Disaster recovery planning is critical in healthcare

August 9, 2017

A catastrophe in healthcare IT can be a life or death matter. Here's how to make sure you're fully ready.

Disaster recovery planning is critical to protecting a healthcare organization. In healthcare, risk is managed differently because it's not just revenue that's at stake. It's potentially saving patient lives as well. In spite of a high-risk profile throughout healthcare, DR is often the last line item for healthcare IT budgets.

According to a study by the Ponemon Institute, unplanned downtime at healthcare organizations can cost an average of $7,900 a minute per incident. The study was conducted in 2013, so we can only suspect that the number has increased over the last several years. Needless to say, in an ecosystem centered on the lives of patients, downtime without a DR plan can cause life-threatening problems for a hospital, hospice center or doctor's office.

“If infrastructure goes down, you paralyze an institution. So you need it to be redundant from a power and data standpoint. I always worry about that.”

— VP of IT at New Jersey hospital system

Imagine a spiral of operational impacts: If an EHR system goes offline, it will slow everything and everyone down. Caregivers can't easily look up patient information, causing frustration for patients and employees. Calculating dosages and looking up drug interactions are suddenly unavailable, which puts far greater pressure on everyone in an environment that has come to rely so heavily on technology.

The high cost of not planning
Because the healthcare landscape is always changing, there is a constantly growing amount of information to protect. That's been a major driver for due diligence around strong DR practices. Some of the major factors include:

  • Increased reliance on electronic data
    • Medical imaging/EHRs producing unprecedented amounts of data
    • Real-time access required across disparate sites of care, complicating storage, recovery, and security
  • Migration to paperless environments
  • Clinicians demand mobile, always-available patient system access

Without a robust DR plan in place, a healthcare organization experiencing downtime risks considerable financial costs, irreparable damage to organizational reputation and the exposure sensitive patient data.

The HIPAA factor
HIPAA mandates that all healthcare organizations not only have a DR plan but complete a risk assessment to identify which events are most likely to disrupt confidentiality or availability. Enforcement of HIPAA security requirements is increasing as well. Section 164.308 requires data backup, DR and emergency-mode operations planning, yet so many healthcare organizations only have basic DR protocols. HITECH is also increasing penalties, oversight and mandatory breach notifications and extending obligations to business associates.

HIPAA Requirements:

  • HIPAA covered entities must have a contingency plan in place to ensure continued access to ePHI
  • DR requirements include DR, ePHI, data backup and emergency mode operation plans
  • Organizations must explain how sensitive healthcare data is moved without violating HIPAA privacy and security requirements

But simple compliance does not equal a healthy DR practice. Taking full measures to develop a DR plan that will effectively address risks and ensure recovery in the event of a disaster requires protective measures beyond solely meeting HIPAA mandates.

Testing, testing…
Equally important to an effective DR plan is testing. Regular testing can identify vulnerabilities and ensure ongoing efficacy. Contrary to prescribed best practices, Flexential's 2nd National IT Trends in Healthcare study determined that most healthcare organizations execute DR testing less than once annually:

  • 56% of study participants reported that they test their DR plan once per year or less
  • 25% reported quarterly DR testing

Without regular testing, there is no way to know for sure that your DR plan will work in the event of catastrophe. If it doesn't work properly, when a catastrophic event happens, the organization is in the same position as if they had no DR plan at all. Frequent testing allows healthcare organizations to identify what doesn't work and how to change it. The more time that passes between DR tests, the greater the risks.

A strong DR plan can enable compliance
New technologies have enhanced care delivery and the overall patient experience, streamlined operations and more, but they also open the door to the potential for more cyberattacks and lost or stolen data. Healthcare organizations should insist that their SLAs with a technology provider specify agreed upon security objectives and outline processes for ensuring compliance. It's not a cure-all, but it can help facilitate more effective data loss prevention.

Confer with experts on HIPAA compliance, including legal and technical counsel. Make sure that your technical team and your cloud service provider create a DR solution that meets your objectives and will provide longevity.

If your healthcare organization hasn't visited your DR plan lately, now is the time. To review or improve your DR plan, contact us at to speak with one of our experts today.