Healthcare IT Recovery: 4 Business Continuity Myths Debunked

January 09, 2018

Last year, healthcare was the most targeted industry for malware attacks, accounting for 40 percent of all security incidents in the third quarter. Not to mention, the U.S. experienced 15 natural disaster events with losses exceeding $1 billion each-a record.

These figures clearly demonstrate why your hospital must be prepared to handle primary IT systems failure by establishing a business continuity plan and defining policies for IT disaster recovery. Business continuity is not redundancy! Redundancy provides for the near real-time failover of systems and is primarily initiated automatically without human intervention. Business continuity and disaster recovery are processes to restore services following a catastrophic failure normally in a remote location that is geographically separated from the location of the primary failure. Let's examine-and debunk-four business continuity myths:

Myth #1: Business continuity plans are only about technology.

A comprehensive business continuity plan includes the people, processes, and technology needed to keep a hospital operational in the face of a disaster, cyberattack, or more common incidents like hardware failures or power outages. The plan should detail reliable backup systems that include lines of authority, communications, and timeframes for regaining access to data and restoring services. Additionally, this plan should be regularly reviewed and tested, so it's ready when needed-only 31 percent of companies test their business continuity plans more than once per year. Myth-busting takeaway: Don't consider your business continuity plan just a IT security issue-it's about identifying risk for your entire organization, developing a plan, and testing it!

Myth #2: Disaster recovery systems aren't worth the investment.

Business continuity plans and disaster recovery tend to get pushed to the backburner, as limited healthcare IT budgets make it difficult to invest in disaster recovery systems. Further, the return on investment is seen as limited, since there is only a 'chance' it might be utilized. However, as industry trends indicate, that chance is great, and growing larger every day: More than three-quarters of IT leaders report using their disaster recovery solutions after a security threat like malware or ransomware. And the average costs of these incidents tops $1 million in infrastructure and $1.2 million in operational damages. Myth-busting takeaway: When considering your disaster recovery investments, it's not a matter of 'if', but 'when' you'll use it.

Myth #3: Disaster recovery systems are only needed for those impacting patient care, like the EHR.

Our healthcare customers often tell us they've prepared for business continuity because they've invested in disaster recovery systems for those impacting patient care, like the EHR. In reality, virtually every hospital IT system impacts care delivery. Consider a disaster scenario causing your clinical communications to fail. If that system didn't have the appropriate recovery capabilities, your doctors, nurses, call center operators, and other staff would lose touch. We often hear that a failure of a hospitals critical communications system quickly becomes a patient safety issue. Myth-busting takeaway: Identify the most crucial functions and systems to be prioritized and don't forget about those needed to support care delivery.

Myth #4: My vendors have redundant systems, so I don't need to verify business continuity plans.

Your vendor's business continuity planning is an important element of your own continuity. Talk to your vendors, ask questions, and know the details of their plan. And make sure business continuity is not lumped together with redundancy-you don't want IT concerns (redundancy) to be the only part of your vendor's plan. A recent Deloitte survey indicated 87 percent of organizations faced a disruptive incident with their vendors.

At Spok, we don't preach business continuity, we practice it, too-we've invested heavily in business continuity from our side, including the creation and maintenance of a geographically separate disaster recovery site. If any of our offices, including our Technology Operations Center in Plano, Texas, is ever compromised, we can quickly divert all major aspects of our systems operation to an alternative location with limited interruption to Spok customers. Myth-busting takeaway: Know the specifics of your vendor's plan, but remember vendor continuity doesn't negate the need for your own disaster recovery systems.

These days you can't afford not to invest in business continuity for your hospital. By doing so, you're safeguarding more than systems and data. You're ensuring delivery of excellent patient care-efforts that could mean life and death for patients.

By Tom Saine

Tom Saine is Spok's Chief Information Officer, a role he's held since 2008. As CIO, he provides executive leadership for the company's Information Technology and Wireless Messaging Network teams. He is a Certified Information Systems Security Professional (CISSP). He holds a Bachelor of Science in Management from California Coast University and a Master's of Science in Engineering Management from Columbus University.