How prepared are you to recover from a disaster?

When healthcare operations are disrupted, patients, reputations, and revenue can be harmed. The secondary effect is the impact of lost revenues. With a growing dependence on information systems, IT disaster recovery and business continuity planning are even more essential. While technical support staff is diligently supporting the organization, their disaster recovery and business continuity plans are sometimes lacking. Cyber attacks compound the criticality of being ready for a rapid response.

ECRI Institute, one of the nation’s leading patient safety and medical technology research organizations, places health technology cybersecurity at the top of its 2019 Top 10 Health Technology Hazards. In the case of a failure or disaster event, the majority of IT departments are struggling to say they are well prepared to recover their IT services and continue business operations. This is despite advanced replication technologies, cloud solutions, and complex data center architectures.

The need to plan, prepare, and practice has assumed added significance.

In recent years, the diversity of incident types that can lead to disasters has changed dramatically. TraditIconionally, organizations have categorized disasters as internal or external. Human error, environmental issues, single points of failure, and cyber issues are the likely causes of most disasters or major unplanned downtime. In addition, a new set of disastrous events has emerged, such as organized cyber-crime hacking events which can affect an organization’s infrastructure. While these aren’t entirely new, the expanding challenges that accompany preparedness and recovery from such events add complexities.

A well-written plan addresses: People, Processes, and Technology.

Disaster recovery planning traditionally focuses on information technology and the data centers that support information resources. The plan explains the systematic approach for quickly restoring critical information resources after an incident, business interruption, or a disastrous event.

How we can help.

  • Conduct a Business Impact Analysis (BIA) [1] to identify key business unit processes and critical applications/systems. Then rank and determine the Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).
  • Evaluate, create, or update the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) offering improvement recommendations.
  • Identify and document recovery strategies for information technology and work-a-round business operations so technology can be restored in time to meet the needs of the business.
  • Augment the existing business continuity and disaster recovery plans to address discrete infrastructure elements.
  • Create documentation (playbooks and flowcharts) and the steps that would be taken.
  • Conduct staff training on how to use the plan and supporting documentation.
  • Develop scenario-based testing exercises (tabletop) for partial functional testing of the plan and evaluate recovery strategies.

Conduct a Business Impact Analysis (BIA).

The Business Impact Analysis (BIA) [1] identifies and ranks key business unit processes and critical applications/systems to determine the Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).

The development of appropriate disaster recovery strategies is based upon the RPO and RTO as determined by each department. Therefore, it is an essential first step in the development of an effective disaster recovery plan.

The information obtained in the BIA is also useful for helping each department create or update their departmental downtime procedures and/or contingency plans. BIAs also help identify additional systems that store, process or transmit sensitive information including ePHI. The departmental downtime procedures and/or contingency plans, along with the disaster recovery plan for information technology services are part of business continuity.

The BIA drives recovery strategies through establishing priorities for applications and information resources in resuming business operations.

Without a business impact analysis, the organization runs the risk of underestimating the resources required to respond to a disaster or business disruption. Information system redundancy and fault tolerance can be costly. Therefore, it is important that executive management recognizes the minimum resources necessary to sustain limited operations during a business disruption. The BIA helps the organization balance between the operational needs of the departments and the costs for maintaining high availability.

[1] Referred to in HIPAA’s Security Rule as Applications and data criticality analysis §164.308(a)(7)(ii)(E)