Improving Crisis Preparedness: Don't Forget Testing Business Continuity Plans
It's hurricane season, but natural and man-made disasters can happen anytime. Unfortunately, healthcare organizations, especially smaller entities, are often unprepared for how to rebound so their data operations continue to run smoothly and securely in the wake of a crisis.
Secure access to and exchange of patient data are critical components to clinical workflow and patient safety. Federal regulators are pushing for better coordinated care and for healthcare providers to participate in accountable care organizations; data disruptions can derail those efforts.
Testing business continuity and disaster recovery plans periodically, however, can help healthcare entities to be better prepared. That's assuming of course, that a hospital or clinic has a well-documented business continuity and disaster recovery plan to put into place.
For instance, if your organization's electronic health records network suddenly failed, do staffers know the proper procedures for shifting to paper? Does your workforce know whether it's OK if they take out their personal computing devices to access or send patient information in a pinch? What sort of patient privacy risk could that potentially create?
Under HIPAA, entities are required to have a contingency plan that covers data backup, disaster recovery and emergency mode operations. Two other HIPAA contingency plan provisions - testing and revision procedures, and applications and data criticality analysis - are considered "addressable" specifications that should be implemented where "it's a reasonable and appropriate safeguard."
So without a clear mandate to test business continuity and disaster plans - on top of a lack of resources or awareness - some healthcare organizations tend to skip that, or do it once and forget about it, Brad Garland, CEO of security and compliance consulting firm Garland Heart Management Group, recently told me. And that can have serious consequences in a crisis.
Brandon Tanner, senior manager of Rentsys Recovery Services, a provider of disaster recovery services, also recently described for me a major network outage at a client - a pathology lab test company that serves healthcare organizations across the country. The outage, which was not caused by a natural disaster, but rather "data corruption, compounded by human error," resulted in data being unavailable for a period of time, not only disrupting the lab company, but the many healthcare providers that needed access to test information.
"There was a business continuity plan in place, but it wasn't tested," Tanner says. Fortunately, the firm - which Tanner declined to identify - "dusted off the plan" and got systems back in action within 24 hours, "but there was a lot of impact to other organizations" in the meantime, he says. "Given the circumstances, 24 hours was good, but for the doctors [needing the lab data], it wasn't good," he says. It took several more months for all operations to be fully restored.
Had the business continuity plan been tested in advance, recovery from the crisis could have gone more smoothly, he says. Not only would key personnel and departments have been better prepared, but there would also have been an opportunity to identify gaps in the plan that could have lessened the impact.
Garland not only recommends that table-top business continuity tests be performed every one or two years, but that the business continuity plans themselves be examined every six months or so. For instance, plans should be evaluated "any time there is a management or employee change that impacts the business," or if there are new IT systems added or upgrades to an organization, he suggests.
"Technology changes often, and business continuity and recovery plans need to reflect that, and be tested," he says.
Those who should participate in the table-top exercises include an organization's business continuity team, which generally involves a cross section of leaders from HR, IT, data security, compliance and other key business components, he says.
Tanner suggests that to avoid overwhelming teams, components of the plan can be tested at different times. "Don't take everything at once; start with critical systems or those that are interdependent," he says. "Next time, test the plan for another set of systems."
Finally, while extreme weather events can knock out power or flood facilities, most network and system outages are due to other factors, Tanner says. "Disasters get headlines, but IT outages that aren't due to those sorts of events are worse," he says. If lots of organizations in a region are dealing with the pain of recovery after a hurricane, for instance, there's plenty of commiseration. But if an individual organization's systems crash for other reasons, followed by a messy recovery, then damage is compounded.
"Healthcare organizations need to secure their data and their reputations," Garland stresses.
So with hurricane season upon us, it's time for healthcare organizations to take stock of their disaster recovery and business continuity plans and put them to the test - before it's too late.