The importance of disaster recovery
IT disruptions are inevitable, and they can stem from a number of sources. Whether human error, a weather event or technology failure causes disruption, there’s no way to prevent it entirely. However, technology failures don’t have to come with data loss and downtime, which is why disaster recovery (DR) planning is so critical for all organizations—those in healthcare, in particular.
According to a study by the Ponemon Institute, unplanned downtime at a healthcare organization can cost an average of $7,900 a minute per incident. Though the study was conducted in 2013, we can only suspect that the number increased over the last several years. Needless to say, in an ecosystem centered on the lives of patients, downtime without a DR plan can completely debilitate a hospital, hospice center or doctor’s office.
“If infrastructure goes down, you paralyze an institution. So you need it to be redundant from a power and data standpoint. I always worry about that.”
– VP of IT at New Jersey hospital system
A healthcare-specific risk profile: Sensitive data, patient lives and HIPAA compliance
DR planning is critical to protecting the entirety of a healthcare organization in the event of an unplanned catastrophe. In healthcare, risk is managed differently because it’s not just revenue that’s at stake. It’s ensuring HIPAA compliance, protecting ePHI and potentially patient lives. In spite of a high risk profile throughout healthcare, DR is often the last line item for healthcare IT budgets. Financial constraints make it notably difficult for hospitals to invest in redundant data center facilities due to low return on investment or positive impact to patient care.
Imagine an example of possible operational impacts: if an EHR system goes offline, it will effectively slow everything and everyone down. Caregivers can’t easily look up patient information, causing frustration for patients and employees. The downtime would also cause major safety concerns, since calculating dosages and looking up drug interactions are suddenly unavailable, which puts far greater pressure on everyone in the hospital to not make mistakes in an environment where technology is almost always there to help.
There is an exponentially greater amount of information to protect because the healthcare landscape is changing, and that’s a major driver for due diligence around strong DR practices:
- Increased reliance on electronic data Including medical imaging/EHRs producing unprecedented amounts of data and the real-time access requirements across disparate sites of care, creating complications in storage, recovery, and security.
- Migration to paperless environments
- Clinicians demand mobile, always-available patient system access
Without a robust DR plan in place, consequences to a healthcare organization experiencing downtime range from considerable financial costs, irreparable damage to organizational reputation and the potential to expose sensitive patient data.
Potential Consequences of Data Loss
- Impact patient outcomes and have life-or-death consequences
- Cause a loss of revenue from inability to treat patients
- Diminish credibility in patient trust, resulting in churn
Potential Consequences of Data Loss
- Penalties for violated government and industry regulations
- Costs for recovering and repairing lost data
- Legal costs of meeting internal and external compliance requirements
- Lost business
- Litigation costs
HIPAA mandates that all healthcare organizations have a DR plan and complete a risk assessment to identify which events are most likely to disrupt confidentiality or availability. Enforcement of HIPAA security requirements is increasing, as well. Section 164.308 requires data backup, DR and emergency-mode operations planning, yet so many healthcare organizations only have basic DR protocols. HITECH is also increasing penalties, oversight and mandatory breach notifications and extending obligations to business associates.
- HIPAA covered entities must have a contingency plan in place to ensure continued access to ePHI in the event of a system failure
- DR requirements include DR, ePHI, data backup, and emergency mode operation plans
- Organizations must explain how sensitive healthcare data is moved without violating HIPAA privacy and security requirements
Further, while compliance is not negotiable, it is also not equal to a healthy DR practice. Taking full measures to develop a DR plan that will effectively address risks and ensure recovery in the event of a disaster requires protective measures beyond solely meeting HIPAA mandates.
Yes, testing is part of disaster recovery
Equally important to an effective DR plan is testing—your plan is only as strong as its weakest link, thus regular testing is critical in order to identify vulnerabilities and ensure ongoing efficacy. Converse to prescribed best practices, Flexential’s 2nd National IT Trends in Healthcare study actually determined that most healthcare organizations execute DR testing less than once annually:
- 56% of study participants reported that they test their DR plan once per year or less
- 25% reported quarterly DR testing
Without regular testing, there is no way to know for sure that your DR plan will work in the event of catastrophe, and if it doesn’t, and a catastrophic event happens, the organization is in the same position as if they had no DR plan at all. Frequent testing allows healthcare organizations to identify what won’t work and how they should change it. Those who aren’t testing at all simply won’t recover IT operations sufficiently if disaster does come to pass, which in a hospital setting, is a risk not worth taking. The more time that passes between DR tests, the greater the risks.
How a strong DR plan can enable compliance and prevent irrevocable consequences
The healthcare industry is ripe with opportunity for the introduction of new technologies to enhance care delivery and the overall patient experience, streamline operations and more. However, these opportunities also open the door to the potential for more cyberattacks and lost or stolen data. It is past time for IT healthcare professionals to review privacy and security policies and procedures.
Healthcare organizations should also insist that their service level agreements (SLAs) with a technology provider specify agreed upon security objectives and outline processes for ensuring compliance. It’s not a cure-all, but it can help facilitate more effective data loss prevention.
Achieving ongoing HIPAA/HITECH compliance and a strong DR plan is a complex undertaking. All organizations differ in size, budget and practice, so it’s advisable to seek legal and technical counsel and confer with experts on HIPAA compliance. Make certain that your technical team and your cloud service provider architect a DR solution that meets your objectives and will provide longevity.
If your healthcare organization hasn’t visited your DR plan lately, now is the time. If your IT team is looking to review or improve your DR plan, contact us at www.flexential.com or (866) 473-2510 to speak with one of our experts today.