
May 28 2026
Security

Healthcare Disaster Recovery: Building a Clinical Care Resilience Plan

Having a downtime plan is only the first step. Healthcare organizations need to test their plans to ensure clinical staff know what to do when systems go down.

For today’s hospitals, “IT is a mission-critical aspect of delivering care,” says Josh Howell, healthcare CTO at Rubrik, which means IT security is just as mission critical. “Security has to be right 100% of the time. The attackers only have to be right once.”

For the times when attackers do get it right, healthcare organizations need to have in place a clinical care resilience plan that enables them to continue providing care, even during an unscheduled IT outage.


Healthcare Disaster Recovery and Cyber Resilience Planning

Historically, Howell says, disaster recovery has meant countering the threat of physical damage, such as a cut fiber-optic cable or a flooded data center. This typically involved creating a physically removed disaster recovery site that had a network tightly integrated with the production site.  

But this approach doesn’t work in an era of cyberthreats, when attackers can compromise both production and disaster recovery sites.

Instead, healthcare organizations should create cyber resilience plans that can withstand ransomware attacks and other cyberthreats.

As Howell says, a cyber resilience plan answers the question, “How does a healthcare system get back online in a way that protects clinical care and continuity of care for patients?”


Minimum Viable Hospital: Establishing Your Baseline for Clinical Continuity

A minimum viable hospital comprises the most critical functions that a healthcare organization must have to provide clinical continuity.

To determine its own minimum viable hospital, a healthcare organization must identify the roughly 30 to 50 applications it needs to keep delivering patient care during an outage. These might include apps that schedule patients into hospital rooms, order labs or surgical supplies, and pay employees.

When building its minimum viable hospital, Franciscan Health, a 12-hospital health system in Indiana and Illinois, evaluated more than 100 applications that integrate with its electronic health records and pared that list down to about 60.

“These are the applications required to be minimally viable in a clinical setting,” says Charles Christian, vice president of technology and CTO at Franciscan Health.

Defining a minimum viable hospital should also involve identifying the tech-dependent healthcare procedures, such as advanced cancer treatments, for which paper-based processes are simply insufficient.


HIPAA Compliance and Patient Data Protection During a Disaster 

Healthcare organizations need to know where all their patient data lives so that, during a cyberattack, they understand the full extent of the breach. They can’t wait until an attack to discover, for instance, that some employees have been exporting certain patient data sets.

“Healthcare organizations need to get a handle on where their overexposed sensitive data is,” Howell says, noting the federal Cybersecurity and Infrastructure Security Agency’s principle that “you cannot protect what you cannot see.”

With 360-degree vision into its patient data, a healthcare organization knows which patients to notify if attackers compromise its systems. As a result, “it’s easier to comply with HIPAA and notify the right patients,” Howell says.

Building a Healthcare BCDR Plan That Covers Key Clinical Workflows

For healthcare organizations, a business continuity and disaster recovery plan has one overarching goal: continuing to serve patients.

To achieve that, a BCDR plan must cover the key clinical workflows. “The hardest part about resilience and business continuity is the workflows,” Christian says.

Significantly, a BCDR plan documents what employees need to do when technology goes down, Christian notes. For instance, clinical staff need to know how to use whiteboards to track patients or how to use paper forms to submit lab orders.

In addition to being documented, the BCDR plan must be tested. That’s especially critical when many healthcare employees have never provided care without technology. “They need to know how to operate while we’re working to get the network back up,” Christian says.

The BCDR plan also should establish the recovery time objective and recovery point objective. The RTO is the maximum length of time it should take to restore normal operations following an outage, while the RPO is the maximum amount of data an organization can lose. Franciscan Health’s target RTO, for example, is 72 hours. 


IT Restoration Sequencing: Using Disaster Recovery Tools To Prioritize Clinical Systems

A healthcare system can have anywhere from several hundred to a few thousand applications. It’s impossible to recover that many apps all at once. Once an organization identifies the 30 to 50 applications that make up its minimum viable hospital, it can determine the order in which to recover them.

Effective IT restoration depends on an isolated recovery environment (IRE): a physically separate, air-gapped clean room in which to restore data and applications.

Cyberattacks can last from days to weeks, and that can take a heavy toll on the people involved. To mitigate this challenge, healthcare organizations need to automate the process of activating their IRE.

Organizations with a clear, well-drilled plan to activate their IRE can cut days off the recovery process, Howell adds — “and that’s measured in less impact to patient care and less financial loss for the healthcare system.”

Testing and Exercising Your Disaster Recovery Plan: Tabletop Drills and Downtime Procedures

While tabletop drills help determine who does what during downtime, they’re not enough on their own. Every BCDR plan needs real-world tests.

By deploying its clinical care resilience plan, a healthcare organization sees what works and what doesn’t, and gains visibility into “the sheer complexity and number of healthcare applications and how interconnected they all are,” Howell says. “You won’t learn that unless you run real-world tests.”

Testing also should involve documenting and practicing all the manual downtime processes, such as locating the whiteboards, Christian says. “You have to do drills to make sure everybody is aware of what they need to be doing.”
