Vital Records and Business Continuity Planning
By Dr. Jim Kennedy, MRP, MBCI, CBRM CHS-IV.
As business continuity and disaster recovery professionals we continue to address the rapidly changing face of business and technology. We are caught up in the frenzy of our employers or clients wishing to converge their voice and data networks. We must maintain the RTOs and RPOs necessary to restore mission critical infrastructures along with all of the electronic data that moves across networks or is stored on magnetic media. We know that companies that go through a severe loss of mission critical computerized records may never reopen.
However, as we have seen from past disasters, like those suffered during hurricanes Katrina and Rita or even the most recent floods in the Midwestern portions of the United States, that electronic and digital data is not the only medium of information critical to an organization’s business mission. Neither is electronic data the only storage medium of importance to customers or patients who rely upon critical paper records and their protection for their financial futures or health and wellbeing.
Disasters such as floods, fires and tornadoes can happen almost anywhere and at any time. Some come with prior warning, but most do not. With hurricanes there is often advanced warning, but the actual ultimate severity is still pretty much a ‘best guess’ due to the complex factors which can change a category three into a category five or change the final direction of a storm. Those changes can mean the difference between severe flooding, levee breaches, and near absolute destruction of property or just a lot of rain and some local street flooding and wind damage.
We have seen and experienced some of the most destructive weather and natural disasters imaginable in the last ten years. We also know that more localized incidents like a roof collapse under the weight of above average snowfall or a pipe bursting due to age can also cause catastrophic outcomes. As contingency planners we continue to learn and base our future efforts on lessons learned from the past. We have learned to apply an ‘all hazards’ approach when planning.
We also need to take an ‘all media’ approach to data protection. As such, we all need to look very closely at the continued reliance of businesses such as financial, healthcare, government, and education on paper records and information.
Until businesses can move entirely to the use of electronic records and adequately back up that information, organizations will continue to remain vulnerable to all types of disasters. Many organizations today could fail and never reopen their doors if they suffered a loss of just paper records due to a fire or flood.
As we saw during the catastrophic destruction of hurricane Katrina and then Rita, thousands of medical records were permanently lost and healthcare was ultimately compromised in the region. Doctors in attempting to treat their patients could not find their medical records. So they (the doctors) could not look for past allergies to medications or previous illnesses. Patients often did not know the names of their critical prescriptions so they were forced to go without.
Small and medium businesses that had lost their computers in the storm had also lost several weeks of paper business transactions. Architectural and engineering firms lost many important drawings not maintained on computers and numerous local and county governments lost paper deeds, court records, birth records and many other valuable papers and documents.
Natural disasters are not the only incidents to threaten vital paper records. I was personally involved several years ago in an incident in which a local bank vault, used to archive not only financial records but other vital records of the community, became fully engulfed in a fire. The only way to get to and then put the fire out was to drill several holes in the concrete ceiling above the vault and then fill it with water to extinguish the blaze. The very water used to extinguish the blaze and save the building from the fire also compromised and/or destroyed important documents and records, many of which had been there for over one hundred years. Luckily with the help of a document recovery company the bank was able to restore some of the records over time, but with a very expensive price tag.
Even paper files and records that are kept in an off-site storage facility can be susceptible to the same types of damage and destruction that other businesses are. In many instances widespread natural disasters, like floods, often compromise off-site storage facilities in the same manner as the primary sites that sent them there for protection.
So as you can see paper continues to be a medium on which many critical records and irreplaceable information continues to reside. So as contingency planners we need to ensure that our evaluation of business includes any and all data that is critical to the operation of that business – that includes vital paper documents and records.
Defining, identifying and inventorying vital paper records
This is possibly the most important and sometime the most difficult first step to proper data protection. This is where organizations need to distinguish between important data and a vital record. A vital record is defined by the Business Continuity Institute as: Computerized or paper record which is considered to be essential to the continuation of the business following an incident.
Typically only between 3 to 15 percent of the paper records archived are typically categorized as vital. However, in the case of healthcare and governmental organizations this number can be quite a bit higher. So, someone at a senior level in the organization must make the final judgment as to what is vital and what is not. Also, many paper records are maintained for legal reasons. Many need to be maintained due to some type of regulation from the FDA, SEC, Internal Revenue, or HIPAA. The terms of the retention period can vary from three years to seven years for tax information to the life of a patient for some medical records. So an organization’s legal council should also be contacted for their recommendations.
Categories of recorded data, on paper, that typically fall under the category of vital may include:
- Patient healthcare records, controlled drug administration, results of clinical trials, and etc.
- Birth records, court records, vital statistics and etc.
- Contracts/agreements that prove ownership of property, equipment, and etc.
- Operational records such as Sarbanes-Oxley accounting records, architectural drawings, shipping delivery records, software licenses, maintenance contracts, and etc.
- Current client files and account information
- Intellectual property such as source code, formulas, schematics, SOPs, and etc.
- Legal documents such as tax records and correspondence or other documents which is a part of ongoing litigation
Assessing the threat to vital records
The identification of hazards that can result in damage or destruction of paper records is the very important next step. Flooding or water damage of records in storage areas can occur due to:
- Pipes bursting or leaking
- Roof leaks or collapse (rain, snow)
- Localized flooding (water main breaks, traffic accidents)
- Chemical spills
The risk of damage due to fire is possible when:
- Fire detection and protection mechanisms are not proper for the types of materials being protected or are in place and not maintained and checked annually (e.g., sprinklers can cause more damage from water than fire would have caused)
- NO SMOKING protocols are not established and adhered to
- Improper housekeeping is found in document storage areas (e.g., flammable liquids, cleaning solvents, or other materials are found in the same area or in close proximity as document storage, and there is an accumulation of flammable materials)
- Paper records are not stored in a UL or CSA rated fireproof/fire safe and water retardant storage cabinet
Other threats to paper records:
Some paper records due to age or paper material used can be damaged due to improper handling or environmental excesses such as temperature, humidity, or sun or fluorescent light. As such these need to be protected by:
- Air conditioning to maintain constant temperature and humidity levels
- In storage cabinets to keep the document from direct light of any kind
So any threats to the maintenance and operation of air conditioning or environmental controls must be considered as well.
Another red flag is a lack of adequate levels of security protection in storage containers or spaces used for on or off site storage locations. Adequate access controls and proper 7 X 24 X 365 monitoring of the records must be maintained at any storage facility selected to house vital records.
Establish a plan to protect vital records
In order to protect vital records from disaster many organizations:
- Move and store the paper records off-site at a facility specializing in transportation of vital records and providing secured vaulting services;
- Convert paper to other media such as: optical disk, microfiche, microfilm, magnetic disk or tape and etc.
Each of these contingencies is good provided that it provides the necessary flexibility to access records when needed and provides the necessary protection to properly preserve those records. That is whether or not the vital records will be kept on or off site the vaulting facility must have adequate security, provide proper environmental controls (humidity and air conditioning), have adequate fire protection facilities, and employ trusted or bonded workers.
In any case all threats identified in the risk assessment should be addressed, either by: elimination through mitigation; adequately insuring against loss; or a cognizant decision by senior management is made to ignore.
Once the threats have been addressed the business continuity plan can proceed in the development of the sections on vital records protection, restoration and recovery. The plan should include a thorough inventory of all vital records stored on or off site. The plan should also include a description of how records will be identified, transported, and handled during restoration. Also the plan should designate who is the responsible party within the organization to authorize initial storage and any subsequent recovery of vital records so that the confidentiality and integrity of the data can be maintained.
One component of the vital paper records plan should include an agreement or contract with a document recovery and restoration company in case documents are compromised during an incident. This saves time by identifying one of the first organizations to be contacted if paper records are damaged. If not a contract, at least have emergency contact information of such an organization included in the plan.
Once the plan has been exercised, including the vital records component, and found to be ‘fit-for-purpose’ the contingency planner can breathe somewhat easier and the plan can be finalized and released.
Summing it up
Paper records can be as critical to the operation and survival of a business as other forms of media. We as business continuity or resilience planners need to adopt an ‘all hazards’ and an ‘all media’ approach when developing plans to ensure that we have provided the necessary due diligence to protect our businesses and its associated operations.
Dr. Jim Kennedy has a PhD in Technology and Operations Management and is the business continuity/security services practice lead and principal consultant for Alcatel-Lucent. Dr. Kennedy has over 30 years' experience in the information security, business continuity and disaster recovery fields and has been published nationally and internationally on those topics. He is the co-author of two books, ‘Blackbook of Corporate Security’ and ‘Disaster Recovery Planning: An Introduction’ and author of the e-book, ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’. [email protected]