September 17, 2022 | By Greg Dougherty
Three Keys to a Successful Disaster Recovery Testing Plan for Healthcare IT
By Dr. Michael Brody, HIPAA Compliance Specialist, Opti9
We are currently in the midst of the largest and most sophisticated cyberattacks the world has ever seen. Most recently, the “Petya” worm crippled computers, with drug giant Merck potentially being affected along with hospitals in Pennsylvania’s Heritage Valley Health System, and other companies and government systems around the world.
Just over a month ago, the “WannaCry” ransomware program locked hundreds of thousands of computers across more than 150 countries, resulting in critical downtime and financial losses across a wide range of industries. Making international headlines, the United Kingdom’s National Health Service (NHS), arguably one of the most significant victims, was forced to shut down multiple doctors’ offices, divert emergency room patients and cancel critical operations as a result of the attack. Just last year, the Hollywood Presbyterian Medical Center was forced to pay cybercriminals roughly $17,000 in ransom after a full week of network downtime, during which time the hospital was forced to send nearly 1,000 patients to outside facilities.
However devastating, cyberattacks aren’t the only culprit of unexpected and detrimental downtime. Natural disasters, human error and infrastructure failures all contribute to the need for reliable and tested Disaster Recovery (DR) plans for the fast and comprehensive recovery of critical data and applications.
Unfortunately, many organizations that employ comprehensive DR plans harbor a dark secret: no one actually knows if they will even work in a real-world scenario. This nagging issue is a result of the complex and time-consuming process of testing, which often goes overlooked.
Healthcare organizations find themselves particularly vulnerable to the devastating effects of service disruption, given their obligation to maintain compliance with HIPAA standards. Though patient data can remain secure during unexpected downtime and even many cyberattacks, data security is only one component of HIPAA compliance. In total, there are three main pillars to HIPAA standards:
- Security of Data: Unauthorized users cannot gain access to sensitive data.
- Integrity of Data: All data remains intact for extended periods of time without interruption.
- Availability of Data: Data can be retrieved at any given time without delay.
The often-overlooked integrity and availability components of a viable DR plan require the use of reliable, up-to-date, and tested application recovery capability. Failure to ensure operability through routine testing can result in disastrous consequences. As hospitals continue to become increasingly integrated and reliant upon interoperability, a properly preconfigured DR plan is critical.
For healthcare organizations seeking a DR solution that doesn’t only work in theory, below are three key steps to ensuring successful testing.
One: Employ Modern, Automated Construction
For many traditional disaster recovery setups, there simply are no best-practice processes and procedures in place to ensure adequate, periodic testing. By proper premeditated planning and integration of the recovery site into the production network, per application automated testing can occur with minimal human intervention. A true Disaster Recover as-a-Service (DRaaS) solution is not only about replicating data; that’s the easy part. The important piece is how to make it just as available as the production infrastructure is, and that’s where the focus must be during initial planning to ensure ease of testing and automated failover.
Gone are the days of 10-page instructional manuals outlining how to perform testing and actual cutover to the recovery site. With this level of automation, you can not only automatically test the DR procedures, but periodically simulate outages in a fenced environment to ensure application functionality in a live scenario. Having data copied offsite only addresses very specific downtime scenarios and does not provide enterprises with the peace of mind that they can cutover specific applications to a recovery site easily and as required.
Two: Shift Application Accountability
By employing the aforementioned modern and automated DR solution, testing can now be performed on a “per-application” basis instead of as a complete site failover only. In doing so, testing of applications at the recovery site can now be performed individually. This allows the shifting of accountability for DR testing to the specific application owners, not the IT department. The application owners are also the more appropriate party to provide accountability that applications will perform as expected at the recovery site, since they are the ones who understand the performance expectations of each application.
Three: Partner with an Advanced DR Service Provider
An advanced DRaaS provider does not apply a cookie-cutter approach, but rather is a partner who is willing to fully customize a solution that affords the ability to integrate the recovery site in a way that it’s presented to the end-users in the same way that production is, thus ensuring the automation and testing strategy can actually take place. An enterprise-class healthcare DRaaS solution is a solution that ensures the availability of applications with aggressive Recovery Point Objectives (RPOs) of seconds and Recovery Time Objectives (RTOs) of minutes. A great example is a HIPAA-HITECH DRaaS offering that enables remote enterprise customers to keep a warm copy of their mission-critical applications in the cloud, with physical diversity across our secure data centers, ready to be used at a moment’s notice.
With the looming threat of ransomware attacks and the unpredictability of natural disasters, ensuring that your DR solution is in working order is of critical importance for all healthcare organizations.
About the Author
As a HIPAA Compliance Specialist, Dr. Michael Brody brings to Opti9 a long history of experience within the HIT sector. Dr. Brody provides invaluable insight into current HIT practices through regular contribution of online health technology content and assistance in overall product and service strategy. He is also instrumental in speaking with Opti9’s healthcare customers and technical engineers to help plan and architect technical solutions that comply with various HIPAA and security requirements. In 2013, Dr. Brody was appointed Chief Compliance Officer of ICS Software, a provider of Electronic Health Records (EHR) software to doctors and medical practices, and also serves as President and Chief Executive Officer of TLD Systems, a team of specialists in the fields of medicine, law and technology with the common goal of making HIPAA compliance affordable for the independent practitioner. He has presented multiple times at Healthcare Information and Management Systems Society (HIMSS) tradeshows and events, which include some of the largest and most important healthcare IT conferences in the world.