Welcome to our Disaster Recovery Series. Are you minimizing data loss while keeping your business flowing?
Many healthcare organizations use the terms “disaster recovery” and “business continuity” to mean the same thing. When asked, CIOs, IT Directors and other technical staff, will usually tell you they have a Disaster Recovery Plan. Operational leadership and staff may say they have business continuity plans in place. Disaster Recovery and Business Continuity Planning are not the same. So what does your organization really have in place? Which one do you really need?
To make it more confusing, the HIPAA Security regulations call them “contingency plans” and contain elements of disaster recovery (centered around access to EPHI), but do not address operational continuity. To meet the federal requirements, many organizations have crafted plans, labeled them as such and pointed to the binders when auditors ask. In HIPAA-ese, contingency = data backup and restore.
From a practical standpoint, disaster recovery is an IT function using tools and processes to get it done. It is about minimizing, if not eliminating data loss, during downtimes. It is ensuring the organization can recover critical clinical and business data in the event of natural disasters, technical malfunctions and backhoes taking power and fiber lines.
Alternately, business continuity is not an IT function at all. It is a business and operational function, and it is about more than downtime procedures. Business continuity is ensuring the organization can care for patients when their access to data may be limited, not in real time or inaccessible. And once systems are back up, how to get operations back to normal and “catch up” the data.
Disaster Recovery and Business Continuity are separate processes. But they do touch upon and depend upon each other. IT builds an effective disaster recovery plan. Operations identify data criticality and key workflows necessary for patient care. Business continuity is impacted by actions IT takes during an untoward event, so IT must understand the cause-and-effect of recovery activities.
Neither the disaster recovery nor business continuity planning concepts address:
A more comprehensive and inclusive term for these necessary activities is Business Continuity Management (BCM). In addition to risk/threat assessment and response modeling, BCM encompasses effective recovery and continuity across an organization.
Business Continuity Management is really what healthcare organizations need to ensure:
It also meets HIPAA regulatory requirements and auditors will be happy.
So far, we’ve looked at how Disaster Recovery and Business Continuity Planning differ. And then how to take them both a step further with Business Continuity Management. What does your organization have in place? Do you have what you need?