Security Issues in Disaster Recovery

There was a movie that came out a few years back with one line that has stuck with me, and the truth behind it is very evident. “There is opportunity in chaos!” And in recovery scenarios, opportunity abounds.

One of the real problems when doing business recovery is that too often, our focus is on getting up and going. We need to get the websites up so we can make money. We need to get the SQL databases going so we can make money. We can’t get email. We can’t do this. We can’t do that. The temptation to take shortcuts is very real, and oftentimes it all happens just that way.

Part of the problem is an organizational issue. While some companies make Disaster Recovery part of the security team’s mission, that part of the mission is often forgotten. So instead the security team focuses on databases, servers and the like, and security during the recovery suffers.

Disaster Recovery for HIPAA-compliant organizations

One place security can’t be ignored is when HIPAA raises its head. The need to maintain security is written into the law for HIPAA-compliant organizations, and protection of personal health information is paramount, especially during DR situations. But this can still cause shortcuts, and all it takes is the right time and the right set of circumstances. Consider an incident that happened following Hurricane Sandy. The phone rings at the desk of an analyst involved in the recovery. The person on the other end identifies themselves as Dr. So-and-So and needs information on the following patients right away so they can treat them. The “doctor” gives the correct identifying information over the phone (just in case you’re wondering, there are more than a few websites out there that have doctors’ information, including license numbers and so on), identifies himself correctly, and the information is handed over. The problem was, it wasn’t Dr. So-and-So making the request. The requestor had done his homework, had gotten the doctor’s information, and got exactly what he needed. (Social engineering works every time.)

Saving backups

Let’s look at a couple of other incidents that were preventable. First of all, backup tapes. Despite a lot of screaming and shouting to the contrary, tape is alive and well, and doesn’t seem to be going anywhere. Thousands of businesses still use tape as either their primary means of backup or as a supplement to their online backups. Every now and again, tapes turn up either lost or stolen. Tapes can contain client information, employee information, and so on. The perfect time to steal a tape is whenever we might expect it to go missing anyway (during a natural disaster, for instance, when it could plausibly have been washed out to sea). Also, in the normal course of restoring things, some safeguards of the tape inventory might be short-circuited. After the information is restored, what happens to the tape? Is there a way to keep track of the tapes that came in versus those that we’re finished with? It’s simple to misplace them or, worse yet, to allow someone to stash one and just walk away with it.

Using only encrypted data

Of course, only encrypted data should leave the company. We’re talking strong, military-grade encryption. And while it is true that any encryption can be hacked, it’s also true that if they want it that bad, make them work for it. Good 256-bit encryption keys would take years to crack, and that’s even with decent computers. In short, make the data useless to anyone except you.

Of course, some folks are moving away from tape, the reason being that cloud storage is often cheaper and faster. But that still doesn’t lessen the potential for security problems. So make sure

  • your data is encrypted
  • only a handful of people can access the cloud storage site
  • you can monitor who’s accessing it and when

You can learn more about staying compliant with the regulations under which your organization falls here.