Disaster recovery in healthcare: Free plan template and overview

Why is disaster recovery in healthcare important?

A major difference from non-healthcare DR plans is the inclusion of specialized systems used in hospitals, not just the assets in a data center or network facility. Specialized systems might have their own DR plan that addresses their nuances and specialized requirements. The key is to ensure that all mission-critical systems have plans to keep them running when a disruptive event occurs.

Considering the nature of healthcare, which covers a broad spectrum of activities, technology plays a critical role in just about every aspect. Healthcare professionals use tech to perform vital tasks, including the following:

• Manage patient registrations.
• Handle emergencies.
• Perform surgical procedures.
• Administer nuclear medicine.
• Deliver physical therapy.

Even the facilities that support the institution -- including security systems, primary and emergency power systems, HVAC systems, transportation resources, delivery of medications and other resources, and processing mail -- depend on the availability of a variety of specialized systems. Technology is everywhere.

Owing to the variety and complexity of the activities performed by hospitals, as well as the need for uninterruptible access to many specialized systems, healthcare DR activities are often more involved than in non-healthcare businesses. As such, not only are DR activities essential to IT infrastructures, systems, applications and networks, but they must address the unique systems that comprise a major teaching hospital.

Compliance with regulations is critical

Healthcare institutions are governed by many local, state and federal regulations and legislation. Many of these deal with the protection of patient information including medical records and Social Security numbers.

One key regulation is the Health Insurance Portability and Accountability Act (HIPAA). Compliance with HIPAA must be maintained and periodically demonstrated through audits and assessments. A documented DR plan that is regularly tested helps demonstrate compliance with HIPAA requirements.

Loss of resources can be life-threatening

Situations that prevent or make it difficult for hospitals to provide their many services can have life-threatening consequences. Loss of life stemming from a technology disruption might result in lawsuits and other litigation. If it can be demonstrated that the hospital was ill-prepared for a specific disruptive event, such as a severe storm or pandemic, that kind of information could have disastrous effects on the hospital's reputation. This might impede its ability to raise funds and donations to provide future care.

Consequences of the above and many other situations can be mitigated by initiating DR and related emergency plans to keep power running, keep the lights on, ensure that critical systems are operational and even maintain a proper breathable atmosphere.

Individual and private hospitals as well as large regional healthcare systems in the U.S. must have DR plans in place. This is true for hospitals in a major city or those located in a rural setting. Plans must be documented, regularly tested, have teams that are trained to launch and manage them, and must be supported by hospital administration.

Consider using this guide and template to review the content and completeness of existing DR plans. It might also be useful when preparing a DR plan while installing a new medical system.

Data gathering and setting a baseline

Once senior management has approved the development of a hospital DR plan, gather a team of employees to support the plan's development, testing and deployment. Personnel can come from both IT and medical staff, especially if the technology being protected has patient contact. Collaboration between administrative and healthcare personnel is an essential ingredient for success.

Assuming the IT team has completed a risk assessment and identified potential threats to the IT infrastructure and medical systems, the next step is to determine which assets are most important to hospital operations. Assuming that all IT systems and networks, hospital utilities and facilities, security systems, and specialized systems are performing normally, the hospital should be functioning normally. When an incident -- internal or external -- negatively affects the hospital's technology infrastructure, the ability to deliver healthcare services could be compromised. The inventory of assets is an essential baseline document for the DR plan.

A plan for disaster recovery in healthcare provides step-by-step procedures for recovering disrupted systems and networks, helping them resume normal operations. The goal of these processes is to minimize any negative impacts on hospital operations.

The DR process identifies critical IT systems, networks and specialized systems; prioritizes their time for recovery, and lists the steps needed to restart, reconfigure, and recover them. Storage and recovery of protected health information (PHI) is also a major DR consideration and might be subject to recovery objectives.

These metrics indicate how long data can be stored before it becomes out of date or otherwise unusable. A comprehensive healthcare IT DR plan also includes all the relevant supplier contacts, sources of expertise for recovering disrupted systems and a logical sequence of action steps to take for a smooth recovery.

Owing to the unique attributes of a hospital, DR teams might need to coordinate their IT plans with other emergency plans, such as relocating patients and building evacuations. People and patient issues must be addressed first, or at least concurrently, with efforts at recovering disrupted hospital systems and networks.

Technologies to consider in healthcare DR

There are numerous technologies organizations can use for a healthcare DR strategy. Traditional techniques for protecting critical healthcare systems include the following:

• Backup systems ready to be deployed if the primary system fails.
• Backup copies of operating systems, databases, and other specialized applications.
• Backups of critical data (especially PHI) kept in an alternate storage location.
• Diversely configured internal office networks to minimize network disruptions.
• Diversely routed external networks connecting hospitals with local carriers and other hospitals.
• Inventory of spare parts and components.
• Use of alternate hospital to support a backup IT site.
• Use of alternate hospital space as noted above for displaced patients and specialized systems that might have been disabled by an emergency.
• Access to system and application documentation.
• Training primary and alternate employees on recovery of critical systems.
• Sufficient emergency power systems, including uninterruptible power supply and standalone generators.

There have been several recent advancements in technology that can increase the likelihood of recovery after a disruption.

Cloud-based data storage, system recovery and disaster recovery resources play a major role in modern disaster recovery, keeping data safe offsite. Cloud-based DR services, such as DRaaS, can automate major elements of the technology DR process. Be mindful that cloud-based DR might not be appropriate for specialized systems, such as nuclear medicine, blood testing and surgical systems. Cloud operators are not likely to have such systems in their inventory.

VoIP technology helps eliminate the problem of a single large PBX system that serves a hospital. The switching elements can be distributed in multiple locations and connected via the internet. If one or more nodes are disabled, unaffected elements of the system might be recoverable.

Advances in cybersecurity technologies can help reduce the likelihood of the hospital's systems and networks being hacked and can help identify and mitigate impacts of virus and phishing attacks and ransomware attacks. Advances in data protection and security, such as system access using multi-factor authentication and data encryption can help protect PHI and other hospital data.

AI and machine learning are gradually finding a place in healthcare DR. For example, they can analyze performance data from multiple systems, networks and specialized devices and make predictions on how and when failures might occur.

These methods raise the bar on how systems and data, especially PHI, can be protected from unauthorized access and cyberattacks. They are also important for compliance with various regulations, such as HIPAA, which has specific requirements for data protection and data privacy.

Healthcare DR plan structure

According to NIST (National Institute for Standards and Technology) Special Publication 800-34, Contingency Planning for Information Technology Systems, the following summarizes an ideal structure for an IT DR plan that organizations can adapt for healthcare:

1. Develop a DR planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective healthcare DR plan.
2. Conduct a business impact analysis (BIA) to identify and prioritize critical IT systems and networks as well as unique critical healthcare systems; the BIA can help identify recovery objectives.
3. Conduct a risk assessment to identify internal and external risks, threats, and vulnerabilities to the hospital that could be exploited.
4. Identify preventive controls that can mitigate the effects of system disruptions and increase system survivability.
5. Develop recovery strategies to ensure that systems, applications, networks and specialized devices can be recovered quickly following a disruption.
6. Develop IT DR plans that contain detailed guidance and step-by-step procedures for restoring damaged systems, network resources, applications and specialized systems.
7. Establish a program for plan testing to identify technology and procedural issues and to identify procedures to correct problems.
8. Establish a training program to train designated personnel on the DR plan and their responsibilities during a disruptive event.
9. Establish a communications protocol for communicating with employees, the media, government agencies, patients, and other stakeholders.
10. Develop a plan maintenance activity so that the DR program is updated regularly to remain current with system enhancements and changes, as well as changes in hospital policies and protocols.

Step-by-step IT DR plan development

Using the framework from NIST SP 800-34, the above actions can be expanded into the following structured sequence of activities:

1. Meet with the hospital's technology, application, network administrator(s) and owners of specialized healthcare systems to establish the scope of the activity. This might include internal elements, external assets, third-party resources and links to other hospitals/vendors.
2. Gather all relevant network infrastructure documents such as network diagrams, equipment configurations and databases.
3. Gather data on all specialized healthcare systems and identify the subject matter experts who will be involved if a disaster occurs.
4. Obtain copies of existing IT and network DR plans, plus plans for specialized healthcare systems. If these do not exist, proceed with the following steps.
5. Using data from a risk assessment, confirm with administration what they perceive as the most serious threats to the hospital's IT infrastructure. Examples include fire, human error, loss of power, system failure or cyberattacks.
6. Using data from the risk assessment, confirm with administration what they perceive as the most serious vulnerabilities to the hospital's infrastructure. Examples include lack of backup power, out-of-date copies of databases and too many legacy systems.
7. Review historical records of hospital outages and disruptions and how the institution handled them.
8. Using data from the BIA, confirm with administration what they perceive as the most critical IT assets.
9. Determine the maximum outage time the administration can accept if the identified IT assets are unavailable.
10. Identify the operational procedures currently used to respond to critical outages.
11. Determine when these procedures were last tested to validate their relevance.
12. Identify emergency response team(s) for all critical IT infrastructure and system disruptions. Determine their level of training with critical systems, especially in emergencies.
13. Identify vendor emergency response capabilities. Have they ever been used? If they were, did they work properly? How much the hospital is paying for these services? Check the status of service contracts, presence of service-level agreements and if they have been used.
14. Compile results from all assessments into a gap analysis report that identifies what is currently done versus what ought to be done, with recommendations as to how to achieve the required level of preparedness, and estimated investment required.
15. Ask administration to review the report and agree on recommended actions.
16. Prepare IT disaster recovery plan(s) to address critical IT systems and networks, and specialized healthcare systems.
17. Identify and secure additional resources to help facilitate future recoveries.
18. Conduct tests of plans and system recovery assets to validate their operation.
19. Update DR plan documentation to reflect changes.
20. Schedule next review/audit of IT healthcare DR capabilities.

Important caveats

Before implementing a new healthcare DR plan, there are some considerations IT teams must make.

First of all. the plan will not go anywhere without administrative approval. Be sure to obtain hospital administration support so that plan goals can be achieved. Keep upper management informed along the way if necessary.

Take the IT healthcare DR planning process seriously. Although the plan can take a great deal of time for data gathering and analysis, ensure that plans have the right information and that information is current and accurate.

Take a look at disaster recovery standards that might help guide the process. Among the relevant standards to use when developing IT DR plans are NIST SP 800-34 and ISO/IEC 27031:2011 Information technology -- Security techniques -- Guidelines for information and communications technology readiness for business continuity.

Lastly, be flexible. The suggested template in this article can be modified as needed and is scalable to fit most healthcare organizations. Disaster recovery is not a one-size-fits-all field.

Reviewing the template

Following is the table of contents from the provided downloadable template, indicating key issues to address and activities to perform. Before modifying the template, take a look at the following sections and their functions:

Click the above image
to download our
free healthcare disaster
recovery plan template.

1. Information technology statement of intent. Set the stage and direction for the plan here.
2. Policy statement. Include an approved statement of policy regarding the provision of disaster recovery services in the hospital/healthcare facility.
3. Objectives. List the goals of disaster recovery in the healthcare DR plan.
4. Key personnel contact information. Keep key contact data near the front of the plan. It is often the information most likely to be used in the early stages of the incident and should be easy to locate.
5. Plan overview. Describe basic aspects of the plan, such as updates.
6. Emergency response. Describe what must be done immediately following the onset of an incident.
7. Disaster recovery team. List members and contact information of the hospital DR team.
8. Emergency alert, escalation and DR plan activation. Outline the steps to take through the early phase of the incident, leading to activation of the DR plan.
9. Media. Tips for dealing with the media.
10. Insurance. Summarize the insurance coverage associated with a healthcare IT environment and any other relevant policies.
11. Financial and legal issues. Specify the actions to take for dealing with financial and legal issues.
12. DR plan exercises. Underscore the importance of DR plan exercising.
13. Appendix A -- Technology Disaster Recovery Plan Templates. Sample templates for a variety of technology recoveries; useful to have technical documentation available from select vendors, especially for specialized healthcare systems.
14. Appendix B -- Suggested Forms. Ready-to-use forms that will help facilitate the plan completion.

Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.