January 28, 2019
Welcome to the 3rd and final installment in our series on Cybersecurity. I’m your blog host and physician practice technologist, Michael Patrick. In the first two blogs in this series we covered social engineering and Phishing with a focus on defending against attacks. Now we cover what to do when disaster strikes.
It isn’t a matter of if, but when. At some point, critical system failure will affect clinical operations. But with the right strategies, one can minimize clinical downtime so you can keep seeing patients. Whether the disaster comes in the form of a natural disaster or some form of cyber attack, readiness is key.
Being in Healthcare IT for more than a decade, I’ve seen my share of disasters; from flooded locations to ransomware attacks. Unwelcome and debilitating, they cripple the operating effectiveness of a practice. Practice leaders often neglect the necessity and value of creating and testing a Disaster Recovery Plan (DRP) because a disaster is not upon them, or they believe a disaster is not eminent. So being prepared for one doesn’t naturally present itself as a priority. But it is eminent.
The difference between Retina practices that maintain efficiency and minimal disruption, and those that don’t, is an active commitment to a DRP. Highly efficient practices understand that an hour of downtime is an hour of lost productivity and untold dollars in patient satisfaction. Having a tested plan for a recovery process based on the risks applicable to your practice can help to eliminate time and mistakes when time really counts.
Making sure that your practice averts potential clinical interruptions isn’t the only reason to create and test a Disaster Recovery Plan. Within the HIPAA Security Rule, section § 164.308 (7)(ii)(B) states that a Disaster Recovery Plan is required within your Security Policy documentation. Fortunately, some of the information you need for your security risk analysis for HIPAA compliancy and a Disaster Recovery Plan are similar.
A 2017 Forrester Research study revealed that the number one cause of disaster was IT failure. In fact, IT failure was larger than the next two causes combined! So, before disaster strikes, what are some concrete steps you can take to start building your DRP and ensure that data loss and downtime are minimized? Let’s talk about the big three.
When something goes wrong, the first thing you need to know is what must be restored. This means having an up-to-date inventory of the hardware and software systems that are crucial to your operations, and the data that must be restored in the event of a failure. This includes a combined list of vendors whose operations may be tightly interconnected with your organization. Finally, two often overlooked pieces of information are insurance policy information and master call lists. If your IT systems were to fail, how will you get in contact with critical personnel to begin to assess the situation?
To build a successful backup and disaster recovery strategy, one needs to understand the risks your practices face. Think about which natural and man-made disasters your practice is susceptible to and ensure this is accounted for. Now turn your eye inwards to discuss and prioritize each of the practices processes and systems; this will provide a priority to those restoring processes. Lastly, think about how much potential time and data you are willing to lose in the event of a disaster occurring. For some, that answer might be “0.” For others, having to enter data manually after a disaster is less expensive than the technology required for an instantly redundant system. This choice is always a balance between the risk you expect, versus the amount of money needed to employ a DRP solution.
We have our inventory, identified risks, priorities, and time sensitivities. Now its time to discuss with your IT Team disaster recovery solutions to employ at your practice. All of this information can help your IT Team backup data critical to the operation of your practice. Having the tools and procedures in place to quickly recover from a disaster is a great start, but it does little good if they cannot be successfully brought to bear. Take time to test the written plan you’ve created and although it probably goes without saying, testing the recovery plan should be done in off hours to minimize the impact to daily operations. Finally, it is important to note that no disaster recovery plan will survive the long term. Unanticipated changes, changes in budget constraints, and constantly evolving threats mean that a disaster recovery plan must be constantly evolving, and tested, so that it fully supports the systems that need recovery.
As we all can appreciate, no plan is perfect. The only perfect disaster recovery plans are the ones that work for your practice. Unforeseen circumstances will require you to modify and update your strategies for disaster recovery constantly. These circumstances may come in the form of changing hardware, evolving vendors, or new data architectures. But they must all be accounted for when developing your disaster recovery plan.
One last point to mention is that this process needs executive direction and involvement to be successful. This cannot be delegated entirely, and conversely executive leadership for the practice will be the only team members that can properly prioritize the needs and processes of the practice in an emergency situation. This way, when disaster does strike, the team already knows their marching orders.
So there you have it! Now you have three concrete steps to insure your practice is back up and running the next time disaster strikes. We hope you don’t need them, but they are not to be ignored.
Many practices could use a little more help in the IT department. We’d love to help you out with all your IT needs. Feel free to email me @ firstname.lastname@example.org. Again, I’m Michael Patrick, your physician practice technologist. Stay on the lookout for our final blog in the series on Disaster Recover… what to do when it all goes wrong. Until then, like, share and/or comment on this post!
With more than 20 years of technology and technology sales experience, Michael has led Systeem’s operations since day one, connecting our clients with technology, processes and ideas that make their lives easier and happier.