Healthcare organizations have historically focused their disaster recovery efforts on protecting against unlikely but major events such as fires, floods and natural disasters. But with 24/7 hospital operations, even the smallest of interruptions can have serious consequences to delivering patient care.

The question now is, are these organizations prepared? The answer is no.

The typical disaster recovery program found in many healthcare organizations today lack an emphasis on the people side of recovery, updated documentation, planning for relevant scenarios and poor management of the event itself.  These gaps are problematic. The fact is that disaster recovery should be a top-level concern for senior management since it is vital to maintaining their organizations’ clinical and business systems and applications. The foundations of disaster recovery success are not just senior management sponsorship and participation. Success also requires building disaster recovery into the organizational culture by weaving its processes into the life cycle of every IT project and change management activity.

Organizations should formalize disaster recovery processes, starting with the creation of a team responsible for setting policy, governance and reporting.  This team must clearly articulate the consequences of downtime to leadership, so as to justify investments for operational availability and disaster recovery. How do they accomplish this? Perform a business impact analysis (BIA), during which critical clinical and business systems, applications and processes are identified and prioritized, and costs of downtime are evaluated.

The BIA should be performed by a team consisting of clinical and business staff and security and IT personnel. Key goals of the BIA should be to:

  • Agree on the cost of downtime over varying time periods

  • Identify system, application and process availability and recovery time objectives (RTOs)

  • Identify system, application and process recovery point objectives (RPOs)

The RTO defines how quickly systems, applications, services and processes must be operational following some kind of event, including recovery of data and end-user computer access. The RPO is the point in time that marks the end of the period during which data can still be recovered using backups, journals or transaction logs. It defines what an acceptable loss of data is. Many organizations accept that if a disaster occurs, they will recover using the last backup which could be 24 hours old or older.  For many healthcare organizations that just doesn’t cut it. Each organization should decide if they need more stringent RPOs for their EHRs and other critical assets to reduce the amount of transaction and data loss.
The BIA then identifies what the organization has at risk and which clinical and business systems, applications processes are most critical, thereby prioritizing risk management and recovery investments. The direct and indirect impacts of interruptions are assessed over time, resulting in RPO and RTO requirements. An end-to-end analysis of information flows through internal and external processing environments is also important to successfully identify recovery options for all potential scenarios.

The BIA results must then feed into the current recovery strategies and clinical and business requirements. This allows those responsible for the operation of the systems, applications and processes to create more effective and detailed recovery plans and procedures. The disaster recovery plans and procedures should then be tested to ensure that requirements can be met. Next a process should be established to keep the disaster recovery plans and procedures current by initiating a review of any change to clinical and business processes or computing environments.

A disaster recovery program can provide organizations with agility regardless of the type of interruption and includes key processes that should be repeated on an ongoing basis:

  • Obtain senior management support

  • Establish and maintain a disaster recovery team structure

  • Perform a BIA

  • Develop and maintain disaster recovery plans

  • Evaluate and maintain technologies to reduce RTOs and RPOs

  • Evaluate and maintain disaster recovery service providers to help plan, implement and maintain

  • Test, test, test

In this tough economic environment, it is tempting to cut resources in disaster recovery. Many organizations mistakenly view disaster recovery as an insurance policy against which they will likely never have to place a claim. However, thousands of organizations have invoked their recovery plans with IBM Business Continuity and Recovery Services and many more have invoked internal recovery plans.
A disaster recovery program requires many resources coming together to act as a team. Organizations who have been affected by disasters find that, despite the unforeseen nature of events, they were more nimble and ready to respond to the crisis after having developed effective recovery processes.

Brian Evans is a senior managing consultant with IBM Security Services and assists healthcare organizations in building regulatory compliant information security programs. With over 20 years of combined experience in healthcare IT management, consulting and information security, Brian previously served in the role of information security officer at the University of Alabama Birmingham Health System, New York Hospital Queens, Fletcher Allen Healthcare, Atlantic Health and the Ohio State University Health System. He can be reached at


Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access