Healthcare IT Disaster Risks
Tags: disaster recovery, health care it, healthcare it
A risk assessment that reviews the operation's assets, threats, and vulnerabilities should be performed and then updated annually. It rates each event that can affect an asset on a) frequency of occurrence and b) magnitude of impact. There are pitfalls to watch for when reviewing assets. One of the first is failing to understand the asset's nature and its role in the business operation; a system whose function is misunderstood will be misrated on both frequency and impact, and everything built on the assessment inherits the error.
Business Impact Analysis
The BIA uses information generated by the risk assessment. The difference is one of focus: the risk assessment looks at potential adverse events and the losses they cause, while the BIA looks directly at the operational impact on the business. Specifically, the BIA examines each operation and determines, once it is down, what direct losses are incurred, what secondary effects follow and where they appear, and how long the losses can be sustained before they become operationally critical or fatal.
Your Action Plan
Regardless of type or cause, every disaster passes through the same phases:
- Initial emergency state and reaction
- Stabilization and damage assessment
- Restoration and reparation
- Reconstitution and resumption
The pace and duration of each phase vary with the disaster. An explosion is instantaneous, whereas a hacking attack may unfold over days or weeks yet be just as damaging in its own way. There are several things you can do ahead of time to make the enterprise more resistant to disasters and to recover faster once one has happened.
Disaster prevention will always be better than even the best recovery plan. You can’t prevent all disasters, but with the risk analysis and BIA you can make your enterprise more resilient and able to survive disasters when they do occur.
Prioritize your organization's risks from highest to lowest; your first goal is to mitigate, cost-effectively, as many as you can. Each mitigation should protect the infrastructure without adding unnecessary or unwanted complexity or technological fragility, since a control that is itself fragile becomes a new way to fail.
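The two criteria above (frequency of occurrence and magnitude of impact) and the goal of cost-effective mitigation can be turned into a working ranking. The following is an added example, not code from the original article: it scores each asset/threat pair by expected annual loss (frequency times impact per event), ranks the risks, and then funds only those controls whose annual cost is less than the loss they avoid. The assets, threats, dollar figures and controls are constructed for illustration.

```python
"""Rank risks by expected annual loss and choose cost-effective mitigations.

Added example; not from the original article.  The article gives the two
criteria (frequency of occurrence and magnitude of impact) and the goal
(mitigate cost-effectively, highest risk first) but no method; the
annualized-loss arithmetic below is the standard way to combine them, and the
assets, threats and dollar figures are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    annual_frequency: float     # expected occurrences per year
    impact_per_event: float     # loss in dollars per occurrence

    def expected_annual_loss(self) -> float:
        return self.annual_frequency * self.impact_per_event


@dataclass(frozen=True)
class Mitigation:
    name: str
    risk: Risk
    annual_cost: float
    frequency_reduction: float  # fraction of occurrences prevented, 0..1
    impact_reduction: float     # fraction of per-event loss avoided, 0..1

    def residual_annual_loss(self) -> float:
        r = self.risk
        return (r.annual_frequency * (1 - self.frequency_reduction)
                * r.impact_per_event * (1 - self.impact_reduction))

    def net_annual_benefit(self) -> float:
        """Loss avoided per year minus what the control costs per year."""
        return (self.risk.expected_annual_loss()
                - self.residual_annual_loss() - self.annual_cost)


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest expected annual loss first: the order the plan works through."""
    return sorted(risks, key=lambda r: r.expected_annual_loss(), reverse=True)


def select_mitigations(mitigations: List[Mitigation], budget: float) -> List[Mitigation]:
    """Greedy selection: best net benefit first; skip anything that costs more
    than it saves; a control that does not fit the remaining budget is passed
    over so cheaper cost-effective ones can still be funded."""
    chosen, remaining = [], budget
    for m in sorted(mitigations, key=lambda m: m.net_annual_benefit(), reverse=True):
        if m.net_annual_benefit() <= 0:
            break   # sorted descending, so everything after this loses money too
        if m.annual_cost <= remaining:
            chosen.append(m)
            remaining -= m.annual_cost
    return chosen


# Constructed register: four asset/threat pairs and one candidate control each.
EHR = Risk("EHR database", "ransomware", 0.2, 1_500_000)
PACS = Risk("PACS imaging server", "disk array failure", 0.5, 120_000)
DC = Risk("Data center", "regional flood", 0.02, 4_000_000)
BILLING = Risk("Billing system", "phished credentials", 2.0, 15_000)
SAMPLE_RISKS = [BILLING, PACS, EHR, DC]

SAMPLE_MITIGATIONS = [
    Mitigation("Offline, tested backups", EHR, 60_000, 0.0, 0.8),
    Mitigation("Hot site in another region", DC, 250_000, 0.0, 0.9),
    Mitigation("Spare array and disk monitoring", PACS, 20_000, 0.5, 0.5),
    Mitigation("MFA for billing staff", BILLING, 8_000, 0.9, 0.0),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.expected_annual_loss():>10,.0f}  {r.asset}: {r.threat}")
    for m in select_mitigations(SAMPLE_MITIGATIONS, budget=100_000):
        print(f"fund {m.name} (net benefit {m.net_annual_benefit():,.0f}/yr)")
```

Note what the constructed figures show: the flood is the second-largest risk by expected loss, yet the hot site costs far more per year than it saves, so it is not funded; that risk has to be handled some other way (accepted, insured, or mitigated more cheaply) rather than ignored. Ranking tells you where to look first; the cost check decides what to buy.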
Among the preparatory measures HIPAA requires (under the Security Rule's contingency plan standard) is planning and performing system backups. Backups are a well-proven method of protecting vital data. HIPAA does not prescribe a particular solution, but it does require that you perform the function, plan it carefully, execute it consistently, and test it periodically to prove that a restore actually works.
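"Test it periodically" is the step most often skipped, and a backup that has never been restored is only a hope. The following is an added example, not code from the original article, showing what such a test looks like in practice: the backup records a SHA-256 manifest of every file at backup time, and the test restores the archive into a scratch directory and compares every file against that manifest, reporting anything missing, altered, or unexpected. The directory layout and file contents are constructed for the demo and contain no real patient data.

```python
"""Back up a directory, then prove the backup restores correctly.

Added example, not code from the original article.  HIPAA says backups must
be planned, performed consistently and tested; this shows the test: every
restore is checked file by file against a SHA-256 manifest taken at backup
time, so a truncated, corrupted or missing file is reported now instead of
being discovered during a real disaster.  Paths and contents are constructed.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write a tar.gz of src plus a sidecar manifest; return the manifest."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_backup(archive: Path, dest: Path) -> None:
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")  # refuses paths escaping dest
        else:
            tar.extractall(dest)                 # older Python without filters


def verify_tree(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest.

    All three lists empty means the restore test passed."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(k for k in manifest if k not in actual),
        "mismatched": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(k for k in actual if k not in manifest),
    }


def restore_test(archive: Path, manifest: dict) -> dict:
    """The periodic test: restore into a scratch directory, verify, clean up."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch) / "restore"
        restore_backup(archive, dest)
        return verify_tree(dest, manifest)


def make_sample_data(root: Path) -> None:
    """Constructed stand-in for a small application data directory (no real PHI)."""
    (root / "db").mkdir(parents=True)
    (root / "db" / "appointments.csv").write_text("id,patient_ref,when\n1,P-001,2024-05-01T09:00\n")
    (root / "db" / "audit.log").write_bytes(os.urandom(4096))
    (root / "config.ini").write_text("[backup]\nschedule = nightly\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        make_sample_data(src)
        archive = Path(work) / "data.tar.gz"
        manifest = create_backup(src, archive)
        print(json.dumps(restore_test(archive, manifest)))
```

Keep the manifest with the archive and treat a non-empty report as a failed backup, not a warning: the point of the periodic test is that the restore is exercised end to end, on a schedule, by the same procedure the recovery plan will use.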
Emergency Mode Operations Plan (EMOP)
The EMOP, also a HIPAA requirement, is what lets the organization keep operating under adverse circumstances while remaining in compliance with HIPAA's privacy and security requirements, which is often difficult to do. In an emergency, delivering care where it is needed is always the priority, but that does not mean caution can be set aside when handling sensitive information. Striking an efficient balance between the two takes advance planning, solid organization, and leadership in execution, and targeted training lays the foundation for it.
This post is excerpted and used with permission from Your Prescription for a Robust Healthcare IT Disaster Recovery Plan by Ross A. Leo
Healthcare IT Disaster Recovery Planning Series