Initial Steps for a Disaster Recovery Program
Healthcare organizations have historically focused their disaster recovery efforts on protecting against unlikely but major events such as fires, floods and natural disasters. But with 24/7 hospital operations, even the smallest of interruptions can have serious consequences to delivering patient care.
Healthcare organizations have historically focused their disaster recovery efforts on protecting against unlikely but major events such as fires, floods and natural disasters. But with 24/7 hospital operations, even the smallest of interruptions can have serious consequences to delivering patient care.
The question now is, are these organizations prepared? The answer is no.
The typical disaster recovery program found in many healthcare organizations today lack an emphasis on the people side of recovery, updated documentation, planning for relevant scenarios and poor management of the event itself. These gaps are problematic. The fact is that disaster recovery should be a top-level concern for senior management since it is vital to maintaining their organizations clinical and business systems and applications. The foundations of disaster recovery success are not just senior management sponsorship and participation. Success also requires building disaster recovery into the organizational culture by weaving its processes into the life cycle of every IT project and change management activity.
Organizations should formalize disaster recovery processes, starting with the creation of a team responsible for setting policy, governance and reporting. This team must clearly articulate the consequences of downtime to leadership, so as to justify investments for operational availability and disaster recovery. How do they accomplish this? Perform a business impact analysis (BIA), during which critical clinical and business systems, applications and processes are identified and prioritized, and costs of downtime are evaluated.
The BIA should be performed by a team consisting of clinical and business staff and security and IT personnel. Key goals of the BIA should be to:
The BIA then identifies what the organization has at risk and which clinical and business systems, applications processes are most critical, thereby prioritizing risk management and recovery investments. The direct and indirect impacts of interruptions are assessed over time, resulting in RPO and RTO requirements. An end-to-end analysis of information flows through internal and external processing environments is also important to successfully identify recovery options for all potential scenarios.
The BIA results must then feed into the current recovery strategies and clinical and business requirements. This allows those responsible for the operation of the systems, applications and processes to create more effective and detailed recovery plans and procedures. The disaster recovery plans and procedures should then be tested to ensure that requirements can be met. Next a process should be established to keep the disaster recovery plans and procedures current by initiating a review of any change to clinical and business processes or computing environments.
A disaster recovery program can provide organizations with agility regardless of the type of interruption and includes key processes that should be repeated on an ongoing basis:
A disaster recovery program requires many resources coming together to act as a team. Organizations who have been affected by disasters find that, despite the unforeseen nature of events, they were more nimble and ready to respond to the crisis after having developed effective recovery processes.
Brian Evans is a senior managing consultant with IBM Security Services and assists healthcare organizations in building regulatory compliant information security programs. With over 20 years of combined experience in healthcare IT management, consulting and information security, Brian previously served in the role of information security officer at the University of Alabama Birmingham Health System, New York Hospital Queens, Fletcher Allen Healthcare, Atlantic Health and the Ohio State University Health System. He can be reached at evansb@us.ibm.com.
The question now is, are these organizations prepared? The answer is no.
The typical disaster recovery program found in many healthcare organizations today lack an emphasis on the people side of recovery, updated documentation, planning for relevant scenarios and poor management of the event itself. These gaps are problematic. The fact is that disaster recovery should be a top-level concern for senior management since it is vital to maintaining their organizations clinical and business systems and applications. The foundations of disaster recovery success are not just senior management sponsorship and participation. Success also requires building disaster recovery into the organizational culture by weaving its processes into the life cycle of every IT project and change management activity.
Organizations should formalize disaster recovery processes, starting with the creation of a team responsible for setting policy, governance and reporting. This team must clearly articulate the consequences of downtime to leadership, so as to justify investments for operational availability and disaster recovery. How do they accomplish this? Perform a business impact analysis (BIA), during which critical clinical and business systems, applications and processes are identified and prioritized, and costs of downtime are evaluated.
The BIA should be performed by a team consisting of clinical and business staff and security and IT personnel. Key goals of the BIA should be to:
- Agree on the cost of downtime over varying time periods
- Identify system, application and process availability and recovery time objectives (RTOs)
- Identify system, application and process recovery point objectives (RPOs)
The BIA then identifies what the organization has at risk and which clinical and business systems, applications processes are most critical, thereby prioritizing risk management and recovery investments. The direct and indirect impacts of interruptions are assessed over time, resulting in RPO and RTO requirements. An end-to-end analysis of information flows through internal and external processing environments is also important to successfully identify recovery options for all potential scenarios.
The BIA results must then feed into the current recovery strategies and clinical and business requirements. This allows those responsible for the operation of the systems, applications and processes to create more effective and detailed recovery plans and procedures. The disaster recovery plans and procedures should then be tested to ensure that requirements can be met. Next a process should be established to keep the disaster recovery plans and procedures current by initiating a review of any change to clinical and business processes or computing environments.
A disaster recovery program can provide organizations with agility regardless of the type of interruption and includes key processes that should be repeated on an ongoing basis:
- Obtain senior management support
- Establish and maintain a disaster recovery team structure
- Perform a BIA
- Develop and maintain disaster recovery plans
- Evaluate and maintain technologies to reduce RTOs and RPOs
- Evaluate and maintain disaster recovery service providers to help plan, implement and maintain
- Test, test, test
A disaster recovery program requires many resources coming together to act as a team. Organizations who have been affected by disasters find that, despite the unforeseen nature of events, they were more nimble and ready to respond to the crisis after having developed effective recovery processes.
Brian Evans is a senior managing consultant with IBM Security Services and assists healthcare organizations in building regulatory compliant information security programs. With over 20 years of combined experience in healthcare IT management, consulting and information security, Brian previously served in the role of information security officer at the University of Alabama Birmingham Health System, New York Hospital Queens, Fletcher Allen Healthcare, Atlantic Health and the Ohio State University Health System. He can be reached at evansb@us.ibm.com.
More for you
Loading data for hdm_tax_topic #better-outcomes...