Back to top

Disaster Recovery Primer for Healthcare Providers

Judi Grassi

Why You Need a DR Plan

If you are a healthcare provider that has implemented Electronic Health Records (EHRs), HIPAA regulations require that you have a disaster recovery (DR) plan in place. But if you don’t have EHRs, backup and disaster recovery are still crucial to the continuity of your healthcare organization (HCO). You need to protect the data and systems you use for patient registration, email, billing, and accounts payable because without these systems, your operations can come to a halt.

A disaster can take many forms. From data breaches and stolen hardware to hurricanes and fires, it is only a matter of time before you experience some form of a disaster. If you don’t have your systems backed up and a plan in place to restore your systems, your data can be lost forever.

The 3-2-1 Backup Rule

Backup and recovery can be more complicated than you think. For example, many organizations only back up to either tape or disk that’s stored in-house, but there are problems with this approach. First, your tape/disk backup should be stored offsite. This ensures your data is safe in the event a man-made or natural disaster affects the facility where your systems are located. The downside to this approach is that you cannot get quick access if you need to restore data or specific files.

Furthermore, when storing tape or disk backups offsite, you want to be sure the storage site is not close to the site where your IT systems are located. For example, one provider stored its tape backups in a facility across the street from its offices so they could quickly retrieve them. Unfortunately, the region was hit by a major hurricane, destroying both the practice office and the tape storage facility.

In addition, storing your backups solely on tape media is not conducive to random access. If you want to restore a file that is at the end of a tape, the tape drive must go through the entire tape to find the file you want.

The fact is, you need to have multiple backups to ensure you can retrieve your data regardless of the type of data incident or disaster. Industry best practices dictate a 3-2-1 rule:

  • Maintain three copies of your data – the production data plus two backup copies
  • The two backup copies should be on different media – for example disk and tape, disk and cloud, or tape and cloud
  • One of the backup copies should be stored offsite – tape or disk backups must be stored a distance away from the production system or the backup is stored in the cloud

This approach ensures you have quick access to data regardless of the event. If you need to quickly restore one or more files, you can access a backup that is locally stored on disk or in the cloud. If your facility is destroyed, you can restore your data from offsite tape, disk storage, or from the cloud. Regardless of the circumstances, the 3-2-1 rule is the best approach to ensure you get your data back and get your practice back up and running fast.

Test Your DR Plan

Another “gotcha” can happen when you try to recover your data from a backup. One HCO consistently backed up their data but never tested data recovery. Somehow a glitch made data recovery impossible, but fortunately this HCO engaged a managed service provider (MSP) who discovered the backup issue before it became a major problem. The lesson: test your disaster recovery plan on a quarterly basis to be sure you can recover your data from your backups.

When it comes to ensuring you can retrieve your data and get your operations back up and running after a disaster, you want to regularly exercise your disaster recovery plan. At a minimum, small to midsize HCOs should perform tabletop exercises. A tabletop exercise is a meeting attended by all involved parties where they discuss a simulated emergency situation and the actions each party will take in a particular emergency. This provides the opportunity to clarify individual and team roles and responsibilities and collect new information to continuously update the disaster recovery plan. In addition to tabletop exercises, HCOs should also consider running drills and full-scale exercises. If your disaster recovery plan doesn’t work, you don’t want to discover that during an actual disaster.

Last Thoughts

Like many HCOs, you can look to an MSP to take on the responsibilities of data backup and disaster recovery as well as other IT management responsibilities. This allows your hospital, clinic, or practice to focus on your patients and let the MSP focus on your data and systems.

For more information on disaster recovery, contact Logically at 866.946.9638.