“It's a cascading effect, and that is a large hit to the bottom line for hospitals running on razor-thin margins,” he says.
Even if healthcare organizations have not migrated their operations fully to the cloud, business continuity and disaster recovery (BCDR) is one area where the cloud can help.
For example, the Microsoft Azure cloud platform allowed Mount Sinai Health System to be better prepared for outage recovery through cloud-based geographic diversity and failover features. Meanwhile, Cook Children’s Health Care System in Fort Worth, Texas, migrated its electronic health records (EHRs) to the public cloud to gain more resiliency and be prepared for disasters or cyberattacks.
EXPLORE: Follow these best practices to improve cyber resilience in healthcare.
What Is BCDR?
“Business continuity and disaster recovery refers broadly to the process and steps organizations take to return to normal business operations in the event of a disaster or disruption. It is a key part of crisis management,” Nagaratnam says.
Business continuity plans are much broader and more proactive than disaster recovery plans, he adds. Disaster recovery plans are reactive and allow health systems to resume normal activity with systems intact after an outage.
In addition to downtime, failure to craft a strong BCDR plan can lead to data loss, financial penalties and reputational damage, Nagaratnam says.
While business continuity is the process of maintaining operations during a disaster, disaster recovery is the technical process of restoring connectivity after an outage, explains Al Berman, president of the DRI Foundation, a charitable arm of the Disaster Recovery Institute (DRI) International.
“The world does survive without technology for periods of time,” Berman adds. “We’ve seen that in hospitals, where hospitals continue to function despite the fact that they’re under ransomware.”
DISCOVER: How can healthcare organizations grow with a smarter backup strategy?
How to Craft a BCDR Plan for Healthcare
Health systems should come up with a BCDR plan for what to do at 12 hours, 48 hours and one week post-attack, Johnson advises. He adds that health systems need a plan that documents how to operate without their usual systems in addition to how to get back to a normal state. They can take lessons from aviation: Pilots are good at checklists, and they can deal with both a blown fuse and a loss of engines. Healthcare teams need a similar checklist in the event of a disaster, he says.
In addition, health systems should keep checklists for every department, workflow and critical area — including IT — to maintain processes, Johnson says.
Rajesh Sheth, vice president of AWS Elastic Block Store and backup at Amazon Web Services, advises that healthcare organizations incorporate a recovery time objectives and recovery point objectives in its BCDR plan. An RTO defines the maximum delay acceptable between service interruption and restoration, while an RPO describes how much data loss is acceptable between a service outage and the most recent recovery point. Healthcare organizations must decide on acceptable RTO and RPO thresholds for the organization.
Health systems should also analyze what it would cost to back up to a BCDR cloud, Berman advises, compared with a process like air gapping, which involves isolating a device from outside networks.