healthcare disaster recovery guide

Velocity Technology Solutions / August 2015

2015 Guide: Healthcare Disaster Recovery Planning

This guide will:

• Detail changes in healthcare and related technologies that are causing IT executives to reevaluate traditional approaches to disaster recovery

• Outline healthcare regulations that are triggering a shift in patient data and necessitating always available access to that data

• Provide leaders with a contingency plan checklist that can meet the requirements of HIPAA

• Suggest a process for assessing and developing an effective disaster recovery plan for healthcare

• Present criteria for selecting a managed disaster recovery provider that meets the requirements of healthcare today and in the future

• Show how healthcare enterprises can realize a 20%-40% reduction in disaster recovery expenses while guaranteeing recoverability

Upload: deepa-nair

Post on 12-Apr-2017


A Modern Approach – Rethinking Disaster Recovery in 2015

TABLE OF CONTENTS

A Modern Approach – Rethinking Disaster Recovery

Downtime Is Not an Option – Why Disaster Recovery Is Critical in Healthcare

New Healthcare Regulations Trigger Disaster Recovery Review

A Checklist – HIPAA Compliant Contingency Plan

Assessing the Health of Your Current Disaster Recovery Plan

Developing an Effective Healthcare Disaster Recovery Plan

Disaster Recovery in 2015: Managed Disaster Recovery

A Guide to Selecting a Healthcare Disaster Recovery Provider

A Proven Healthcare Solution: Velocity Managed Disaster Recovery

Healthcare Data is increasing at a rate of 48% each year, globally

The secure retrieval and protection of digital records against loss, theft, or disruption is presenting new challenges to IT leaders. There is a great deal of focus on loss and theft, but disruption of access due to system failure, natural disaster, or other contingency events is often overlooked. The standard for recovery and restoration then comes down to two questions: to what point in time will digital records be recovered, and within what threshold of time must access to those records be restored in order to preserve patient safety and guarantee quality of care?

A comprehensive approach to the recovery of critical applications as well as the rest of the infrastructure is required for healthcare organizations to not just survive an outage, but to also resume normal business operations in a more timely and efficient fashion.

Traditional disaster recovery (DR) methods no longer meet the requirements of today’s healthcare system. A recent report revealed that 82% of healthcare IT executives do not believe they are prepared for a disaster.2


A new era of increased reliance on technology in the healthcare sector is producing an unprecedented amount of data, increasing at a rate of 48% every year.1 With the promise of dramatic improvement in the quality of patient care, the shift towards electronic health records and digital images is an effective approach towards more efficient, accessible, and compliant services.

In addition to the measurable benefits with respect to physician workflow and patient-related outcomes, the Health Information Technology for Economic and Clinical Health (HITECH) Act, a component of the American Recovery and Reinvestment Act of 2009, represents the nation’s first substantial commitment of federal resources to support the widespread adoption of electronic health records (EHRs). The HITECH Act authorizes the Centers for Medicare & Medicaid Services (CMS) to provide incentive payments to eligible professionals (EPs) and hospitals who adopt, implement, upgrade, or demonstrate meaningful use of certified electronic health record (EHR) technology. CMS is making up to $27 billion available in EHR incentive payments, or as much as $44,000 (through Medicare) or $63,750 (through Medicaid) per eligible health care professional. Eligible hospitals, including critical access hospitals (CAHs), can qualify for incentive payments totaling some $2 million or more.

1 Driving Digital Growth in Healthcare, EMC, 2014

2 MeriTalk Report: Rx: ITaaS and Trust, February 2014


Natural Disasters

Hurricanes, floods, tornadoes, and earthquakes can significantly damage or completely bring down a healthcare data center, putting patients at risk if a disaster recovery plan is not in place. The widespread damage and operational shutdowns caused by Superstorm Sandy in 2012 forced hospitals to re-evaluate the integrity and effectiveness of their contingency plans, highlighting deficiencies of traditional disaster recovery means.

System Failures and Outages

While natural disasters and cyber attacks often capture headlines, system failures and power outages are the most common reasons for infrastructure downtime and data loss. A 2014 report revealed 40% of global healthcare organizations experienced an unplanned outage in the past 12 months.3

Traditional disaster recovery planning focuses on facilities or sites being compromised; more progressive thought allows for the recovery of a single system, a complex application, or the entire site.

Cyber Attacks, Data Breaches and Digital Disasters

IT leaders traditionally think of natural disasters when considering disaster recovery plans, but cyber attacks could be healthcare’s greatest threat in 2015 and beyond. IDC analysts predict 50% of healthcare organizations in 2015 will have experienced 1-5 cyber attacks in the previous 12 months. Research in 2014 conducted by MIT Technology Review revealed that cyber attacks on hospitals increased 600% in just ten months.3

Cyber attacks on hospitals increased 600% in ten months ~ 2014 MIT Technology Review

Digital disasters force healthcare organizations to restrict access to critical records and disrupt system interoperability, not just for compromised systems but for all systems. Having a flexible recovery strategy can eliminate this knee-jerk reaction.

Modernizing Disaster Recovery

The traditional view of disaster recovery as a “check the box” measure, or as an “elective procedure,” is rapidly shifting. Healthcare organizations realize that today’s contingency planning must guarantee recoverability at all levels to support ongoing patient care as well as compliance with government regulations. The most effective disaster recovery plans can also be used during scheduled downtime such as migrations, upgrades, and maintenance, while maintaining continuity of business operations.

Downtime Is Not an Option: Why Disaster Recovery Is Critical in Healthcare

The requirement to adopt EHRs and the emergence of Health Information Exchanges (HIEs) are creating large amounts of complex data, which must be available immediately at the time and point of care.

Access to data is critical to patient safety and health outcomes, meaning that downtime is not an option. What was once considered an acceptable standard recovery time is no longer sufficient as care providers rely on electronic medical and health records.

While guaranteeing patient care and safety is paramount, downtime also presents a significant financial risk. One report shows healthcare organizations face average costs of $690,000 per outage incident, representing a 40% increase in three years due to the increase in electronic data. The report found that larger hospital groups with more extensive IT systems could pay out nearly $1.74 million per incident.4

Consequences of lost healthcare data:

• Lower quality patient care and health outcomes

• Inability to capture transactions

• Penalties for HIPAA non-compliance

• Unplanned cost of recovering and repairing infrastructure

3 Hackers are Homing in on Hospitals, MIT Technology Review, September 2014

[Chart: Health Systems with Electronic Health Records, 2014 to 2020; values shown: 80% and 95%]

4 Ponemon Institute - Emerson Network Power Report, December 2013

Forces of Change in Disaster Recovery

• “Meaningful use” and reliance on technology

• Increasing frequency of disasters and breaches

• More stringent regulations for privacy and confidentiality

Traditional disaster recovery methods no longer satisfy the requirements of technology enabled health services.


New Healthcare Regulations Trigger Disaster Recovery Review

New regulatory requirements are driving a monumental shift in the stewardship of patient data. Modernizing disaster recovery plans is becoming a priority in order to comply with the ever-increasing body of law regarding patient health information.

EHR

Electronic Health Record (EHR) legislation that provides financial incentives for the adoption of EHR technology is causing a significant increase in patient data that needs protecting.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) requires hospitals to develop a contingency plan in the event of an emergency or outage.

HITECH

The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthens security rules. Under HITECH, there are significant increases in security enforcement and higher penalties for non-compliance.

Meaningful Use

Compliance guidelines for EHRs include several meaningful use requirements related to disaster recovery. In the event of a disaster, hospitals are required to effectively recover electronic patient health information (ePHI). Healthcare systems must have contingency plans for providing access to ePHI in the event of a failure.

CMS Qualifications

To qualify for federal incentive payments by the Centers for Medicare and Medicaid Services (CMS), healthcare systems are required to recover electronic patient data in the event of a disaster.

A Checklist: HIPAA Compliant IT Contingency Plan

The Department of Health and Human Services has established the following guidelines to help fulfill the requirements of HIPAA.

A HIPAA Compliant IT Contingency Plan includes:

Data Backup Plan - Establish and implement procedures to create and maintain exact copies of electronic protected health information. These backups must be retrievable at any time and kept secure from unauthorized access.

Disaster Recovery Plan - Plans must include procedures to restore any loss of data. When a disaster event has passed, there must be the ability to retrieve and restore a backup of all protected health information.

Emergency Mode Operation Plan - Procedures must be established to enable the continuation of critical operations that secure electronic protected health information.

Testing and Revision Procedures - IT contingency plans must be periodically tested and revised based on changing conditions and requirements.

Applications and Data Criticality Plan - Contingency plans should be prioritized based on the importance of the data and processes they cover. It should be documented which plans are highest priority during a disaster.


Developing an Effective Healthcare Disaster Recovery Plan

The first step in disaster recovery planning is to conduct a business impact analysis (BIA). This involves identifying which systems and applications are most critical for operations and then prioritizing them in order of recovery. In the case of a healthcare organization, this includes determining the impact to patients and care delivery.

As part of your business impact analysis, three key measures of disaster recovery must be established:

Maximum Tolerable Downtime (MTD) - MTD is the total amount of time the system owner can accept for a business process outage or disruption, including all impact considerations.

Recovery Time Objective (RTO) - RTO is the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on business process.

Recovery Point Objective (RPO) - RPO represents the point in time prior to a disruption to which business process data must be recovered after an outage.

Once MTD, RTO, and RPO are established for each business process, application, and system, a recovery strategy can be developed to meet your business objectives.
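The following Python example is added here and is not part of Velocity's guide. It records MTD, RTO and RPO per system, orders the systems for recovery, and flags plans whose backup interval or last tested restore time cannot meet the stated objectives; the system names, field names and figures are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SystemObjectives:
    """BIA measures for one system, plus what the current plan delivers."""
    name: str
    mtd: timedelta                       # Maximum Tolerable Downtime
    rto: timedelta                       # Recovery Time Objective
    rpo: timedelta                       # Recovery Point Objective
    backup_interval: timedelta           # time between recoverable copies
    tested_restore: Optional[timedelta]  # last restore test duration, None if untested


def findings(s: SystemObjectives) -> List[str]:
    """Return the reasons this system's plan cannot meet its own objectives."""
    out = []
    # Recovery must complete inside the downtime the business can tolerate.
    if s.rto > s.mtd:
        out.append("RTO exceeds MTD")
    # Worst-case data loss is one full backup interval, so it must fit in the RPO.
    if s.backup_interval > s.rpo:
        out.append("backup interval exceeds RPO")
    # An RTO is only a claim until a restore test has actually met it.
    if s.tested_restore is None:
        out.append("no restore test on record")
    elif s.tested_restore > s.rto:
        out.append("tested restore time exceeds RTO")
    return out


def recovery_order(systems: List[SystemObjectives]) -> List[SystemObjectives]:
    """Most critical first: shortest MTD, then shortest RTO, then name."""
    return sorted(systems, key=lambda s: (s.mtd, s.rto, s.name))


def report(systems: List[SystemObjectives]) -> Dict[str, List[str]]:
    """Map each system, in recovery order, to its list of findings."""
    return {s.name: findings(s) for s in recovery_order(systems)}


def h(hours: float) -> timedelta:
    return timedelta(hours=hours)


# Constructed sample inventory; names and figures are illustrative assumptions.
SAMPLE = [
    SystemObjectives("Staff intranet", h(72), h(24), h(24), h(24), h(30)),
    SystemObjectives("Patient billing", h(24), h(48), h(4), h(4), None),
    SystemObjectives("EHR", h(4), h(1), h(0.25), timedelta(minutes=5), h(0.75)),
    SystemObjectives("PACS imaging", h(8), h(4), h(1), h(24), h(3)),
]

if __name__ == "__main__":
    for rank, (name, issues) in enumerate(report(SAMPLE).items(), start=1):
        print(f"{rank}. {name}: {'; '.join(issues) or 'objectives met'}")
```
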

The next step is to identify possible points of failure and develop a strategy to address vulnerabilities. This is the point at which many healthcare providers begin discussing cloud-based disaster recovery plans.

Once seen as a security risk, cloud computing is now considered a security advantage compared to on-premise deployment, according to a recent survey of healthcare CIOs.5

If a decision is made to migrate to a cloud-based model, IT leaders must determine which aspects of the existing plan, including storage, data backup, replication and types of data, can be addressed using a cloud disaster recovery solution.

Assessing the Health of Your Current Disaster Recovery Plan

An important first step toward enhancing your disaster recovery plan is reviewing the plan currently in place. Consider the following key factors while assessing the strength of your plan:

Assess Your Current Capabilities

Is your organization ready for a contingency event right now? Businesses often plan for this but may not accurately measure their state of readiness. Recovery plans then fall short due to optimistic attitudes when systems are running smoothly and downtime is a rarity.

In other cases, plans are developed under pressure for audit purposes and include outcomes that are impossible to deliver. Businesses must ensure the disaster recovery plan aligns with IT integrations and deployments and is incorporated into the change-control process to account for new applications and servers. These ever-changing requirements are often overlooked: the IT landscape is constantly evolving, but disaster recovery preparedness is evaluated and potentially updated only once or twice a year.

Evaluate Your Disaster Recovery Team

It is important to consider whether your team has the skills needed to successfully execute your disaster recovery plan. Every healthcare organization has knowledgeable IT resources, but recovery requires a very specific set of skills and training along with the ability to perform under pressure during an outage or disaster.

Natural disasters also displace people. You may not be able to guarantee the availability of your staff during a disaster if they are not able to travel or need to take care of family needs.

These factors lead many healthcare systems to consider cloud-based disaster recovery services. Disaster-recovery-as-a-service providers have the specialized skills and experience to design and support disaster recovery plans that meet the needs of technology-enabled healthcare. In the event of a natural disaster, your local team can focus on providing the highest quality patient care while the service provider team recovers data and resumes operations.

5 IT Priorities for the Post-EHR Era, IDC Health Insights, January 2014

Business Drivers: RPOs and RTOs are moving from days to hours

• Avoiding data loss is a top priority

• Protecting data is the number one business driver

• Protecting patient data is of utmost concern

[Figure: Recovery Point Objective (RPO) and Recovery Time Objective (RTO) scales, each running from weeks through days, hours and minutes to seconds]


Disaster Recovery in 2015: Managed Disaster Recovery

The high cost and risk of traditional disaster recovery are no longer suitable for many healthcare organizations. Guaranteed recovery within an acceptable and continually shrinking timeframe is paramount to ensuring patient safety and quality of care. A growing number of health systems are abandoning “build your own” disaster recovery solutions for the more favorable cost, risk, and service attributes of the cloud.

Managed disaster recovery solutions include data protection and systems recovery platforms that enable cost savings, scalability, and operational assurances without large capital expenses and with decreased operating expenses. This is as compared to in-house disaster recovery solutions, which typically require more than one data center, as well as a dedicated and specialized technical and maintenance team (in order to guarantee a successful outcome).

This graphic shows the differences between traditional disaster recovery and managed cloud-based disaster recovery providers:

A Guide to Selecting a Healthcare Disaster Recovery Provider

There are special considerations that need to be made by healthcare executives when selecting a disaster recovery service provider.

Here’s a checklist of key capabilities to consider:

Compliant with HIPAA security requirements

Significant expertise in healthcare

High level of redundancy, including back-up generators and diverse network connectivity

Provides multiple sites in different FEMA regions

Enables customer to schedule testing as necessary

Allows customers to declare a contingency as desired, with low or no declaration fees

Provides for a reasonable recovery period without assessing extra fees

Demonstrates the ability to scale while still achieving required service levels

Provides flexibility in available RTO and RPO standards at different price points

Performs application and interoperability recovery

Traditional | Managed Disaster Recovery
Significant startup costs | Low or no startup costs
Variable and hidden costs | Predictable monthly costs
Limited capacity and speed | Elastic scalability and on-demand speed
Requires data center space | Space available as needed
Successful testing may take 18 months | Successful testing completed in 3 to 6 months


Velocity’s Unique Disaster Recovery Approach:

• Recovery managed on your behalf, allowing you to focus on other mission critical objectives

• You decide what constitutes a disaster, not us

• Predictable monthly cost, no declaration fees, and prompt availability for testing

• Fully managed services including disaster recovery planning, implementation, regular testing, and system interoperability

• Prompt deployment with a fully implemented and tested disaster recovery solution in three to six months

As the healthcare environment continues to move towards the full adoption of electronic records and increased reliance on technology for quality patient care, the time is now to ensure the efficacy of your organization’s ability to recover as well as to protect mission critical applications and patient data in the event of a contingency.

A Proven Healthcare Solution: Velocity Managed Disaster Recovery

Velocity Technology Solutions knows how to meet specific disaster recovery requirements of the healthcare industry. Our private cloud disaster recovery and hosting solutions deliver security, availability, and cost savings while guaranteeing recovery.

Why Velocity for Managed Disaster Recovery?

A Managed Disaster Recovery Solution from Velocity is designed to ensure the recoverability of your mission critical systems and data in the event of any contingency. Our goal is to make systems and data available in the shortest amount of time.

You can expect best-in-class service that includes:

• Advanced technologies to replicate data from your site to an appropriate Velocity data center

• Data de-duplication capabilities that identify redundant data, minimizing data transmission and storage requirements

• A secure private cloud environment following HIPAA security standards

• An expert staff that has managed hundreds of disaster recovery tests as well as successful recoveries during contingency events

• Data centers which feature multiple, redundant systems for power distribution. Servers are supplied by diverse power sources and a redundant switching infrastructure

• Multiple layers of physical and logical security for your enterprise, validated for compliance with SSAE 16 Type II SOC 1 and SSAE 16 Type II SOC 2 standards

• Cost savings of 20% to 40% when compared to a traditional approach

[Figure: Time-to-Value. Value in 4 months versus 18 or longer. Timeline axis in months, 1 to 18.]

Typical Disaster Recovery Services: Sign Contract, Pay invoice/book test, First available test time, Test - 50% failure rate, Fix issues/book next test, Working DR

Velocity Managed Disaster Recovery: Sign Contract, Assessment, Installation, Working DR


Can your healthcare system really afford to wait 18 months, or longer, for a working disaster recovery plan?


Velocity Technology Solutions, Inc. is a leader in enterprise and business application hosting services which are fully-managed and protected within a virtual private cloud. Velocity lowers operational costs, provides world-class customer experiences, and delivers application access at top levels of performance and availability. Velocity’s expertise managing software 24/7, combined with its proprietary infrastructure design and cloud management platform, guarantee the availability, security, and control over software. Velocity is the trusted partner for rapidly deploying application software into a secure and resilient virtual private cloud.

Velocity is headquartered in Charlotte, North Carolina with facilities in North America, Europe, and Asia. Velocity is a portfolio company of Silver Lake Sumeru, a global leader in private equity investments in growth-oriented technology and technology-enabled companies.

Ensure the recoverability of your mission-critical systems and data in the event of a disaster.

Velocity Managed Disaster Recovery


Velocity and the Velocity logo are registered trademarks of Velocity Technology Solutions, Inc. © 2015 Velocity Technology Solutions, Inc. All rights reserved. All other trademarks are the property of their respective owners. 08062015HCDRGUIDE

Velocity Technology Solutions
1901 Roxborough Road
Charlotte, NC 28211

Phone: 888.430.9252

VelocityCloud.com