IT Disaster Preparedness and Response: 10 Essential Steps

It's been four years since Hurricane Sandy wreaked havoc along the East Coast. The storm, which became a hurricane on October 24, left devastation and death across six states.

Disasters like Hurricane Sandy and the recent Hurricane Matthew serve as important reminders of the need for an effective disaster response plan. For healthcare organizations, like all businesses, a disaster response plan should address many important areas, including information technology (IT).

The unfortunate reality is that disasters — both natural and man-made — are an unpredictable part of life. Like these disasters, an IT disaster can happen at any moment without warning. Fortunately, there are ways in which organizations can effectively prepare for and recover from an IT disaster.

Here are 10 essential steps your organization should follow to be better prepared for, and able to respond to, an IT disaster.

1. Understand your technology. Preparing for an IT disaster requires you to first understand how your organization could be affected. Perform an IT assessment that determines what technology your organization uses, how this technology is used (its role in your operations) and where it's located (i.e., on-site, off-site or in the cloud).

You should also determine the technology you need to run your operations. These are your "mission-critical" applications, and may include electronic medical records and practice management systems.

2. Improve preparation. After completing the IT assessment, conduct a risk analysis that identifies what would happen to your operations — the business and clinical impacts — if a disaster were to affect any of your IT components and what backup plans you have in place.

Use what you learn as an opportunity to make changes to decrease the chance of problems in the future. Simple solutions can include elevating computers sitting on a floor, which will decrease the potential for damage from flooding, or plugging computers into a surge protector, which decreases the risk of damage from a voltage spike.

3. Develop a comprehensive plan. An IT disaster plan must identify the steps an organization will take when an IT disaster occurs. The plan should address many elements, including objectives, both short- and, if necessary, long-term; what must happen to achieve those goals; who is assigned recovery responsibilities; and the timeline to achieve goals.

4. Choose a disaster recovery coordinator. In the event of an IT disaster, a member of your team will need to lead execution of your recovery plan. Choose someone to serve as your disaster recovery coordinator. This individual should oversee a disaster preparedness and recovery team comprised of representatives from all critical departments of the organization.

5. Determine your financial "pain" threshold. A serious IT disaster can cripple an organization for days if mission-critical applications go down and/or hardware is destroyed. In fact, an organization may not even be able to operate, at least out of the affected location.

While it is important to get everything fixed and operational again, it is also important to take into consideration that faster recovery likely means greater expense, especially when the recovery requires bringing in outside parties and/or staff overtime.

It is important to determine how much of a financial "pain" hit — in recovery expenses and lost revenue due to a closed or operations-reduced facility — you are willing to take in order to recover from an IT disaster. Work to find a solution that meets your clinical and financial needs.

6. Train. When an IT disaster strikes, staff members must understand their recovery roles and responsibilities. If they do not, the recovery process can slow down and more problems can arise. Provide training and retraining on specific roles and responsibilities. Make sure more than one individual is trained and capable of performing a particular role and function in the event a staff member is unavailable to assist during a disaster.

7. Test the plan. Schedule IT disaster drills, and observe staff response. Drills help staff learn how to effectively respond to an IT disaster, and you can use the experience to solicit feedback from participants and make improvements.

Also consider conducting a mock disaster drill where a disaster is simulated. It is best if only a few members of the organization know the scenario is a drill. This will allow you to see how staff realistically respond and perform their duties under pressure.

8. Document everything. The work you perform concerning IT disaster preparation should be documented. In the event of an IT disaster, your recovery coordinator must act quickly and make appropriate decisions based upon the preparatory work. By documenting the IT assessment, response plan and staff roles and responsibilities, the coordinator will be in a better position to move the response and recovery process forward.

9. Maintain the plan. When your organization invests in new technology or experiences staff turnover, address these changes in your IT disaster plan. Treat your plan as a living document, with the recovery coordinator tasked with keeping it current.

10. Take this seriously. It can be easy to overlook IT disaster planning considering all of the other disaster planning your organization likely undertakes. But overlooking IT disaster planning can be its own disaster.

Many organizations that experience an IT disaster, as most organizations do at least once in their lifetime, never fully recover. The loss of revenue from days closed and the cost of implementing recovery efforts — especially when unprepared, panic-driven decisions are made — can be financially devastating.

An IT disaster plan helps make recovery more likely, faster and cheaper. That's why it's better to prepare for the "what ifs" than to hope they never happen.
