Updated March 2025: Looking for a Business Associate Agreement? Download our FREE template.

Free BAA Download
Total HIPAA Logo

Do You Have a Disaster Recovery Plan, and Have You Tested It?

As much as we hope every business is preparing a Disaster Recovery Plan (DRP) to deal with the growing technological advancements with storing and sharing ePHI, at this moment in time the majority are still lagging behind. When your company’s data or the Protected Health Information of your employees is compromised are you prepared to respond?

A Disaster Recovery Plan describes how an organization plans to handle potential disasters, created both by natural causes and human error. If you need an idea for where to start with your DRP, check out these 9 key elements to create your plan here.

Even if your business has created a DRP, have you tested it? A DRP cannot be assumed to work without testing the program. By testing, you are to identify deficiencies and validate you can implement the plan.

Here are 3 simple steps to take before you begin testing your Disaster Recovery Plan:

  1. Break it down – Look at your DRP and figure out how to divide it into different segments based on areas of responsibility. That way, when it comes to the lower levels of testing (checklist, walkthrough, and simulation), you do not have to perform a full-scale test.
  2. Periodically Review – We recommend your staff or your assigned Emergency Team Leaders meet at least quarterly to review the DRP.—Meaning, examine in great detail for missing information or deficiencies in the written plan.
  3. Set Objectives – Determine exactly what it is you want to accomplish with this test. Set goals for your workforce to meet and outline what steps should be taken in order to meet those goals.

After taking these steps you can begin the testing process. Let’s review the different types of tests:

  • Checklist Testing- Create a checklist specific to each business process. Select teams who will carry out the responsibilities of each process. Checklists are cheap and easy to implement. This should be done before any other test because it acts as a foundation for the rest of the testing.
  • Walk-Through Testing- Before trying any sort of simulation with your business, gather all workforce members in a meeting room to walk through each scenario step-by-step. Assure every employee understands their tasks and duties for the corresponding situation. Awareness of all members is key to a DRP and tabletop testing can effectively demonstrate their roles. Additionally, this is a great way to find documentation errors or inconsistencies in your DRP.
  • Simulation Testing- Simulate a disaster as closely to a real disaster as possible without disrupting the business operation. This is the nearest you can get to a full test without interrupting daily operations.
  • Full Interruption Testing- A full interruption test is costly and interrupts normal operations. This test is closest to the real thing so it will help reduce errors and will better prepare the workforce for a real disaster. In this case, you shut down operations at the primary site and recover at the alternate site as laid out in the procedures for your DRP. Only do this once your team has practiced enough and feels comfortable with your plan. Your business will literally be shut down during this test and will only come back if you successfully complete the recovery plan.

After completing a test, it is important to follow these steps in order to evaluate and document the effectiveness of your plan and your workforce:

  • Identify Strengths and Weaknesses of the Plan- After completing the test, determine which aspects can be improved upon and which ones are working well. It’s also important to evaluate the steps that are taken and determine if any need to be added or if any are unnecessary or repetitive and can be removed from the plan.
  • Give Feedback on Performance- Remember to take notes throughout the test on the performance of each team or function. This will make giving feedback easier. The teams need to know what they did well and what needs improvement in order to make the Disaster Recovery Plan most effective.
  • Write Final Report- The final report should include objective results, performance overall and by teams, a summary of the test, and future recommendations. It should sum up the results of the test for future reference.

You should run a simulation of your disaster recovery plan so that your procedures become routine to your organization and team members. It is not enough to have a DRP written down and filed away. The DRP should be tested and ready to be successfully implemented.

https://www.sans.org/reading-room/whitepapers/recovery/disaster-recovery-plan-testing-cycle-plan-plan-cycle-563
Edwards, B. and Cooper, J. (1995) ‘Testing the disaster recovery plan’, Information Management & Computer Security, 3(1), pp. 21–27.

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2025

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document
Register for Webinar

Related Posts

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records

Essential Guide to Email Authentication and Deliverability: How to Configure DMARC, SPF, and DKIM Records
*This process is technical and requires access to your Domain Name Server (DNS). It’s recommended to have an IT professional handle these configurations to avoid potential issues. If you proceed yourself, back up your current settings with screenshots or copies before making any changes.
Organizations rely heavily on email for marketing and communication, making it a prime target for malicious actors. Phishing, spoofing, and other email attacks can inflict significant financial and reputational damage. In response to this growing threat, email providers are tightening their security measures, and businesses that aren’t paying attention risk having their emails blocked.
A recent announcement from Microsoft, highlighted in their Tech Community blog, highlights that Outlook is implementing stricter requirements for high-volume senders to protect users from unwanted and potentially harmful messages. This move serves as a clear signal: email authentication is no longer optional – it’s required for all organizations, regardless of their sending volume.
The key to making sure your emails reach their intended recipients is all in the configuration and alignment of your Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) records. These protocols verify an organization actually sent the emails and tells receiving servers your messages are legitimate and shouldn’t be sent to spam folders or blocked.
What makes SPF, DKIM, and DMARC so crucial?
SPF (Sender Policy Framework): This record lists the authorized mail servers permitted to send emails on your behalf. When your email server receives an email, it checks it and verifies if the sending server’s IP address matches the list in your SPF record. This helps prevent attackers from spoofing your domain using unauthorized servers.
DKIM (DomainKeys Identified Mail): DKIM adds a digital signature to your outgoing emails. This signature is cryptographically linked to your domain and verified by the receiving server using a public key published in your DNS records. DKIM ensures the integrity of the email content and confirms that it hasn’t been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds upon SPF and DKIM. It tells receiving servers what to do with emails that fail SPF and/or DKIM checks. You can set policies to “none” (monitor), “quarantine” (send to spam), or “reject” (block). DMARC also enables reporting, allowing you to gain valuable insights into who sends emails using your domain and identify potential spoofing attempts.
Microsoft’s Stance: A Wake-Up Call
The stricter requirements being implemented by Outlook for high-volume senders emphasize the need for organizations to set up and review their authentication protocols. While the current focus is on high-volume senders, it is clear: email providers are looking for authenticated mail. Failing to correctly set up your DMARC, SPF, and DKIM records will lead to deliverability issues of emails.
What Your Company Needs to Do Now:
Regardless of size or email volume, every company should take the following steps to make sure its email authentication is configured correctly. Here’s a checklist:
Audit Your Existing Records: Check for existing SPF, DKIM, and DMARC configurations. Are they accurate and up-to-date?
Implement Missing Records: If you are missing any of these records, add them immediately. *Consult with your IT team or email service provider for guidance.
Check Alignment: It’s crucial to make sure there is alignment between your SPF, DKIM, and DMARC records. This means that the domain used for SPF and the signing domain in DKIM should match the “From” address domain in your emails. DMARC relies on this alignment to function effectively.
Start with a Monitoring Policy: For DMARC, it’s often best to start with a “none” policy to monitor how your emails are being handled and identify any legitimate sending sources that might not be properly authenticated.
Gradually Enforce Stronger Policies: Once you clearly understand your email flows and have addressed any authentication issues, move gradually towards stronger DMARC policies like “quarantine” or “reject” to protect your domain from spoofing actively.
Regularly Review and Update: The email landscape is constantly changing. Regularly review and update your authentication records as needed, especially when changing your emails or third-party sending services.
The Benefits of Proper Email Authentication:
Properly configuring and aligning your DMARC, SPF, and DKIM records offers significant benefits:
Improved Email Deliverability: Your legitimate emails are more likely to reach the inbox, avoiding spam folders and blocks.
Enhanced Brand Reputation: Protecting your domain from spoofing builds trust with your recipients and safeguards your brand’s reputation.
Increased Security: You significantly reduce the risk of using your domain for phishing and other malicious activities.
Compliance with Evolving Standards: By staying ahead of the curve, you ensure your email practices align with the increasingly stringent requirements of email providers.
The message is clear: email authentication is no longer optional. The recent emphasis from major providers like Microsoft underscores its critical importance in maintaining reliable and secure email communication. By taking the steps to audit and align your DMARC, SPF, and DKIM records, your organization can protect itself, customers, and reputation. Don’t wait until your emails are blocked – act now to secure your email.
Have questions or need help with your HIPAA compliance? Schedule a call with our experts today. https://www.totalhipaa.com/get-started/
To check your DMARC Records go here
https://www.totalhipaa.com/dmarc-lookup-free/
All records, a free and easy tool to use
https://easydmarc.com/

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)