Why HIT executives are worried about business continuity
The mid-year outlook for cyberattacks, phishing and breaches continues to look grim. Recent reports litter the headlines, such as the ransomware attack impacting 85,000 patients in California, or the misconfigured FTP server exposing data of 205,000 patients. This disturbing trend plaguing the healthcare industry remains a top-of-mind concern for hospital and health system executives. In fact, 67 percent of CISOs believe a cybersecurity attack will happen to their organization in 2018, according to a recent report conducted by the Ponemon Institute and sponsored by Opus.
The threat is real and healthcare leaders know it. But they’re not hiding their heads in the sand; hospitals are putting the technology, resources, and plans in place to meet today’s growing number of threats by establishing business continuity plans and defining policies for IT disaster recovery.
In a Spok survey of CHIME CIOs conducted in early 2018, healthcare leaders were asked how confident they are that their organization could recover from a disaster scenario. The results show seven in 10 CIOs are only “somewhat” or “not very” confident their hospital could recover from a disaster (5 percent have no confidence at all). It appears business continuity plans might be keeping healthcare leaders up at night.
The survey asked difficult (but necessary) business continuity and disaster recovery questions. Let’s examine how healthcare CIOs responded:
• When asked how often their organizations test business continuity plans, 56 percent of CIOs said annually, 10 percent said quarterly, and 10 percent said on an ongoing basis. Alarmingly, 10 percent were not sure how often their organization tested its plan, and 14 percent said they never test.
• Inability to treat patients (73 percent), damage to their hospital’s reputation and credibility (61 percent), and loss of revenue (58 percent) were the top business continuity concerns cited by CIOs.
• Most CIOs said the data center (95 percent) and EHR (88 percent) have recovery systems in place.
• When asked what environments are not covered in their business continuity plan, 59 percent indicated the power plant and 40 percent said connectivity to the public internet.
• More CIOs said they’re cutting costs (61 percent) rather than increasing disaster recovery investments (39 percent).
• Slightly more than half (56 percent) of CIOs said they’re using vendor expertise and services to assist in business continuity planning; only 5 percent indicated they would not use vendor support.
• Only 30 percent are using cloud-based business continuity services.
What’s the best advice to offer healthcare leaders? Use your position as a healthcare IT leader to ensure the organization is prepared. These days, HIT executives can’t afford not to invest in business continuity. Here are a few tips for taking a more proactive approach to business continuity planning and disaster avoidance.
• Although the CIO is normally the champion and leader of business continuity planning, it is imperative that cross-functional leadership participate in the process, as every area of a business or healthcare organization could be affected.
• Organizations should test their business continuity plan periodically, as needed, to ensure the plan is complete and effective and to give staff hands-on practice executing it.
• As noted above, one of the top business continuity concerns for CIOs is the inability to treat patients. Hospitals rely on the EHR because it is linked to many hospital functions, including admitting, billing, pharmacy, radiology and laboratory systems. Patient safety and quality of care are increasingly dependent on the EHR and other integrated technology, so the business continuity plan should outline a recovery time objective that can restore operations without seriously affecting the organization’s ability to provide patient care.
• Quantifying the cost of downtime is a good strategy to defend budgeting for business continuity and disaster recovery investments, especially for resources that you’ve prioritized for mission-critical applications.
• A vendor’s business continuity planning is an important element of a provider organization’s continuity. Talk to your vendors, ask questions, and know the details of their plan. And make sure business continuity is not lumped together with redundancy—you don’t want IT concerns (redundancy) to be the only part of your vendor’s plan.
• Development, planning, and testing of a business continuity plan can be a significant undertaking, but savvy IT leaders know that breaking it down into manageable tasks and engaging a cross-functional team leads to success. Cybersecurity attacks, natural disasters, and complex system failures are increasing in frequency, so plan and respond efficiently.
Tom Saine is CIO and CISO at Spok, Inc., a role he’s held since 2008. Saine provides executive leadership for the company’s Information Technology and Wireless Messaging Network teams. He is a Certified Information Systems Security Professional (CISSP) and holds a Bachelor of Science in Management from California Coast University and a Master of Science in Engineering Management from Columbus University.