What Healthcare Facilities Should Know About Preparing for Disaster

Anna-Kay Sterling

Senior Systems Associate

October 30, 2018

Over the years, the Healthcare industry has grown, adapted and become highly dependent upon technology – and it has served this industry well, increasing operational value and effectiveness while reducing waste. It has transformed the way you do business and impacts everything from patient records (now being stored electronically and replacing paper) to patient registration, through the use of online and mobile technology. Technology has also made many of the day-to-day business operations much more convenient through the use of things such as medical imaging for patients and tele-monitoring (technology that can monitor vital signs and symptoms remotely).

As with every great reward, technology brings its fair share of risks to the industry – and as the use and need continues to expand, so does the need for ample security. Essentially, security comes in three forms – Confidentiality, Integrity and Availability (known as “CIA”) and this CIA model is key when safeguarding data. Let’s take a look at Availability, for example. Availability is simply ensuring that data remains constant and can be accessed when needed. This security objective may be considered high impact, depending on your risk tolerance.

As we all know, the hurricane season officially began in June and will run well into the latter part of the year. Reasons such as this make having a solid Business Continuity Plan critical to your organization. It not only makes good business sense, but HIPAA Security Rules also “require healthcare facilities to establish procedures to enable continuation of critical business processes for protection of the security of electronic protected health information (ePHI) while operating in emergency mode.”

Have you considered and assessed the risk and the impact a natural disaster will have on your facility? The impact to your patients, the financial consequences that exist if your plan fails? The answer for many is a resounding “no.” It is estimated that almost 50% of Healthcare practices believe that their recovery plans are inadequate. This same survey went on to state that “the results are critical for addressing potential safety issues that affect the health and lives of millions of Americans who are increasingly subject to hurricanes, wildfires, and floods as well as other man-made disasters like digital and criminal attacks.”

Threats and risks are ever present. You may hear the term “It’s not a matter of IF, but WHEN something will happen.” The key here is mitigation, and ensuring that the controls in place are not only regularly tested, but also will be successful once activated.

Below are a few areas to consider when developing your Business Continuity Plan.

Business Impact Analysis

Your Business Continuity Plan (BCP) should focus on ensuring that your facility is capable of maintaining operational processes during and after a disruption. The BCP should also consider processes that are rated as top priorities. In addition, it is very important to identify key system components and the impact a disaster will have on these processes. This procedure is called Business Impact Analysis (BIA). In the BIA, consider the following:

  1. Determine business processes and recovery criticality
    1. Identify the impact of a system disruption to key processes and determine the total downtime your Healthcare facility is willing to accept.
  2. Identify resource requirements
    1. Identify key system resources and ensure the following is noted:
      1. System component (Application/Database server)
      2. Operating system
      3. Short description of the system
  3. Identify recovery priorities for system resources
    1. Consider the different factors that need to be in place to meet recovery priorities

Resilience

Resilience is the ability to quickly adapt and recover from any known or unknown changes to the environment. You need to ensure that, whatever the disaster, your practice will be able to recover and continue operations without experiencing significant loss or disruption.

Consider the infrastructure that you currently have in place. Does it have the capability to absorb the effects of a disaster and still be able to function properly? Don’t just consider the physical infrastructure, but also consider things such as the encompassing network your technology sits on. If you have determined that the impact to the availability of data is high, the NIST framework recommends the following options: a fully redundant load-balanced system at alternate sites, data mirroring, and offsite database replication. Implementing these options may come with a heavy price tag; therefore, they should be reviewed carefully with input from key stakeholders. If you have determined that your practice can tolerate longer downtimes for recovery or restoration of data, the above options may not be necessary; however, a proper risk assessment is critical in making that determination.

Backup and Recovery

To ensure your facility is able to quickly restore system operations, the facility should consider having a dependable backup and recovery procedure, which is also a requirement of HIPAA. You need to be diligent about ensuring patient data, along with significant systems, are backed up regularly. In addition, the successes and failures of these backups should be monitored, and you should consider storing data offsite, which would help protect against loss if the primary location should be destroyed. Consider developing a test plan along with a test schedule to help identify deficiencies in your plan. We recommend performing testing of the plan at least annually to make sure the plan is in good shape and up to speed with any changes to your current threat environment.

Training

Finally, keeping your staff prepared for disaster is equally key to ensuring success of your BCP. To help ensure they are informed and prepared in the event of an outage, annual training should be conducted. Personnel identified to manage the development and execution of the plan should be involved in the training as well. Recovery personnel should be trained on the following:

  • Purpose of the plan;
  • Cross-team coordination and communication;
  • Reporting procedures;
  • Security requirements;
  • Team-specific processes (Activation and Notification, Recovery, and Reconstitution Phases);
  • Individual responsibilities

Remember, it’s not a matter of “IF” but “WHEN” a disaster will strike. Having an effective BCP in place and testing and communicating the plan to all levels of management and staff will lessen the impact and increase your chances of recovery.

References

The Department of Homeland Security (DHS) Risk Lexicon (September 2008) defines resilience as the “ability to resist, absorb, recover from or successfully adapt to adversity or a change in conditions.” The DHS Risk Lexicon can be found at www.dhs.gov/xlibrary/assets/dhs_risk_lexicon.pdf.

https://www.cmu.edu/iso/governance/hipaa/docs/HIPAASecurityRulePolicyMap_FINALv1.0.pdf

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf

https://www.hipaajournal.com/ocr-covered-entities-prepare-for-hurricanes-natural-disasters-8956/

https://www.prnewswire.com/news-releases/hurricane-warning-survey-reveals-healthcare-organizations-doubt-their-disaster-plans-are-up-to-the-task-300710898.html
