Disasters aren’t a threat only in areas susceptible to tornados, earthquakes, hurricanes, and floods. External risks exist elsewhere, too: crime, fire, and bioterrorism pose similar threats. That is why the number of organizations that don’t have sufficient disaster recovery and business continuity plans is both surprising and alarming, says Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR.
“I’ve conducted numerous audits of providers, health plans, business associates, and vendors and it is very rare to find a complete, accurate, and tested disaster recovery plan accompanied by a business continuity plan,” Apgar says. “Often, plans do not exist, are incomplete, out of date, have not been tested, and/or concentrate only on the technical infrastructure and not the business.”
The solution is simple yet time-consuming, experts say. All organizations must document preparedness plans and conduct frequent training exercises and drills to ensure that personnel remain aware of their responsibilities.
Prepare for common problems
When a disaster occurs, organizations scramble to access patient medical records and keep the flow of patient care intact. But it’s not easy—especially if they are unprepared.
Organizations often underestimate the effect of flooding, says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Van Meter, IA.
“A flood can damage paper records, and if [organizations] don’t have backups made and stored in a secure place, that can be a real problem,” Herold says.
Many organizations don’t build their computer facilities in areas protected against flooding. For example, when Hurricane Katrina hit New Orleans, one physician’s office maintained a backup server to allow operations to continue after a natural disaster, Apgar says.
“Unfortunately, the server was in the basement—not the place to be in the event of a flood,” he says.
Organizations frequently fail to consider how a disaster might affect companies to which they outsource work, says Herold. And many of the organizations that have designed and documented thorough plans don’t test the critical components of the plan, such as the backup media that would house patient information, she says.
“It doesn’t take long to do a test to make sure the backup is readable,” she explains. Failure to do so can have a significant clinical effect. Lost patient data is not only a privacy risk; it also puts patients’ health at risk and puts the business at risk for noncompliance.
Finally, lost data can cost an organization hundreds of thousands or even millions of dollars if it becomes necessary to hire forensics experts to recreate it, Herold says. “And there’s no guarantee they can do that anyway,” she adds.
Specifics of an effective plan
A disaster recovery plan alone is insufficient, says Apgar. “[A recovery plan] describes what to do at the moment of the disaster and how business is to be recovered,” he says. “It does not include how the business will continue to address mission-critical activities while business and technical infrastructure is recovered.”
Apgar offers the following recommendations for organizations that are designing or updating their plans:
- Complete an inventory of assets (i.e., hardware, software, facilities, staff members, and data)
- Prioritize assets from most to least important
- Determine how long the organization can continue working without certain data or hardware
- Be specific when determining what to recover first, who is responsible, and how it will occur
- Determine the method of technical recovery
- Locate and rent or list alternate sites for business operations during a disaster and afterward
- Train staff members responsible for disaster recovery plan implementation (e.g., establish phone trees and identify leaders and coordinators)
- Ensure that staff members have copies of the plan off-site; senior coordinators should have copies of the full plan and other staff members should have copies of sections for which they have responsibility
- Test the plan with tabletop exercises and a full drill
- Update the inventory and plan regularly, especially the list of responsible parties, which will likely change most frequently
Apgar also recommends developing a business continuity/emergency mode operations plan that:
- Defines the organization’s mission-critical activities, including those activities that must continue operating during and after a disaster until full recovery
- Determines which steps are necessary to address mission-critical activities
- Specifies how to notify patients, clients, and others where to go for services during and after a disaster
- Determines where to obtain emergency supplies (e.g., water, blankets, and food) necessary for the first few days of the disaster
- Establishes staff member responsibilities, including whom they should call for instructions on whether and when to report when a disaster occurs
- Specifies who is responsible for establishing temporary operations and which staff members are assigned to assist him or her
- Specifies who is responsible for addressing mission-critical operations
- Instructs staff members who are responsible for continuing mission-critical activities what to do during a disaster
Apgar recommends involving the following personnel in your disaster planning:
- Privacy and information security officers
- Senior and midlevel management
- Procurement staff members
- Facilities management
- Select members of the work force, particularly those who are most knowledgeable and can define how to address mission-critical requirements
- Partner vendors
- Partner organizations
- A liaison between your organization and the local/state disaster response team
- Communications staff members
Practice makes perfect
Frequent practice is essential to protecting patient information, maintaining business operations, and remaining compliant during a disaster, says Herold. Dry runs are necessary to ensure that plans are workable. They can be tedious, but they are also incredibly useful.
“They show you holes in the plan,” says Herold. “If you don’t test, people aren’t necessarily sure what to do. That can lead to some big problems.” Herold recommends at least one dry run annually, with more frequent drills if your organizational structure undergoes major changes.
Continually update your plan to document procedural, personnel, and software changes.
Herold recalls a review of what initially appeared to be a very detailed disaster plan. “But when I looked closely at it, it was dated 1996,” she says. “All of their applications had changed and a lot of their personnel were gone, but they thought they could use the same plan.”
Failure to maintain an accurate and updated plan is a big mistake, says Apgar. “The bottom line is most organizations do not adequately plan for disasters, large or small. It is important for organizations to prepare for disasters taking into account more than just the computers. It is a whole organization activity,” he says.
Complete, tested disaster recovery and emergency mode operations plans and trained staff members who know how to respond appropriately can be the difference between staying in business and closing your doors after a disaster, says Apgar. They also can determine whether you have prepared staff members who are safe and productive during a disaster or untrained staff members in possible danger if a disaster occurs, he says.