Aug 11 2025
Security

The Importance of BCDR in Healthcare’s Digital Transformation

Business continuity and disaster recovery plans enable organizations to modernize while mitigating risks.

Today’s health systems cannot wait for a disaster to strike before determining how to respond. They need to have in place a business continuity and disaster recovery plan that lays out both how the business will keep operating amid an incident and how it will recover any disrupted systems.

With intensifying threats such as natural disasters, power outages and cyberattacks, the need for BCDR plans has grown even more urgent. As a risk mitigation strategy, a BCDR plan “ensures that mission-critical services can withstand and recover from disruptions,” says John Doyle, global CTO for healthcare and life sciences at Microsoft.

For organizations undergoing digital transformation, BCDR plans must be baked into the modernization strategy from the start, Doyle says. “BCDR plans shouldn’t be an afterthought. They should be foundational to a digital transformation strategy.”

Digital transformation does not fundamentally change BCDR but does add to it, says Dan Henke, vice president of information security for Missouri-based healthcare system Mercy. “You need to make sure that business continuity and disaster recovery are part of the digital transformation process,” he says. “The big challenge is keeping your BCDR plan up to date as you introduce new technology.”

To stay current, BCDR plans should not be treated as one-and-done projects; they need to evolve and adapt. “Static BCDR plans are not sufficient. Organizations need to continue to iterate their BCDR plans,” Doyle says. 

Organizations also must identify the responsibilities and procedures for incidents affecting different environments, whether on-premises, cloud or hybrid. While organizations have responsibility for their on-premises systems, cloud providers can offer greater resiliency. For example, Pennsylvania-based Jefferson Health migrated its on-premises electronic health records to Microsoft Azure, in part to mitigate risk, citing the cloud solution’s BCDR advantages. 

Creating Robust BCDR Plans for Healthcare

Healthcare organizations must proactively create their BCDR plans before a disaster hits. That starts with a business impact analysis that identifies the most critical business functions and their potential vulnerabilities, as well as the impacts of downtime.

A business continuity plan should specify which procedures would enable the business to continue to function during downtime — even at reduced capacity — until systems are brought back up. This might involve temporarily switching to manual processes or alternative systems.

It’s not technologically or financially feasible to bring all systems back up at once. That’s why, as part of its disaster recovery plan, an organization should determine which systems are most critical and have to be recovered first. “It’s superimportant to understand the prioritization of systems during the recovery,” Doyle says.

As part of the disaster recovery plan, a business must determine both its recovery point objective (how much data loss it can tolerate) and its recovery time objective (how long it can wait before fully restoring operations).

In addition, organizations must ensure any disrupted systems were not compromised during downtime. That’s vital when an organization uses its own data to train artificial intelligence tools. An incident could lead to data poisoning, compromising the data used to train AI models. “As organizations adopt more modern technologies like AI, BCDR ensures those innovations are resilient, secure and always available,” Doyle says.

With any BCDR plan, training and testing are not optional. Staff should be trained on what to do in the event of a disruption, including whether they use paper or an alternative system during downtime.

And as more organizations add new systems and tools, testing and modernization should go hand in hand. “Rigorous testing should be done during the development of a solution, not after the solution is developed,” Doyle says.

“We’re at an inflection point,” he adds. “More and more organizations are using modern technology. As they adopt these solutions and services, they need BCDR as part of that process.”

BCDR’s Life-Critical Role in Healthcare

In healthcare, the No. 1 priority, always, is the patient. As a result, healthcare’s BCDR plans have to identify the essential systems that healthcare providers need to serve patients: systems that affect patient safety and health information, care continuity and quality, and regulatory compliance.

Any systems directly affecting the patient, such as the EHR and on-premises medical devices, take precedence in the BCDR hierarchy. “We always look at our EHR as the most critical system,” Henke says.

As in other industries, healthcare’s BCDR plans must address the entire business continuity process. If a disaster strikes, do healthcare providers collect information on paper? If so, is there a process to digitize those paper records once systems are back up?

For healthcare systems, the risk of inadequate BCDR plans is clear, Henke says: “If you don’t protect your critical systems at the time of a business interruption, you can have not only a business revenue impact but also possibly a patient safety impact.”
