If you were to ask yourself how you would function during massive data losses or without access to your computers, you'd probably realize that doing so would be impossible. As critical infrastructure, the healthcare industry must have a sound prevention strategy paired with robust disaster recovery and business continuity plans.
Recognizing Healthcare's Unique Role in the Community
Healthcare organizations are seen as pillars and stabilizing forces within a community. Some, like hospitals, require community access 24-7. Even if a facility isn't physically open, healthcare organizations provide essential information for their patients at all hours.
If it's midnight and a child is sick, a parent will go to their healthcare practice's website for information. They'll go looking for answers, they'll make a phone call, and the healthcare organization has to be there.
Many healthcare organizations have the added obligation of maintaining operations through unforeseen experiences, including disasters whether natural or engineered. This underscores the need for disaster recovery and business continuity plans focused on data and necessary technology.
Disaster Recovery and Business Continuity Work Together
Business continuity and disaster recovery rely on one another, but it's good to treat each plan as an individual, fluid document that needs to be updated regularly.
Disaster Recovery Plan
A disaster recovery plan helps a healthcare organization resume normal operations or gives it the tools to make continuation possible. Continuation includes access to medical data needed to manage care and perform other critical functions. Access to data is essential for ongoing operations when your community may need it most.
When it comes to data, a disaster recovery includes how to access and resume information access to an acceptable status quo.
For example, if a cyberattack locks access to patient data, anyone who needs to use that data won't have access until the incident is resolved. (Ransomware is a serious issue in healthcare. Since 2016 ransomware attacks have resulted in the theft or encryption of more than 25 million individuals' records.)
Disaster recovery is the ability to recover from that scenario.
Business Continuity Plan
Where disaster recovery ends and business continuity starts is the point where you've recovered your data. From there, you need to establish how you'll rebuild your organization into the period beyond. The business continuity plan focuses on how the healthcare entity will continue to provide services in an emergency, including what is needed to establish secure access to technology. It leans into a healthcare organization's ongoing responsibility for the public.
While these two plans are sufficient for many businesses, healthcare needs a third component, a prevention strategy designed to reduce the risk of an IT or data event that results in loss of service or protected data.
Why Healthcare Needs Prevention Strategy
Regaining data access control (disaster recovery) is critical for continuing normal operations (business continuity.) Prevention strategy increases the likelihood of the best scenario: no disaster, no plan needed.
One reason is that in addition to healthcare's obligation to the community, the data it uses and maintains is considered legally protected information. Healthcare providers need to maintain operations and meet the commitments of mandated compliance and data security.
Protected Health Information (PHI) is any information created, used, or disclosed while providing healthcare services that someone could use to identify an individual. The HIPAA Privacy Rule provides federal protections for that information when held by covered entities and gives patients various rights concerning that information.
Abiding by HIPAA rules is not optional. The effects of breached technology and access to PHI have serious implications for healthcare facilities, those responsible for data security, and of course, patients.
In addition, if PHI is inappropriately accessed, reporting is required.
Meeting Security Obligations while Maintaining Operations
Access to technology, including hardware, software, mobile devices, and the data that powers those tools is not negotiable in today's medical practice.
The challenge for healthcare providers is to meet the mandate to keep operating and meet security requirements while doing so. Mandated compliance for data security and the need for near-constant access to critical patient data can feel at odds, a feeling that can be heightened during a crisis.
Additionally, we have higher expectations of healthcare organizations than we would anybody else in the community. Disaster and business recovery plans have additional scrutiny for those in healthcare.
Cyberattack Incidents Are Disasters
It's easy to envision how events like a pandemic or a fire or something are disasters, but anything that causes a loss or severe impact to critical infrastructure qualifies. The loss of technical and technological systems, like hardware, software, medical equipment, or redundant technology is a disaster in healthcare. That also means something as basic as a data disclosure may need to use the recovery and continuity plans.
Cybersecurity incidents have risen to the top of modern disasters. While they range in impact and severity, data breaches present a serious and constantly growing problem.
Preventative measures are required to reduce the impact of these engineered disasters.
Plan for "When" Not "If"
Forward-thinking healthcare practices recognize that experiencing a cyberattack is not a matter of "if" but "when." A third of organizations will experience ransomware attacks in some way or shape or form. In 2020 there were 599 healthcare breaches, a 55.1% increase over 2019.
Healthcare hackers have become an industry threat and the US healthcare industry's data is a major target. In addition to holding data critical to patient care hostage, healthcare data contains information that bad actors can sell to identity thieves or confidential information may be released. It's also possible for bad actors to interfere with or seize control of wireless medical equipment.
Regaining data access control (data recovery) is critical for continuing normal operations (business continuity.)
For this reason, preventative measures like disaster recovery testing to reinstate data based on backups, network penetration tests, and cybersecurity training for staff are vital parts of a recovery plan.
What's Involved in IT and Data Disaster Recovery
While planning, network and telecommunications redundancy, data backup solutions, anti-malware systems, and even backup power generators must be considered. Establishing a disaster recovery team as part of an internal IT department or with a partner can make the process easier.
Of immediate concern is mitigating downtime and service access to reduce any threats to patient care, including continued access to patient records and other required data.
In addition to reducing the impact on patients, an effective disaster recovery plan can help mitigate and manage compliance-related issues, including fines, lawsuits, and closures. Further, if you're an individual that in some way has blatantly failed your responsibility, you could be held personally liable and serve time in jail.
The plan must include realistic expectations as well. Even with good leadership, it can take significant time to recover fully: in 2020, it took more than 230 days for most healthcare organizations to recover from a data breach, and hacking and IT incidents were the cause of 67% of those breaches.
Prevention Strategies Help Lower IT and Data Risks
Unlike with a natural disaster, healthcare organizations are not powerless against all these factors. Healthcare entities can take affordable, manageable steps to prevent an IT or data disaster from occurring. Even small, starting steps diminish and reduce the impact of a confidential information data breach incident and its liability.
Prevention strategies include taking steps to practice good digital hygiene and closing security gaps, educating staff, and testing disaster recovery plans before they're needed.
Practice Good Digital Hygiene
IT and data disasters can't be entirely zeroed, but simple efforts can significantly reduce their risk and impact. Regular, recurring housekeeping and maintenance on IT systems ensure that those vulnerabilities are shored up and make it harder for a data disaster to occur. Even actions as simple as deploying patches on all technological systems and maintaining against known vulnerabilities.
Healthcare organizations need to ensure that breaches are not occurring as a result of highly preventable situations. Even unintentional violations due to unencrypted email attachments, unsecured wifi networks, inappropriate access to tech items like ipads, laptops, or monitoring equipment containing PHI, and many others, can trigger an event.
Educate Staff Before the Plan Is Needed
Educating staff on legal obligations and what is needed to maintain systems and data security is vital for all healthcare entities, no matter what size. Understanding ways that data can be compromised by hackers, like phishing, helps protect the entire system. Providing information on what tools, processes, and resources can help achieve better results when it's time to use the plans you've made. Be sure to include all staff responsible for PHI, including the staff of satellite offices, clinics, community health outreach, to name a few.
Test and Drill the Plan
Disaster recovery and business continuity plans are most effective if reviewed, tested, and drilled before they are needed. Ideally, a team should run through the plan using a test scenario to ensure end-to-end security and compliance. However, even a tabletop drill can improve the plan and identify additional preventative actions.
Matching Plans with Actions
Identifying the myriad challenges of healthcare organizations can be daunting. Creating plans, matching them against mandates, and putting together an implementation plan that can roll out quickly are a few of the many aspects to consider.
The good news is that solutions specific to recovery and maintaining operability throughout the entire scope exist, from the initial backup plans to a complete restoration plan that utilizes properly encrypted methods to reestablish technology and data.
Access to those who understand the landscape and challenges healthcare providers face in IT and data security will improve the process. An internal IT team of subject matter experts or an outsourced IT support partner with industry-specific knowledge will help a healthcare entity meet the constantly changing issues that IT and health data present.
An effective prevention strategy partnered with solid disaster recovery and business continuity plans fulfill a healthcare entity's obligation —and create peace of mind for the entire community.