Five Secrets of Effective Business Continuity and Disaster Recovery Programs


Healthcare providers don’t have to look far or long to know their threat landscape is escalating. Natural disasters like the hurricanes in Florida and Texas, mass casualty situations like the shooting in Las Vegas or the bombing in Boston, and data breaches like those that hit Equifax and Yahoo are daily reminders of the importance of business continuity and disaster recovery (BCDR) capabilities.

In fact, the ECRI Institute, a healthcare product testing and review organization, ranked ransomware and cybersecurity threats as the top healthcare technology hazard for 2018.

Yet many providers haven’t taken the steps needed to ensure that when disaster strikes, their health IT systems, both clinical and financial, are protected, or, if they do go down, can be brought back online quickly. That is particularly worrisome because providers are increasingly dependent on IT systems as they go paperless in virtually every area of their operations.

Five common oversights that make providers vulnerable

Providers’ BCDR preparedness can suffer from some common problems:

  1. Delayed capital expenditure. Frequently, providers delay spending, or spend little, on BCDR after big health IT purchases or upgrades. They kick that expense and decision to another quarter or fiscal year, by which time it may be too late.
  2. Lack of a plan, or of an updated plan. Some providers have no BCDR plan at all. Others have put one together but haven’t updated it in three to five years, despite changes in IT systems, management and personnel over that period. Given the escalating threat environment, that is not good enough.
  3. Lack of plan testing. Other providers have a BCDR plan in place but haven’t tested it or don’t regularly test it. It’s clear from recent experiences that providers that tested their BCDR plans fared better during natural disasters than those that didn’t.
  4. Insufficient depth of coverage. Some providers do spend money on BCDR plans and test them, but the plans they’ve invested in offer minimal protection. For example, they might not have set up redundant networks or offsite data storage, or taken advantage of new cloud-based services.
  5. Insufficient breadth of coverage. Too often, providers will invest in BCDR capabilities but only cover their primary health IT systems, like EHR systems. They forget about all the things that plug into EHR systems or are integrated with them, like radiology systems.

Clinical and financial consequences of an ineffective BCDR plan

An effective BCDR plan helps a provider restore patient-critical systems within an established recovery time while maintaining data integrity and patient care services. Absent an effective plan, a provider can be left dead in the water when disaster hits.

From a clinical perspective, it may mean:

  • Trauma centers and emergency rooms losing their ability to treat patients with life-threatening injuries or illnesses because they have no access to diagnostic imaging systems.
  • Canceling or postponing outpatient or elective surgeries.
  • Putting emergency departments on diversion, meaning incoming patients must be sent to other facilities.

From a financial perspective, it may mean:

  • Losing revenue from the inability to treat patients as scheduled.
  • Increasing operating costs as organizations institute manual workarounds until full recovery.
  • Failing to comply with state and federal disaster-preparedness requirements.

We estimate that a hospital with monthly revenues of $20 million will lose more than $600,000 in revenue for every 24 hours that the facility is not able to care for patients.

Five essentials of effective BCDR programs and management

Successful BCDR programs share a number of features, and their provider operators share a number of attributes.

  • The first is risk assessment. Forward-looking providers stay on top of the threat landscape. They educate themselves on existing and emerging risks: they read the latest reports, attend industry events and share what they learn with their peers. They tailor their BCDR programs to their specific risks.
  • The second is chain of command. Who’s responsible for BCDR is clear, and that job typically falls to the CIO or the chief information security officer (CISO). But effective BCDR starts at the top with the C-suite. There must be buy-in from the CEO on down, with a commitment to adequate funding.
  • The third is downtime tolerance and recovery time objective. Providers with effective BCDR programs have pre-established downtime tolerance levels and recovery time objectives. They know the maximum time they can afford to be down and the maximum time it should take to get back online. They build and fund their BCDR programs to meet those objectives; they don’t buy something off the shelf and see what happens.
  • The fourth is redundant systems. Providers with effective BCDR programs build in redundancies in order to meet their downtime tolerance levels and recovery time objectives. They use secure data centers in a different geographic area, they install “network shelters” to continue working during recovery and they take advantage of cloud-based or hosted services.
  • The fifth is regular testing. These providers test their BCDR programs on a regular basis and modify or upgrade them as necessary to meet any new risks and to adhere to their downtime tolerance levels and recovery time objectives.

Only 59 percent of health care organizations with CISOs conduct mock exercises to test their BCDR systems, according to the 2017 HIMSS Cybersecurity Survey. That drops to 40 percent for organizations without a CISO.

The providers that get it see a robust BCDR program as a competitive advantage in their market, from a clinical perspective, a financial perspective and a reputational perspective. They don’t want to be known as the hospital that is always on ER diversion or whose systems are always going down.

If you are going to HIMSS, visit Change Healthcare booth 4202 and ask to speak to our customer John Zuziak, Chief Information Security Officer from University of Louisville Hospital, see our IT Solutions Consultant, Steven Ramirez, or book a meeting in advance.
