Security

Key Elements of Business Continuity and Disaster Recovery for Healthcare

Having a plan and following it are critical steps in reducing downtime and the impact on patients.

Nelson Carreira is an Executive Healthcare Strategist for CDW.

Eli Tarlow is a Healthcare Strategist at CDW.

When a healthcare organization’s mission-critical systems go down, it can leave patients at risk and potentially harm the hospital’s reputation within the community. That’s why it’s critical for the organization’s leadership teams to have a well-defined response and recovery plan in place so that the organization can resume operations quickly and with minimal disruption to patients and clinicians.

To recover quickly, healthcare systems must have a robust and continuously tested business continuity and disaster recovery plan in place. Not only that, but leadership teams must also ensure that their BCDR plans are executed effectively when downtime occurs.

To minimize downtime and maximize the success of recovery efforts, healthcare IT teams need to understand three key elements: putting into place key elements to prevent downtime in the first place, the immediate steps to take when an outage occurs, and the tools and resources available to assist health systems in their BCDR efforts.

Click the banner below to read the recent CDW Cybersecurity Research Report.

x_security_q325_animated_click_desktop_03

x_security_q325_animated_click_mobile_03

How Can Healthcare Organizations Prevent Downtime?

Ransomware, over-reliance on third parties such as cloud providers, and human error or misconfiguration are among the leading causes of downtime in healthcare.

While natural disasters can also cause downtime, their impact has diminished over time, largely due to the growth of cloud migration, which makes dependencies and failures of local data centers and a complete outage less likely. Cloud providers have multiple data centers in different locations, so if one is affected, others are still functional. Having redundancy built into an organization’s infrastructure can help prevent downtime. However, hospitals that remain largely reliant on on-premises data centers are more vulnerable to downtime caused by a natural disaster.

Organizations with on-premises data centers should ensure their data centers are located in physical spaces with minimal risk from environmental hazards.

It’s also important that healthcare organizations invest in the right technologies and strategies to prevent or reduce downtime, such as building a redundant and resilient infrastructure with backups of critical workflows.

The most significant step a health system can take to prevent or reduce downtime is to implement a robust, cyber-specific recovery program instead of relying on a traditional disaster recovery plan. For example, if a ransomware attack occurs and all of the organization’s Active Directory domain controls are encrypted, it can affect downstream systems. How can an organization recover from that? Not having a robust and cyber-specific plan in place is what can lead to 30-day outages.

DISCOVER: Here are eight ways to remain vigilant and ensure business continuity with disaster recovery.

What Should Health Systems Do When They Experience Downtime?

The biggest mistake a healthcare organization can do in response to an attack is to not follow their documented and tested procedures. While emotions may be high following an attack, it’s important that the leadership teams turn to their documented incident response plan rather than react out of panic. Another common mistake is belaboring the decision to begin downtime procedures in the hope that their systems will be restored quickly.

How Can Health Systems Ensure Business and Clinical Continuity?

Technology planning isn’t the only factor important to business continuity. Clinical care resilience also needs to be prioritized in healthcare. Organizations need to ensure that resiliency is built into its utility infrastructure systems to protect patients amid an outage. The organization should have enough materials on-premises and within the hospital to provide continuity of patient care. This includes masks, pen and paper, and prescription pads.

Not only do health systems need to have a technology, business and clinical continuity plan in place, they need to run simulations on these plans and update their documents based on what they learn. Organizations can simulate an outage within a single department to see how effective they are.

EXPLORE: Build healthcare IT infrastructure to meet the needs of organizations.

How Can a Partner Help Healthcare Organizations With Their BCDR?

An experienced technology partner such as CDW can help healthcare organizations improve their approach to BCDR. The first thing healthcare organizations should keep in mind is that business continuity and disaster recovery are separate but related concepts; they’re not interchangeable.

CDW can help health systems achieve business continuity in four phases:

Assess their current state. We look at their current business continuity plan to identify gaps and help organizations meet their business and care goals.
Provide recommendations. We can give healthcare organizations recommendations on how they can sustain their business and provide care amid unexpected downtime.
Remediate identified gaps. CDW experts can help healthcare organizations identify areas within their business continuity plan that need improvement, extending downtime-safe periods to weeks or even months.
Test their business continuity plan. We can test their business continuity plan regularly and provide continuous improvement. CDW can be a healthcare organization’s long-term partner to ensure they don’t fall behind on their ability to withstand extended downtime.

CDW can conduct a similar process for a health system’s disaster recovery plan. We would come in and assess the organization’s DR maturity and determine whether it is able to withstand a full cyberattack or not. We identify gaps and apply best practices related to people, processes and technology to help the organization accomplish its recovery time objectives.

CDW not only has the right services available to accomplish their goals, but we also have the full technology stack and good partnerships to apply BCDR best practices to just about any organization in the landscape.

Click the banner below to sign up for HealthTech’s weekly newsletter.

Improve BCDR with CDW’s Rebound Framework, Semperis’s Ready1

Rebound is a cyber recovery framework created by CDW that maps organizations’ cyber recovery goals to CDW’s offerings. We can help healthcare organizations understand what a good cyber recovery plan looks like and then help them design the plan and implement it into their operations. We also test the plan to ensure it works.

Before designing the plan, it’s important for organizations to undergo a business impact analysis and application dependency mapping. This helps the IT team understand the organization’s assets and what they connect to, creating visibility that allows the team to build out proper support.

In the assessment phase, we also help the organization categorize its applications in four tiers. Tier 0 is the most critical — that’s where you’ll find Active Directory, DNS, DHCP, networking and all the other systems that make everything else in the environment work. Tier 1 includes critical applications such as the electronic health record.

Once the organization understands its priority list, it can then build a proper architecture to support it. Health systems should have three landing zones: one to do vaulted backups so they’re immutable and ready when the organization needs them, a clean room to conduct simulation testing and data validation, and a recovery room in which to stand up operations when everything is down. The recovery room allows users to connect to the organization’s critical applications during downtime to maintain business continuity.

Rebound works in conjunction with Ready1, an enterprise resilience platform from Semperis, to bind an organization’s crisis management and incident response efforts together. In the event of a network outage, for example, Ready1 has the capabilities to create an event and link all the people needed to support the event in one location. Scribing capabilities are built in to keep track of which tasks are being handled as well as a running log of what’s been discussed. Ready1 also includes a back-channel communication system so that the crisis management and incident response teams can still connect if they have no access to their typical communication channels.

The platform can be used by everyone from executive level down to IT. It can also be used for events ranging from major cyberattacks to day-to-day outages, fires or even physical altercations. Those are all incidents that need to be managed and documented.

That digital documentation makes it possible to communicate what’s happening and what’s been done with doctors or FEMA officials. The hospital can just export the event and inform anyone of what’s occurred without having everybody come together to share notes. Ready1 minimizes the chaos significantly.

It also acts as a repository and document management system. In addition to providing a time-stamped, accurate record of an event, it also stores the organization’s policies, procedures, runbooks, playbooks and other important documents related to BCDR.

The beauty of Rebound and Ready1 is that they allow health systems to restore as quickly as possible, minimizing downtime and the potential impact on patient outcomes.

This article is part of HealthTech’s MonITor blog series.