Disaster Recovery Plans for Healthcare

May 6, 2014 | Bonnie Bigler, Client Relations Med USA
One factor that has highlighted the importance of disaster recovery is the growing use of electronic health records (EHRs) and the concomitant growth of networking and interconnection. If a facility loses access to its computers, it loses access to EHRs, treatment plans and other vital information that directly affects patient care. Healthcare organizations must therefore maintain a high degree of system and network availability.
The first step in disaster recovery planning (DRP) is to conduct a business impact analysis (BIA). A BIA is an essential component of an organization’s business continuance plan; it includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk. The result of the analysis is a business impact analysis report, which describes the potential risks specific to the organization studied.
As part of a disaster recovery plan, BIA is likely to identify costs linked to failures, such as loss of cash flow, replacement of equipment, impacts to patients, care delivery, salaries paid to catch up with a backlog of work, and more.
The next step is to develop a plan to address the vulnerabilities. A HIPAA covered entity must have a contingency plan in place. Section 164.308 requires data backup, DRP, and emergency‐mode operations planning. Organizations must be able to maintain continued access to electronic protected health information (ePHI).
A HIPAA‐compliant disaster recovery plan must state how operations will be conducted in an emergency and which workforce members are responsible for carrying out those operations. The plan must also explain how data will be moved without violating HIPAA standards for privacy and security.
It is expected that your Data Backup Plan will be a living document. In other words, as your backup requirements and methodologies evolve over time, the Data Backup Plan must be kept up to date so that it always matches the backup procedure that is being used.
The next step is the Emergency Mode Operation Plan, which deals with your organization’s ability to cope with large-scale disasters. It should document the location of the alternate data center and the computing and storage resources that are available for hosting critical workloads.
According to Brien M. Posey at SearchHealthIT.com, “it is important for Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operation Plan to complement one another and to collectively form a comprehensive disaster recovery strategy. Just as importantly, the three plans must accurately reflect the procedures that the organization actually uses.”