A Strong DR Plan Can Save Healthcare Organizations from Major Headaches
The Importance of Disaster Recovery
IT disruptions are inevitable, and they can stem from a number of sources. Whether human error, a weather event, or technology failure causes disruption, there’s no way to prevent it entirely. However, technology failures don’t have to come with data loss and downtime, which is why disaster recovery (DR) planning is so critical for all organizations—those in healthcare, in particular.
According to a study by the Ponemon Institute, unplanned downtime at a healthcare organization costs an average of $7,900 per minute per incident. The study was conducted in 2013, and it is reasonable to assume the figure has only grown since. In an ecosystem centered on the lives of patients, downtime without a DR plan can completely debilitate a hospital, hospice center, or doctor's office.
“If infrastructure goes down, you paralyze an institution. So you need it to be redundant from a power and data standpoint. I always worry about that.”
– VP of IT at NJ hospital system
A Healthcare-specific Risk Profile: Sensitive Data, Patient Lives, and HIPAA Compliance
DR planning is critical to protecting the entirety of a healthcare organization in the event of an unplanned catastrophe. In healthcare, risk has to be managed differently because it's not just revenue that's at stake: it's HIPAA compliance, the protection of ePHI, and potentially patient lives. Despite this high risk profile, DR is often the last line item in healthcare IT budgets. Financial constraints make it notably difficult for hospitals to invest in redundant data center facilities, because that investment shows little direct return and no visible impact on patient care until the day it is needed.
Consider one example of the operational impact: if an EHR system goes offline, it effectively slows everything and everyone down. Caregivers can't easily look up patient information, frustrating patients and employees alike. The downtime also raises major safety concerns, since the tools for calculating dosages and checking drug interactions are suddenly unavailable, which puts far greater pressure on everyone in the hospital not to make mistakes in an environment where technology is almost always there to help.
There is far more information to protect than ever before because the healthcare landscape is changing, and that is a major driver for due diligence around strong DR practices:
Increased reliance on electronic data
Medical imaging/EHRs producing unprecedented amounts of data
Real-time access required across disparate sites of care, creating complications in storage, recovery, and security
Migration to paperless environments
Clinicians demand mobile, always-available patient system access
Without a robust DR plan in place, the consequences of downtime for a healthcare organization include considerable financial cost, lasting damage to the organization's reputation, and the potential exposure of sensitive patient data.
Potential Consequences of Loss of Data
Can impact patient outcomes and have life-or-death consequences
Cause a loss of revenue from inability to treat patients
Erode patient trust, resulting in patients taking their care elsewhere
Potential Costs of Loss of Data
Penalties for violated government and industry regulations
Costs for recovering and repairing lost data
Legal costs of meeting internal and external compliance requirements
HIPAA mandates that covered entities and their business associates have a DR plan and complete a risk assessment to identify which events are most likely to disrupt the confidentiality, integrity, or availability of ePHI. Enforcement of the HIPAA Security Rule is increasing as well: the contingency plan standard in Section 164.308 requires data backup, DR, and emergency-mode operations planning (and calls for testing and revision procedures), yet many healthcare organizations have only basic DR protocols. HITECH has also increased penalties, oversight, and mandatory breach notifications, and extended these obligations to business associates.
HIPAA covered entities must have a contingency plan in place to ensure continued access to ePHI in the event of a system failure.
Contingency plan requirements include a data backup plan, a disaster recovery plan, and an emergency mode operation plan covering ePHI.
Organizations must document how ePHI will be moved to and restored from backup or recovery locations without violating HIPAA privacy and security requirements.
Further, while compliance is not negotiable, it is also not equal to a healthy DR practice; taking full measures to develop a DR plan that will effectively address risks and ensure recovery in the event of a disaster will require protective measures beyond solely meeting HIPAA mandates.
Yes, Testing is Part of Disaster Recovery.
Equally important to an effective DR plan is testing. Your plan is only as strong as its weakest link, so regular testing is critical to identify weaknesses and confirm the plan still works as the environment changes. Contrary to prescribed best practices, Peak 10's 2nd National IT Trends in Healthcare study found that most healthcare organizations test their DR plan no more than once a year:
56% of study participants reported that they test their DR plan once per year or less.
25% reported quarterly DR testing.
Without regular testing, there is no way to know for sure that your DR plan will work in a catastrophe, and if it doesn't, the organization is in the same position as if it had no DR plan at all. Here's the kicker: according to a report by the Disaster Recovery Preparedness Council, more than 65% of organizations that do test their DR plan fail their own test. That is exactly why frequent testing matters: it lets healthcare organizations find out what won't work and fix it before it counts. And since so many organizations fail their own DR tests, many of those that aren't testing at all will simply not recover IT operations adequately when disaster does strike, which in a hospital setting is a risk not worth taking. The more time that passes between DR tests, the greater the risk.
How a Strong DR Plan Can Enable Compliance and Prevent Irrevocable Consequences
The healthcare industry is ripe with opportunity for new technologies that enhance care delivery and the overall patient experience, streamline operations, and more. However, these opportunities also open the door to more cyberattacks and lost or stolen data. It is past time for healthcare IT professionals to review their privacy and security policies and procedures. Healthcare organizations should also insist that their service level agreements (SLAs) with technology providers specify agreed-upon security objectives and outline processes for verifying compliance. It's not a cure-all, but it does reduce the risk of data loss.
Achieving ongoing HIPAA/HITECH compliance and a strong disaster recovery plan can be a complex undertaking. All organizations differ in size, budget and practice, so it’s advisable to seek legal and technical counsel and confer with experts on HIPAA compliance. Make certain that your technical team and your cloud service provider architect a DR solution that meets your objectives and will provide longevity.
If your healthcare organization hasn’t visited your DR plan lately, now is the time. If your IT team is looking to review or improve your DR plan, contact us at www.peak10.com/contact-us or (866) 473-2510 to speak with one of our experts today.
Did you catch the 2016 Peak 10 Healthcare IT Study? Check out the Peak 10 Industry Spotlight: Healthcare IT website to learn more about IT trends, pressures, and plans among industry peers, including the significance of disaster recovery.