
Dec 04 2025
Security

Why Healthcare Organizations Need an IRE for Epic

Creating an isolated recovery environment for Epic can help hospitals provide care continuity amid unplanned downtime.

Mitigating and minimizing downtime is crucial for healthcare organizations because patient outcomes are on the line. With the cybersecurity landscape becoming increasingly perilous for health systems, organizations are focused not only on prevention but also on recovery to protect themselves and their patients.

The CDW Healthcare Strategist team is made up of former C-suite executives who understand the challenges today’s organizations face in maintaining clinical care continuity. At the 2025 CHIME Fall Forum in San Antonio, we connected with our former peers to discuss how to solve problems in healthcare with true collaborative strategy.

Cybersecurity remains a major focus for healthcare organizations, and it was one of our main topics of conversation this year. Cyber recovery is an important part of a health system’s overall security posture, and isolated recovery environments (IREs), especially for electronic health record solutions like Epic, are an effective tool to mitigate downtime and provide care continuity amid a cyberattack.

What Is an Isolated Recovery Environment?

As ransomware evolved, traditional backup and disaster recovery wasn’t enough. We know that ransomware is on the rise, with attacks growing year over year, and we don’t see that changing for the foreseeable future. So, what else can organizations do to protect themselves? That’s where the connected concepts of vaulting, clean rooms and IREs come in.

Vaulting involves sending backups to an air-gapped, third-party location so they cannot be impacted by a cyberattack or disaster. When the organization is ready to restore operations, it can use a clean room — a secure environment where multiple parties can analyze data and systems collectively without the risk of reinfection. In the clean room, the team can perform restores and analysis to look for markers that show the ransomware didn’t impact the backups. Finally, in an IRE, the IT team can do an actual restore of everything to allow a subset of users back in so the organization can continue operations. It’s not intended to be full production; that comes later once the event has passed.

However, an Epic IRE implementation is unique and functions a little differently from a general IRE. Epic has its own architecture of database mirroring for disaster recovery. Essentially, Epic skips vaulting and uses its IRIS mirroring technology to set up the IRE and keep the data synchronized with production.

Keep in mind that while Epic normally has dozens of integrated third-party applications, those won’t be available in the IRE. It gets rid of those apps and provides only the data to keep operations moving, patient care flowing and revenue incoming throughout the incident. It’s essentially just web access or mobile web access. It could be considered minimum viable Epic.

What Do Health Systems Need To Know About Setting Up an Epic IRE?

The first thing to consider is whether the organization is using an Epic-hosted IRE environment or is self-hosting in the cloud. The cloud option makes sense for many health systems due to the ability to scale as needed and pay using operational dollars rather than a large capital investment.

For other applications, vaulting and clean rooms are likely needed as part of the recovery process. Many organizations buy products to air-gap their environment and facilitate the vault, clean room and IRE setup.

Another factor to consider is that the majority of Epic systems are tied into Active Directory for authentication. During a cyberattack, it’s likely that Active Directory will be down; the organization will be left with a third-party copy of Epic, with nothing to use for login. This can be a major challenge for organizations, but there are options.

The first is to fail back to Epic’s native authentication. However, this may mean having to go through password resets on a larger scale, and it won’t have multifactor authentication unless it’s turned on within Epic’s native multifactor solution — meaning the organization would have to enroll potentially thousands of people into MFA on the fly.

The other option is fairly new. Epic recently began offering OpenID Connect, which allows the organization to tie Epic with Okta or Microsoft Entra ID for easier MFA. This year, we haven’t seen many organizations move toward this, but we expect to see that change over the next year or two as it brings down the barrier to entry and aligns with most identity maturity models.

93%: The percentage of surveyed healthcare organizations that experienced a cyberattack in the past 12 months. (Source: proofpoint.com, "2025 Ponemon Healthcare Cybersecurity Report," November 2025)

Health systems also need to have a plan for how to access the Epic IRE. While the IRE is 100% necessary for continuing clinical operations, an organization needs to consider its entire technology stack. With the system’s computers likely bricked by ransomware, and the network down, how will the organization provide an alternative endpoint methodology, network and internet path to gain access to the IRE? As you can see, access must be considered thoughtfully.

There are a few more items that the operational database administrator will have to run through when it comes to the Epic layer. In a normal disaster recovery mirroring methodology, the mirror is set up, and the environment stays offline. For IRE, the mirroring is unique. Epic creates a logical volume mirror off the IRIS mirror, which means that the IRE is available while still mirroring from production.

The operational database administrator needs to develop the playbook or runbooks on how to bring the environment online. We stress that organizations should be testing the Epic IRE environment regularly — at a minimum, two times a year — but I would recommend doing it more often, as well as enabling the web services and testing full access from web and mobile.

Organizations also need to consider how to train end users to access the environment. How are they going to communicate and teach staff to log in to the IRE? These are some of the organizational things that must take place in addition to the day-to-day operations of keeping Epic up to date, including special and quarterly updates.

Partnership Makes the Epic IRE Process More Accessible

We know that many healthcare organizations don’t feel like they have time to worry about a third-party environment while working to clean up what’s happening in their primary environment. That’s why CDW offers managed services to help organizations maintain care continuity during a crisis while the IT team works on getting the larger production environment up and running.

We’ve been doing Epic in the cloud for quite some time. My former organization, Cone Health, was one of the first to do this in 2018. Here at CDW, we’ve been building automation to help organizations get there faster. In addition to helping them build their environment, we can also help health systems manage it if they want to stay hands-off. We prioritize getting the IRE up as fast as possible to get clinicians up and running if the organization is hit with ransomware.

This article is part of HealthTech’s MonITor blog series.
