Most community hospitals and medical clinics view off-site backup as sufficient for their disaster recovery plans, but it’s not enough. In addition to the things you likely have in place today (a backup generator and off-site data storage), you must also undergo detailed planning and training to minimize downtime and data loss following a power outage, fire, natural disaster, computer virus or cyber attack.
Remember, when disaster strikes, members of your IT staff may be unavailable as they deal with the upheaval in their personal lives. For this reason, your disaster recovery plan must be well-fleshed-out and shared outside the IT department so that both IT and non-tech-department personnel who are knowledgeable in IT can follow the process and assist in the recovery of your community hospital’s systems.
In this article, we take another look at your disaster recovery plan, with an emphasis on specifics, collaboration and training.
1) Prepare For Disaster
An important requirement of the HIPAA Security Rule is to have a formal IT disaster recovery plan. Best practices for this plan include six implementation steps:
- Inventorying IT systems
- Conducting business impact analysis
- Creating a contingency plan
- Getting down to the details of the plan
- Testing the plan
- Sharing the plan with key stakeholders outside the IT department
In many instances, however, community hospitals lose sight of the plan and allow it to become obsolete, even as information systems are added or replaced. To remain vigilant and current, your hospital should review its disaster recovery plan, rehearse its steps and update the plan. Doing so can lead to more rapid system restoration in the event of an actual emergency.
2) Document Disaster Recovery Steps In Detail
Two metrics that are crucial to include in your disaster recovery plan are recovery point objective (RPO) and recovery time objective (RTO). The RPO identifies how far back you’re willing to go to restore from backups. Your RTO defines how quickly you’ll need to have the system back up and running.
Backing up your data center every 24 hours at midnight means that in a worst-case scenario you will lose one day of data (that is, your RPO). It is important to know ahead of time that, in the event of the destruction of your data center, the ordering and delivery of new equipment, and the rebuilding of servers, can take upwards of four to five days. If it takes 96 to 120 hours to restore the hospital systems, your RTO is four to five days, a recovery time that is unacceptable by most hospital standards. A more favorable RTO of 24 to 48 hours can be achieved through a well-detailed and better-coordinated disaster recovery plan.
In preparing for disaster, community hospitals must not only know where their data center will be relocated, but also have a clear understanding of their infrastructure needs, power requirements and how data can be kept secure in the temporary environment.
If the backup site is a large room at a local high school, for instance, the hospital will want to ensure that the room is reserved, as others in the community may be clamoring for that space. The plan should spell this all out and have temporary occupancy agreements in place.
In addition, your hospital should develop its disaster recovery plan in a way that anyone knowledgeable in IT can follow. With today’s busy community hospital IT staffs, your disaster recovery planning team needs to include roles such as clinical analysts, department supervisors and superusers.
Nearly every hospital’s systems have their own idiosyncrasies, so the level of detail must be simple yet thorough enough to address issues such as which system to connect first, which interfaces are needed and more.
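The RPO and RTO figures above, together with the question of which system to connect first, can be checked against a system inventory before a disaster rather than during one. The following is an added example, not part of the original article: the system names, backup times and restore durations are constructed, and it assumes independent systems can be restored in parallel once their dependencies are up.

```python
from datetime import datetime, timedelta
from graphlib import TopologicalSorter

# Constructed inventory (hypothetical systems and figures, not from the article).
# restore_h: hours to rebuild and restore a system once its dependencies are up.
SYSTEMS = {
    "network":  {"last_backup": "2024-03-10T00:00", "restore_h": 6,  "needs": []},
    "ad":       {"last_backup": "2024-03-10T00:00", "restore_h": 4,  "needs": ["network"]},
    "ehr_db":   {"last_backup": "2024-03-10T00:00", "restore_h": 16, "needs": ["network", "ad"]},
    "lab_intf": {"last_backup": "2024-03-08T00:00", "restore_h": 3,  "needs": ["ehr_db"]},
    "pacs":     {"last_backup": "2024-03-10T00:00", "restore_h": 20, "needs": ["network", "ad"]},
}

def recovery_report(systems, disaster_at, rpo_h, rto_h):
    """Return a valid restore order plus each system's data-loss window and finish time."""
    graph = {name: set(s["needs"]) for name, s in systems.items()}
    # static_order() raises CycleError if the documented dependencies are circular.
    order = list(TopologicalSorter(graph).static_order())
    done_at, report = {}, {}
    for name in order:
        s = systems[name]
        # A restore can start only when every dependency has finished restoring.
        start = max((done_at[d] for d in s["needs"]), default=0)
        done_at[name] = start + s["restore_h"]
        last = datetime.fromisoformat(s["last_backup"])
        loss_h = (disaster_at - last) / timedelta(hours=1)
        report[name] = {
            "data_loss_h": loss_h,                 # achieved recovery point
            "restored_after_h": done_at[name],     # achieved recovery time
            "rpo_met": loss_h <= rpo_h,
            "rto_met": done_at[name] <= rto_h,
        }
    return order, report

if __name__ == "__main__":
    disaster = datetime.fromisoformat("2024-03-10T18:00")
    order, report = recovery_report(SYSTEMS, disaster, rpo_h=24, rto_h=24)
    print("Restore order:", " -> ".join(order))
    for name in order:
        print(f"{name:9} {report[name]}")
```

In this constructed inventory the lab interface misses a 24-hour RPO because its last good backup is 66 hours old, and the EHR database misses a 24-hour RTO because it cannot start restoring until the network and directory service are back.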
3) Simulate Real-World Circumstances
Once a disaster recovery plan is written, it should be tested – something that’s often a challenge for time-pressed hospital staffs. Make sure your disaster recovery team goes through all of the steps, even if it’s played out on a model scale over a meeting room table. This is a critical aspect of evaluating whether the plan makes sense. It’s also an opportunity to identify missing components and steps that may be out of sequence. Not only does this simulation better prepare the team members for an actual emergency, but it gives them the situational information they require to revise the plan as needed.
Full tests should be conducted annually at a minimum, while different routine actions (such as taking a file off the backup media and restoring it to the main system) should be tested on a quarterly basis.