information, and any other additional comments. It would be feasible to utilize the DSPSFWRSC or Display Software Resources to complete the requirements of the application profile.
- Inventory profile- Another vital component of the plan is the inventory profile, as it can be utilized to report and track the progress of items. In this case, healthcare services related items can be stored because the company engages in delivering healthcare products. The inventory profile would also be effective in accounting for the inventory quantities. It would be feasible to use the WRKHDWPRD or Work with Hardware Products command so that the table of the inventory profile can be completed.
- Backup procedures- This is one of the easiest ways of backing up, and it mainly involves copying the log files and the database and transferring the copies to a remote offline area for storage. It will be useful during times of crisis. Data deletion or data corruption might occur at any instant, and backup procedures would ensure data retrieval. It mainly involves archiving and copying of the computer data.
- D.R. procedures- Three vital elements can be incorporated or addressed in the D.R. plan. The procedures mainly involve emergency response, backup operations, and recovery actions. In case of emergencies such as natural disasters or a sudden cyber-attack, it is vital to document the situation so that lives can be protected. Similarly, in the case of backup operations, the necessity of ensuring the normal state of operations immediately following a disruption also arises. Again, after the sudden disruption, there is a need to facilitate the restoration of the data processing systems. Under the recovery action procedures, a checklist can be prepared to understand the primary actions after the disaster.
- Recovery in case of the mobile site- In the case of a mobile site, the company should focus on notifying the nature of the incident along with the necessity of choosing a mobile site plan. Within 48 hours, telephone notifications must be confirmed. Moreover, there is a need to confirm the availability of backup media so that the backup machine can be loaded. Communication needs must be clarified beforehand, and power must be set up on the mobile site. Necessary checks must be conducted by plugging into communications every time. The company might have to bear considerable costs to recover the lost information, and therefore, it is necessary to begin normal operations on time. Normal operations mainly involve daily jobs and daily saves, along with weekly saves. The experts are supposed to plan a schedule so that they can back up the system. The mobile site must be secured, and it is crucial to keep a maintenance log for the mobile equipment.
- Recovery in case of the hot site- Within the D.R. plan, a hot site plan can be an alternative way of system backup. The hot site will be used on a temporary basis only, during the re-establishment of the main site or home site. The same rule applies in the case of a hot site: the need to notify the kind of disaster and to keep the communication channels open arises again. One vital task would be reviewing the checklist prior to departing with the materials. The D.R. team must be equipped with the necessary information. Communication procedures at the hot site should be well established, and the normal operations, including daily jobs and daily saves, should be restored as fast as possible.
- System restoration- In most cases, the entire computer system might get hacked, and the recovery process requires the knowledge of system restoration. Before starting the system restoration process, the incident response team should find the vital save media, equipment along with information related to on-site tape vault. Here, save media mainly refers to recently saved configuration, journal receivers, PTF list, day-to-day saved operation, history logs from the recently saved operation, weekly saved operation, and day-to-day saved operation.
- The rebuilding process- In this case, it is the responsibility of the management team to begin the assessment process and reconstruct the data center as efficiently as possible. The rebuilding process should primarily include the need assessment and an outline of available resources. For instance, the requirement of the number of computer equipment should be outlined. Moreover, the effectiveness of upgrading the systems must be questioned during the rebuilding process. Identification of any alternative site is vital as well. Lastly, the rebuilding process requires an estimated time in order to construct or repair the entire data site. Therefore, the estimated time should be identified, as well.
- Testing the D.R. plan- It is not enough to develop the D.R. process and directly implement it. The need for testing the prepared plan also arises. The success of the contingency plan depends on the results of evaluation. The volatile nature of the data processing operations will create issues during documentation. Nevertheless, the plan should be regarded as a fluctuating plan, and the team should be open to changes in the last moment. In order to conduct a recovery test, a few questions must be answered. It involves the purpose of the test, objectives, support, and availability of the management, end results, and, most importantly, evaluation of the results.
- Rebuilding the site- The site where the operations will be resumed is the disaster site, and while rebuilding the disaster site, it is vital to use information related to the data center floor plan, recent hardware requirements along with security and power requirements. Vendors and floor-related information must be specified objectively, and a copy of the floor plan must be kept aside. The power, security, and square footage requirements of different data centers are not the same. Therefore, these needs must be detected early before beginning the process of site rebuilding.
- Recording of changes- Lastly, the plan should be current, and records of recently made changes should be kept in the system configuration, applications, as well as backup schedules or procedures.
Possible outcomes of the D.R. plan
After implementing the D.R. plan, four benefits can be assured. Firstly, the plan would ensure cost efficiency, and secondly, it would increase the productivity levels of the team members. Customers can be retained in large numbers, and the firm would understand the scalability of the plan. Corrective measures will help the organization restore its data and handle the aftermath of the crisis. The team can analyze the upcoming threats and ensure the maintenance of I.T. systems. Success of the plan depends on the degree of focus of the entire team. Innovative solutions to issues are necessary. Data centers might remain down for several days after the occurrence of the disaster. Therefore, a big healthcare service provider like CVS Health will be severely affected if its operations do not resume within 24 hours after the incident. If the plan is solid, restoring the functionality of the firm is likely. Various advantages exist when D.R. is used as a service. The company can co-locate its D.R. infrastructure inside the data center. Compliance with the HIPAA regulations is vital for the firm.
Further, testing the D.R. plan on a regular basis will also ensure the success of the plan at the right time. The company should not consider the well-tested D.R. plan as another option. Rather, it should be regarded as a necessity because the company is operating within a data-driven environment. D.R. as a service will be highly accessible as well as affordable to all kinds of firms irrespective of their size. CVS Health operates in the healthcare industry, and a sudden hit from ransomware could cost thousands of dollars. Security should be a top priority in the digital age. The modern security techniques might be effective; however, without creating a culture of compliance, it is impossible to keep going. Mitigation of disasters might be challenging; however, preparation is crucial to deal with worst-case scenarios. The prepared plan can help address the security needs of the healthcare organization by availing the right resources.
Conclusion
It can be concluded that the D.R. plan would resolve many computer system related issues of CVS Health only if the incident response team collaborates effectively. The digital era is witnessing a rapidly growing number of incidents related to network systems, and the D.R. plan is comprehensive enough to resolve the issues. The only requirement is that team members are supposed to identify the loopholes faster. The experts should be open to suggestions and changes within the plan. It would be feasible to regard the plan as temporary. The need for developing the plan has been identified as well. At CVS Health, the priority should be compliance with NIST and following its guidelines while implementing the plan. Ideally, the plan has been developed to stay prepared for any worst-case scenario. The best practices can be adopted as early as possible to reduce further damage.
References
1. Homepage | CVS Health. (2020). Cvshealth.com. Retrieved 18 February 2020, from https://cvshealth.com/
2. Wold, G. H. (2006). Disaster recovery planning process. Disaster Recovery Journal, 5(1), 10-15.
3. Olshansky, R. B., Hopkins, L. D., & Johnson, L. A. (2012). Disaster and recovery: Processes compressed in time. Natural Hazards Review, 13(3), 173-178.
4. Hawkins, S. M., Yen, D. C., & Chou, D. C. (2000). Disaster recovery planning: a strategy for data security. Information Management & Computer Security.
5. Fallara, P. (2004). Disaster recovery planning. IEEE Potentials, 23(5), 42-44.
6. Iyer, R. K., & Bandyopadhyay, K. (2000). Managing technology risks in the healthcare sector: disaster recovery and business continuity planning. Disaster Prevention and Management: An International Journal.
7. Noakes-Fry, K., & Diamond, T. (2001). Business Continuity and Disaster Recovery Planning and Management: Perspective. Gartner Research, DPRO-100862, 1-15.
8. Chow, W. S., & Ha, W. O. (2009). Determinants of the critical success factor of disaster recovery planning for information systems. Information Management & Computer Security.
9. Fuhrman, M. (2020). Council Post: 10 Things To Consider When It Comes To Disaster Recovery. Forbes. Retrieved 18 February 2020, from https://www.forbes.com/sites/forbestechcouncil/2018/05/03/10-things-to-consider-when-it-comes-to-disaster-recovery/#455536c56d82