Establishing a Disaster Plan For Health IT

Healthcare data is a prized target for attackers, and lost data can have disastrous consequences for the organization, for patient health, and for public health and safety.

So healthcare organizations must have secure data, but what happens if a disaster strikes? Is the organization ready? Do you have your data backed up in the cloud? 

You can determine how prepared you are for a disaster in your healthcare organization by reading about creating healthcare IT disaster plans below. 

Create an IT System Inventory

You can’t cover every company asset unless you’re sure what they are and their effects on the healthcare organization. Start by writing a list of application systems, such as PACS and EHR, so that you have an authoritative list of company operations. Remember to include shared files, executive dashboards, patient portals, Intranet, and departmental file storage. 

Your goals are two-fold: 

  • To have a complete understanding of the IT systems your healthcare organization uses; and
  • To produce a list that serves as the bedrock of your disaster recovery plan. 

Perform a Business Impact Analysis

With your completed system inventory, do a business impact analysis on every system and application. You’ll need to collect information about every system, including hardware and software, vendor contracts, outbound and inbound interfaces, and how important each is to the company. 

The goal of collecting this data is to assist you in making a value assessment for all systems. The decisions you make about your data recovery strategy need to be based on this analysis. 

Establish RPOs and RTOs

Your Recovery Point Objectives define how much data loss, measured in time, is acceptable for each system, which tells you how far back a restore from backup may go. Your business impact analysis should record an acceptable recovery point for every company system. 

Recovery Time Objectives dictate how quickly each system must be operating again. It’s vital to determine your RTOs before a disaster occurs, because once it does, patient care and safety are already at risk. 

Your recovery objectives should strike a careful balance between your company’s expectations and its budget.
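As an added illustration (not part of the original article), here is a small Python check that reads a constructed system inventory carrying the RPO/RTO values from the business impact analysis, flags systems whose last good backup is older than their RPO or whose most recent test restore took longer than their RTO, and orders restores by RTO. The system names, hour values and timestamps are assumptions chosen for the example.

```python
from datetime import datetime

# Constructed sample inventory (illustrative values, not from any real organization).
# rpo_hours / rto_hours come from the business impact analysis; last_backup is the
# timestamp of the last verified-good backup; last_test_restore_hours is how long the
# most recent recovery test of that system actually took.
INVENTORY = {
    "EHR": {"rpo_hours": 1, "rto_hours": 4,
            "last_backup": "2024-03-01T11:30:00", "last_test_restore_hours": 6.0},
    "PACS": {"rpo_hours": 4, "rto_hours": 8,
             "last_backup": "2024-03-01T06:00:00", "last_test_restore_hours": 5.0},
    "Patient portal": {"rpo_hours": 24, "rto_hours": 24,
                       "last_backup": "2024-02-29T02:00:00", "last_test_restore_hours": 12.0},
}


def rpo_violations(inventory, now):
    """Systems whose last good backup is older than their RPO, with hours of excess.

    `now` may be a datetime or an ISO-8601 string.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    violations = {}
    for name, system in inventory.items():
        backup_time = datetime.fromisoformat(system["last_backup"])
        age_hours = (now - backup_time).total_seconds() / 3600
        excess = age_hours - system["rpo_hours"]
        if excess > 0:
            violations[name] = round(excess, 2)
    return violations


def rto_violations(inventory):
    """Systems whose measured test restore took longer than their RTO, with hours of excess."""
    return {name: system["last_test_restore_hours"] - system["rto_hours"]
            for name, system in inventory.items()
            if system["last_test_restore_hours"] > system["rto_hours"]}


def restore_order(inventory):
    """Recovery priority: tightest RTO first, so clinically critical systems come back first."""
    return sorted(inventory, key=lambda name: inventory[name]["rto_hours"])


if __name__ == "__main__":
    check_time = "2024-03-01T12:00:00"  # constructed "current time" for the check
    print("RPO violations:", rpo_violations(INVENTORY, check_time))
    print("RTO violations:", rto_violations(INVENTORY))
    print("Restore order:", restore_order(INVENTORY))
```

Running the check on a schedule (after each backup job and after each recovery test) turns the RPO/RTO numbers from the BIA into something that is continuously verified rather than agreed once and forgotten.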

Make a Contingency Plan

HIPAA requires covered entities to have a contingency plan for emergencies such as a cyber attack or natural disaster. Review the HIPAA regulations to make sure your plan is fully compliant. The Department of Health and Human Services offers an audit program to help you. Take advantage of these services and be proactive. 

The disaster recovery plan must designate a site for data center relocation. Talk to other businesses in your area about their plans; this can prevent several organizations from converging on the same building during a disaster. 

Have a second and third site available so you have somewhere to go during the crisis. Each site may have limitations and may require additional supplies or equipment. 

Detail the DR Plan

As you develop the disaster recovery plan, it’s vital that it is documented, accessible, and unambiguous. Ensure that the components each stakeholder considers critical are defined and understood both inside and outside the IT department. Depending on the nature of the disaster, your company might need to lean on workers outside the department. 

Test the Plan Against Your Company’s Goals

The last step is to test your disaster recovery plan. Test it against your company’s goals and ongoing threats. Test it against phishing attacks, ransomware, and natural disasters. If you find problems, revise and retest. 

Remember that your patients’ safety and care are the priority during a disaster. The vital point is to get your disaster recovery plan started now and be proactive about tests, improvement, and updates over time.