HDRP Healthcare Disaster Recovery Planning

1
HDRPHealthcare Disaster Recovery Planning
An overview of readiness for Disaster
Recovery/Business and Operations Continuity
Planning in a healthcare environment.
2
Introduction

• It is vital for healthcare providers to take the
  development and maintenance of a disaster
  recovery plan seriously. It is not a process that
  can be left until someone finds enough time to
  deal with it. A serious incident can occur at any
  time.
• Disaster Recovery (DR) has always been important
  to healthcare, but the events of recent years
  have increased the awareness and highlighted the
  importance of this often overlooked business
  function. The loss of mission critical systems
  can result in the disability of business
  continuity and patient care. The ability to
  recover systems quickly, accurately and
  completely is critical to the ongoing business,
  operations and clinical up time success during a
  crisis.

3
Industry Terms

• DRP Disaster Recovery Plan
• BCP Business Contingency or Continuity Plan
• RPO Recovery Plan Objective
• RTO Recovery Time Objective
• BOIA Business and Operational Impact Assessment
• RA Risk Assessment
• Hot Site A commercial DR service that allows
  the continuance of computer and network
  operations by providing system and
  infrastructure.
• Cold Site Similar to a hot site but the client
  provides the hardware.
• RCO Remote Computing Option, where the
  application and system requirements are provided
  on a remote network and brought on-line only in
  case of an emergency and access to the remote
  network and application is done through secure
  standard WAN technologies.
• Outsourcing Vendors that will provide the
  entire planning, recovery options and plan
  maintenance.
• DR Planning Tools Software and templates that
  provide a guide for planning and maintenance.

4
Topics of Discussion

• Awareness and Compelling Reasons
• HIPAA Regulations
• Business Impact Analysis (BIA)
• Risk Assessment
• What is Healthcare Disaster Recovery Planning
  (HDRP)
• First Steps
• Awareness
• Assessments
• Process Ranking
• Creating the DR Plan Infrastructure

5
Healthcare Disaster Recovery Planning
What is it.

• Healthcare Disaster Recovery and Contingency
  Planning is the creation of coordinated efforts
  for restoring system (s), data, IT and clinical
  operations that will support mission critical
  applications and processes such as
• Patient Care
• Patient Management
• Medical Records (EMR, HER)
• Financials
• Departmental such as
• Lab
• Radiology
• Imaging
• Outpatient services
• It is the infrastructure that will ensure the
  continuity of key automated processes that are
  critical to the continuance of business and
  patient care operations.

6
Awareness Compelling Reasons

• Compliance Regulations
• Emergency Preparedness
• Natural Disaster (s)
• Human Caused Disasters
• Technological Disasters
• Growing Dependency on automation for business and
  patient care
• Up to date with technology
• Cyberspace Threats
• Cost of downtime

7
DRP vs. BCP - What is the difference

• BCP is the general term that disaster recovery
  planning is evolving to.
• A DRP was or is considered reactive and usually
  focuses on recovering a computing environment.
  Although measures may be taken to harden the
  computing infrastructure to prevent a disaster,
  the plans main objective (RPO) is to recover
  from damage to the computing infrastructure.
• In healthcare, the needs to continue with
  business and patient care during an event is
  critical, therefore DR planners started to
  strategize on how to include business and patient
  care continuity or contingency planning as part
  of the DRP. BCP is not only proactive, it is
  intended to keep the organization operational
  during an event, not just recovering the
  computers after the fact.

8
Awareness - Compliance - HIPAA

• Health Insurance Portability and Accountability
  ACT (HIPAA)

"Each entity needs to determine its own risk in
the event of an emergency that would result in a
loss of operations. A contingency plan may
involve highly complex processes in one
processing site, or simple manual processes in
another. The contents of any given contingency
plan will depend upon the nature and
configuration of the entity devising it." --
(From the Department of Health and Human
Services, 45 CFR Parts 160, 162, and 164, Health
Insurance Reform Security Standards Final Rule)
9
Regulation Compliance - HIPAA

• Disaster recovery (DR) planning often fails to
  take into consideration how various regulations
  and compliance issues will impact the firm after
  a disaster strikes.
• Though it doesn't impact all businesses, those
  regulated by the Health Insurance Portability and
  Accountability Act of 1996 (HIPAA) will quickly
  find that DR planning for this regulation is an
  intricate web of potential pitfalls.
• One thing that is clear from HIPAA's security
  rule is that producing a DR plan is a HIPAA
  requirement however, the act is written to be
  "technologically neutral," which leaves room for
  each covered entity to choose the technology best
  suited to its needs.

10
Compliance Core Principles
Mandates
HIPAA
11
Awareness - Emergency Preparedness
The goal of emergency preparedness is to give
individuals and organizations the preparation and
knowledge to effectively respond to an emergency.

• Bioterrorism
• Anthrax
• Plague
• Tularemia
• Chemical Emergencies
• Nerve Agents
• Chlorine
• Ricin
• Sarin
• Radiation Emergency
• Dirty Bombs
• Nuclear

• Mass Casualties
• Explosions
• Burns
• Trauma
• Natural Disasters
• Tornados
• Hurricanes
• Wildfires
• Earthquakes
• Outbreaks Incidents
• Avian Flu
• Seasonal Flu
• Mumps

12
Awareness - Natural Disasters

• Although technological advances has given the
  ability to predict the occurrence of certain
  events, some events are difficult to predict or
  can not be predicted at all. Recent events have
  demonstrated the magnitude and impact of such
  events.
• Some of these natural disasters are
• Earthquakes or Seismic events
• Hurricanes
• Typhoons
• Wildfires
• Tornados
• Tsunamis
• Others

13
Awareness Human Caused Disasters

• Human caused disasters can be divided in two
  separate categories, Intentional, Accidental.
• Intentional Disasters
• Terrorism
• Bioterrorism
• Intentional explosions
• Arson
• Civil Disorder
• Collateral Damage
• Cyber threats
• Accidental Disasters
• Non intentional Contamination
• Accidents involving
• Non intentional explosions
• Accidental collateral damage
• Accidental fires
• Epidemic

14
Awareness Technological Disasters

• Technological disasters have the most number of
  occurrences. They are related to technology in
  the practice automation. But sometimes they can
  be unrelated involving vendors, service providers
  and non-related technologies.
• Some of these disaster include
• System (s) failure or crashes
• Application and or software failure
• Utility Outages
• Power, water and gas
• Technology service providers
• Cable and telephone company
• Satellite services
• Wireless
• Outages
• Neighboring technology disasters that may affect
  you.

15
Awareness Dependency on Automation and
Technology Update

• As computing technology advances, the dependency
  on healthcare automation grows. In most cases
  this technology is crucial to the continuance of
  patient care and administration processes.
• Vendors and service providers are constantly
  offering improvements and or better technology
  related to hardware and software that give
  physicians and administrators better automated
  tools or processes. The dependency in automation
  is accentuated more in the clinical and financial
  aspects of a practice.
• Some of these dependencies are in
• Hardware
• Clinical, administrative and financial
  applications
• Network LAN/WAN/Wireless
• Specialty integrated medical equipment

16
Actual hospital IS environment - MHMC
17
Awareness Financial Impact
High Availability Cannot Be Acquired
Out-Of-The-Box It Is Built Into the
Architecture and Preserved by Effective Processes

• Productivity Loss
• Number of Fully Burdened Employee impacted

• Lost Revenue
• Direct Loss
• Compensatory Payments
• Lost Future Revenues
• Investment Loss

• Delayed Collections
• Billing Losses
• Missed Discounts

• Extra Expense
• Cost to Recover
• Overtime Expense
• Increased Fraud Risk
• Increased Error Rate
• Travel Expenses
• Temporary Employees

• Damaged Reputation
• Patient, Suppliers, Partners, Banks, Financial
  Markets
• Credit Ratings

• Penalties
• Contractual
• Regulatory
• Legal

18
Recovery metrics for evaluating DRP/BCP strategies
Clinical and Business Operations
Strategic Planning and Control, Architecture
Definition for Clinical and Business Processes
Applications
HIS Legacy Applications, Data Structures, Naming
Conventions, Quality Standards Application
Integrations
DRP/BCP Management Practices
Change, Problem, Configuration
Support Systems
Operations Automation, Logical Security, HIS,
Departmental Middleware, Database
System (S) Software
Operating Systems
System (s) Hardware
Capacity Planning, Servers, User Interface
Storage Devices, Routers, Switches
Enterprise Facilities
Facilities Management, Environmental, Clinical,
Administration, Utilities, Safety and
Preparedness
19
Business and Operation Impact Assessment
What is a Business and Operation Impact Assessment

• A Business and Operation Impact Analysis (BOIA)
  is the foundation for business and patient care
  continuity planning. A detailed BOIA should
  identify the business, financial and clinical
  operational impacts that may result from a
  disruption of operations. Negative impacts may
  results in
• Cost of downtime
• Loss of Revenue
• Inability to continue with patient care
• Loss of automated processes

20
Risk Assessment

• What is a Risk Assessment
• A risk assessment is the analysis of possible
  disasters, including natural, technical, social
  and human threats that can result in short or
  long term downtime. Each functional area of the
  organization should be analyzed to determine the
  potential negative consequences and impact
  associated with various disaster scenarios.
  During the risk assessment process consideration
  should be given to evaluate the safety of
  critical documents and vital records related to
  the continuance of patient care and business
  operations.

• Although the exact nature of potential disasters
  or their resulting consequences are difficult to
  determine or predict, it is beneficial to perform
  a comprehensive risk assessment of all threats
  that can realistically occur. Regardless of the
  type of threat, the goals of business and
  clinical operations continuity and disaster
  recovery planning are to ensure the safety of
  patients, employees and systems recovery during
  and following a disaster

21
Risk Assessment

• Risk Assessment cont.
• Items to consider in determining the probability
  of a specific disaster should include, but not be
  limited to
• Geographic location
• Topography of the area
• Proximity to power sources, water bodies, and
  airports
• Degree of accessibility to the organization
• History of local utility companies in providing
  uninterrupted services
• History of the areas susceptibility to natural
  threats
• Proximity to major highways which transport
  hazardous waste and combustible products
• Proximity to nuclear power plants
• Other factors

22
Awareness Financial Impacts

• Awareness
• It is good practice to understand and demonstrate
  a clear commitment to establishing and
  maintaining effective disaster recovery and
  contingency planning processes.
• All management and clinical staff should be
  informed that a disaster recovery plan is
  required in order to ensure that the essential
  business and clinical functions are able to
  continue in the event of serious adverse
  circumstances.

23
The First Steps

• Planning
• A good start is to create a list of all necessary
  documents and information. Where this may include
  documents containing sensitive patient and
  business information.
• Care must be taken to ensure that confidentiality
  is not compromised and regulatory requirements
  are met.
• A list of documents and information which could
  be required as part of the planning.
• Create an effective backup strategy that will
  ensure the safety of critical patient and
  financial information

24
The First Steps

• Assessing Key Business and Clinical Areas
• The disaster recovery plan should include a
  descriptive list of the organization's major
  business and clinical areas. This list should
  rank the areas in order of importance to the
  overall organization.
• Each item should include a brief description of
  the business and clinical processes and main
  dependencies on systems, communications,
  personnel, information systems and data.

25
Approaches to HDRP

• Infrastructure
• Office space, phones, intranets, LAN/WAN access,
  internet/intranet, security etc.
• Systems Restore
• Includes both Hardware and Operating System
• Critical Applications
• Includes programs that are critical to the
  continuity of the business and patient care.
• Data
• Live records containing business and clinical
  transactions as well as specific procedures and
  business rules.
• Operations Continuity
• Daily operations and tasks to secure the
  continuance business and patient care processes.

26
Getting Started

• Assess
• Assessments are critical to the planning of
  healthcare disaster recovery. They can provide
  detail information that can be crucial when
  making a decision. Accurate Disaster Recovery
  Planning can be accomplished by having
  information before hand regarding risk factors
  and the impact of operations interruption.
• Determine what the Recovery Plan and Time
  Recovery Objectives.
• Determine what the objectives are for planning
  and recovery time.
• Determine the requirements for planning.
• These are the planning requirements that need to
  be met in order to accomplish your recovery plan
  and time objectives (RPO RTO).

27
The Disaster Recovery Plan

• The Workflow
• It is crucial to develop an effective workflow.
  The workflow can determine how your DR plan will
  be executed.
• It also provides a guide and road map to the
  decision making process.
• The response and recovery time frame will impact
  on overhead costs and loss of revenue.

Restore To Normal Operations
Crisis Anticipation/ Declaration
Restore From Backup
Emergency Response
Mobilize Resources
Restore Application
Resume Operations
Remote Location
Remote Location
Remote Location
Remote Location
Overhead Costs and Loss of Revenue
28
Getting Started

• Disaster Recovery Options
• Outsourcing Planning knowledge, development
  maintenance Engagement on hourly or fixed rates
  
• DR Planning Tools DRP development
  maintenance. One time charge plus support pending
  on delivery options, web-based or standalone.
• Cold Site - Recovery site based on options and
  contractual agreement. Monthly or per occurrence
  charge.
• Hot Site For complete redundancy and recovery
  site based on options and contractual agreement.
  Monthly charge. (Expensive)
• RCO Based on options and contractual agreement.
  Monthly or per occurrence charge. (Least
  Expensive)
• Self Sufficient Where the organization provides
  its own recovery option (s).

29
Getting Started

• Disaster Recovery Plan Testing
• It ensures that the Plan works
• It ensures that team members are up to date with
  changes
• It assess changes needed to adapt to new
  technology and processes
• Test the plan simulating real possible scenarios
• The plan should be tested at least once a year

30
The Disaster Recovery Plan

• In conclusion
• Healthcare Disaster Recovery Planning is a
  comprehensive and complex process that needs keen
  assessments and evaluation.
• In order to create and effective plan you must
• First Assess
• Second Determine your objective
• Third Determine the requirements
• Fourth Develop the plan
• Fifth Implement the plan
• Six Test the plan
• Seven Keep the plan up to date.

31
Always Remember this.
Being proactive with a disaster recovery and or
contingency plan will ensure a planned reaction
to mitigate an unplanned business, clinical or
systems disruption during a disaster
situation Charlie Olmeda
Questions and Answers

• Thank you
• For more information on
• Healthcare Disaster Recovery Planning
• please contact Charles Olmeda at
• (704) 414-6637 or (704) 641-9535
• colmeda_at_hcitservices.com