Although once marketed solely as a technology for decreasing hardware costs, server virtualization has proved to be an excellent technology for use in disaster recovery situations. If an organization's physical servers have been destroyed, it is usually relatively easy to restore backups of those systems to virtual hardware. This allows the organization to restore functions quickly without having to worry too much about the underlying physical hardware.
Even though server virtualization might work well for disaster recovery, health care organizations do not have the luxury of deploying a virtualized disaster recovery site on a whim. Changes to such an organization's disaster recovery efforts require thorough planning: It must maintain Health Insurance Portability and Accountability Act (HIPAA) compliance and could be required to comply with Payment Card Industry (PCI) and Joint Commission standards.
So, does this mean that health care organizations cannot use virtualized disaster recovery sites? Absolutely not. It simply means that they have to take regulatory compliance into consideration whenever they make a change to their disaster recovery infrastructure.
In order to maintain HIPAA compliance, organizations are required to create and maintain three plans related to disaster recovery. If an organization makes any change to its disaster recovery efforts, such as incorporating virtualized disaster recovery technology, these plans will have to be revised to reflect the changes.
The first plan a HIPAA covered entity is required to maintain is a data backup plan. This is intended to serve as proof that the organization has documented and implemented procedures for creating and maintaining exact copies of electronic health information. In other words, the data backup plan should provide a detailed description of backup procedures.
It is fully expected that an organization's backup requirements will evolve over time, so HIPAA auditors will look for the plan to be updated regularly. The plan's most recent revision must match the procedures that are currently in use in the organization.
It is worth noting that if a health care organization decides to incorporate server virtualization into its disaster recovery efforts, it might not have to worry about revising its data backup plan. That's because the data backup plan focuses on backing up data, not restoring it. With that focus, the data backup plan probably would not be affected unless the organization found itself running its backup software on a virtual server or writing its backups to a virtual server (such as a virtualized instance of Microsoft System Center Data Protection Manager).
The second plan that health care organizations are required to document is a disaster recovery plan. While the data backup plan focuses on procedures for backing up data, the disaster recovery plan documents the procedures used to restore data after a disaster strikes.
Keep in mind that a disaster recovery plan does not focus primarily on restoring files that have been deleted accidentally by a user, but on dealing with catastrophic situations. The plan should describe the resources and procedures required to resume critical business processes after a natural or man-made disaster occurs.
As is the case with the data backup plan, HIPAA compliance requires that a disaster recovery plan include detailed procedures. Organizations are expected to revise these documented procedures as their recovery plans evolve.
If a disaster strikes, you ideally should be able to restore your data to its original location. Depending on the scale of the disaster, however, this could prove to be impossible. After all, if your entire data center has been wiped out in a hurricane, the odds of being able to reuse your server hardware are pretty slim.
With that in mind, if you decide to use virtual servers as a part of your contingency plan, your disaster recovery plan will need to include procedures for restoring backups to virtual hardware. You also will be required to specify under what conditions the virtual machines will be used.
The emergency mode operations plan, the third and final one health care organizations are required to maintain, describes how the organization will continue to operate after a disaster, such as a fire or flood. Whether the emergency mode operations plan will need to be changed to reflect the use of virtual servers depends on how the organization plans to use the virtual servers in the event of a disaster.
Suppose, for instance, that your plan is to restore your backups to virtual machines in the local data center if possible, but to fail over operations to a remote data center if necessary. In such a situation, the emergency mode operations plan probably would not require much revision, because whether you use server virtualization is irrelevant to the remote data center (which presumably is already in place).
On the other hand, let's say that if your data center is destroyed, your plan is to build a remote data center on the fly by using virtual server technology. In this situation, virtual servers would be directly involved in emergency mode operations, so your emergency mode operations plan would need to address server virtualization.
Overall, virtualized servers can be extremely beneficial in disaster recovery situations. Even so, a HIPAA covered entity cannot legally use this approach unless its data backup, disaster recovery and emergency mode operations plans are updated (as necessary) to reflect its new disaster recovery strategy.
Brien M. Posey is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals, and was once in charge of IT security for Fort Knox. Contact him at firstname.lastname@example.org.
This was first published in January 2011