Using Risk Analysis Data to Design a Feasible DR Solution
Facilitating high availability for systems and networks is a mission critical priority for medical institutions, especially hospitals and emergency units. The consequences of system downtime during high precision medical operations can be severe, in some cases even fatal.
The data gathered from a risk analysis exercise, especially on establishments with insurance coverage, must form the basis for a comprehensive disaster recovery plan that factors in all the practicalities and constraints of day-to-day operations in a medical institution.
HIPAA Contingency Plan Standard
HIPAA mandates the design and implementation of a disaster recovery plan that forecasts the possible impact of natural calamities and disruptive events on healthcare systems that use highly critical patient data. This compliance requirement has been detailed in the form of a contingency plan standard. This standard is part of the Administrative Safeguards section of the HIPAA Security Rule.
The disaster recovery plan along with its various response strategies to specific scenarios must be formally instituted through organizational policies and procedures.
A disaster recovery plan that adheres to the regulatory norms as outlined by HIPAA should provide a detailed blueprint of the medical institution’s:
- Plan of action during a crisis
- Workaround options and alternatives
- Requirements in terms of
  - Resources
  - Assets
  - Hardware, Software & Technology
  - Utilities and Infrastructure
The plan must also include strategies for facilitating data protection, transfer and storage, in line with HIPAA’s Privacy and Security Standards that extend to the proper handling of highly sensitive and classified information.
The HIPAA standard allows healthcare institutions a fair amount of freedom to design a disaster recovery plan based on their specific operational constraints. One of the main reasons is that an ineffective plan can have dire repercussions. People can be held accountable and penalized. Hence, it goes without saying that, from a healthcare service provider’s point of view, an ineffective plan amounts to noncompliance.
Budgetary Considerations
The allocation of sufficient funds towards the development of a comprehensive disaster recovery plan often gets overlooked in many healthcare organizations. Incorporating new technologies, adopting improvement management methodologies, installing more robust systems and similar such initiatives tend to take precedence in a bid to increase the probability of achieving the institution’s mainstream goals and targets.
Approval and backing from upper management and leadership teams does help immensely. However, emergency management teams must look to highlight the commercial implications of not having a disaster recovery plan in place.
IT teams can also look at incorporating response and recovery measures into their daily tasks and activities such that the impact of a full-fledged business disruption can be curbed to the extent possible.
Risk Analysis
This is a prerequisite for the development of any disaster recovery plan. Risk analysis exercises are important for assessing the IT requirements that provide an operational framework for business processes.
The logical step to follow after the risk analysis exercise is establishing the recovery time objective and recovery point objective (RTO and RPO, respectively). The feasibility of response and recovery measures depends largely on whether healthcare data, systems and operations can be restored within the RTO and RPO timeframes.
Disaster Recovery Strategies
Strategies outline the healthcare institution’s resiliency goals and objectives while plans detail the manner in which those goals are to be achieved. The ISO/IEC 27031 business continuity standard emphasizes the importance of choosing the right strategy before designing an appropriate plan. Other factors to be taken into consideration include:
- RTO and RPO Objectives
- Mission Criticality of Various Operations
- Budgetary Considerations
- Management Support
- Resource Availability
- Technical Requirements
- Regulatory Norms
Sample Strategies:
1. Electronic Medical Record Systems
- Recovery Time Objective: 6 Hours
- Recovery Point Objective: 3 Hours
- Threat:
  - Server Malfunction
  - Loss of Electronic PHI Data
- Preventive Measures:
  - Servers that run on SSL protocol
  - HIPAA Compliant Cloud Service Hosting
  - UPS
  - Taking Regular Copies
- Response Plan
  - Checking UPS Runtime
  - Switching to Alternate Server
- Recovery Plan
  - Failing back to main server
  - Reinstalling backup data and interim files
2. Invoicing Systems
- Recovery Time Objective: 7 Hours
- Recovery Point Objective: 3 Hours
- Threat:
  - Server Malfunction
  - Loss of accounts payable records and invoices
- Preventive Measures:
  - Servers that run on SSL protocol
  - HIPAA Compliant Cloud Server Hosting
  - UPS
  - Taking Regular Copies
- Response Plan
  - Maintaining Physical Records
- Recovery Plan
  - Failback to Main Server
  - Reinstall backup data and interim files
3. Physical Facility
- Recovery Time Objective: 3 Hours
- Recovery Point Objective: 1 Hour
- Threat:
  - Irreparable damage to security systems
- Preventive Measures:
  - Install Security Systems in a Safe Zone
  - Use Protective Cabinets for Devices and Equipment
- Response Plan
  - Security Systems which are operational
  - Data is available and accessible
- Recovery Plan
  - Restore damaged devices and components
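The feasibility test described under Risk Analysis, applied to the sample RTO and RPO values above, as an added example that is not part of the original article. The backup log, the drill timings and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# RTO/RPO targets taken from the sample strategies above.
TARGETS = {
    "emr":       {"rto": timedelta(hours=6), "rpo": timedelta(hours=3)},
    "invoicing": {"rto": timedelta(hours=7), "rpo": timedelta(hours=3)},
    "facility":  {"rto": timedelta(hours=3), "rpo": timedelta(hours=1)},
}

# Constructed sample backup log for the EMR system: (finish time, status).
EMR_BACKUPS = [
    ("2024-03-01T00:00", "ok"),
    ("2024-03-01T02:00", "ok"),
    ("2024-03-01T04:00", "failed"),   # a failed copy protects nothing
    ("2024-03-01T06:00", "ok"),
    ("2024-03-01T08:00", "ok"),
]

# Constructed timings from a recovery drill, in minutes per step.
EMR_DRILL = {"checking UPS runtime": 20, "switching to alternate server": 45,
             "reinstalling backup data and interim files": 150,
             "failing back to main server": 60}


def worst_case_data_loss(backups, window_end):
    """Largest span with no successful backup, up to window_end."""
    good = sorted(datetime.fromisoformat(t) for t, s in backups if s == "ok")
    if not good:
        return None  # no usable copy at all: the RPO cannot be met
    points = good + [datetime.fromisoformat(window_end)]
    return max(b - a for a, b in zip(points, points[1:]))


def assess(system, backups, window_end, drill_minutes):
    """Compare measured exposure with the system's RTO and RPO."""
    target = TARGETS[system]
    loss = worst_case_data_loss(backups, window_end)
    recovery = timedelta(minutes=sum(drill_minutes.values()))
    return {
        "worst_case_loss": loss,
        "recovery_time": recovery,
        "rpo_met": loss is not None and loss <= target["rpo"],
        "rto_met": recovery <= target["rto"],
    }


if __name__ == "__main__":
    result = assess("emr", EMR_BACKUPS, "2024-03-01T09:00", EMR_DRILL)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With this constructed data the single failed backup opens a four-hour gap, so the nominal two-hour schedule still misses the three-hour RPO even though the drill finishes inside the six-hour RTO.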
Different Aspects of a Disaster Recovery Strategy
Personnel
Despite the growing presence of machine learning, automated systems and related capabilities in modern-day computer systems, the availability of skilled staff is still a necessity that can’t be overlooked. Healthcare institutions must also ensure:
- Redundancy for mission critical job profiles
- Detailed documentation of processes that can facilitate seamless transitions during on-boarding and attrition
- Regular skill set updates through training and knowledge sharing
Physical Locations
Healthcare organizations must consider the feasibility of options such as:
- Backup Locations
- Agreements with other organizations for resource sharing during crisis
- Contracting third party BCDR Vendors
- Provisioning of Utility Services such as power, gas, fuel & Water
- Health and Safety of Working Staff and Patients
- Security measures, including stringent entry and exit protocols
Technology
Proper infrastructure must be provided for IT equipment, including
- Elevated Floors
- Heating and Cooling Requirements
- Steady and Stable Supply of Power
- Backup Technology Centers
- Seamless Failover to and failback from backup servers and systems
- Cloud based solutions for leveraging security
Data
Proper safeguards must be provided for data, including
- Regular backups of data
- Backup storage location in a risk free zone
- Segregating data based on
  - Priority
  - Mission Criticality
  - RTO and RPO Objectives
- Mapping different data types to bandwidth requirements
Third Party Vendors
Healthcare organizations must negotiate contracts with external suppliers for all high priority systems, PHI data, processes and even resources. Backup supplier options must also be evaluated, especially for
- Servers and Racks
- Power supplies and batteries
- Voice and Data Communication Services
Medical institutions must also ensure that an optimal level of delivery is leveraged by the external supplier through legally binding service level agreements. Outsourced segments of the disaster recovery solution must be in sync with the recovery time objective and recovery point objective established during the risk analysis exercise.
Policies & Procedures
The requirement for a disaster recovery plan must be formally incorporated into the healthcare organization’s policies and procedures in line with the outlined resiliency goals and objectives along with compliance standards.
Reaching a consensus on the various particulars of the healthcare organization’s resiliency policies can be a time-consuming process, as it requires the involvement of upper management and leadership teams, compliance personnel and key executives. Nevertheless, it must be reiterated at this juncture that building a disaster recovery capability, especially in a highly critical sector like healthcare, should be a holistic exercise in which all departments and divisions collaborate and collectively work towards a disaster recovery plan.