Healthcare IT Disaster Recovery Plan Testing

Organizations behave like living things in that they are always changing and evolving. Because they do, plans must change with them or risk becoming outdated and ineffective. Nothing could be more deadly to an organization’s surviving a disaster than an outdated continuity of operations plan (COOP).

HIPAA requires that you first build a plan and then take the next and equally important step: testing the plan. The plan must be tested and revised as necessary to ensure it remains relevant and current.

There are several tests that can be conducted to meet HIPAA requirements. Each has its benefits either as a standalone test or as a step in maturing the overall plan.

  1. Checklist: All participants review checklists of steps, equipment, and other items to verify that nothing is left out. Each round becomes more refined and more complete.
  2. Structured Walk-Through: This is a facilitated, scenario-based group exercise in which the team members are led through the exercise and arrive at the outcome. Since there’s no pressure of a real emergency, you can identify characteristics that, if left undiscovered, could have catastrophic impact during an actual event.
  3. Simulation: This test involves relocation to a recovery site without interrupting normal operations to observe the logistics needed to set up the relocated site and begin operations. This test allows the process to be improved and reduces confusion.
  4. Parallel: This test also involves an actual relocation and includes opening the recovery site and initiating processing. Without closing the home site, you can test the systems and equipment you’ll use to recover when the time comes. It therefore serves as a form of non-destructive testing that provides proof-of-concept.
  5. Full Interruption: Just what it sounds like, this test involves shutting down the home site and going to the off-site recovery location. The bad news is that this can be very costly and disruptive. This type of test can take more than a year to plan. The good news is HIPAA does not require this test.

For best results, these tests should be viewed and performed as progressive steps with each building on its predecessors. The more these tests are done, the stronger your plan becomes, and the more confident you can be about your ability to survive an adverse event.

This post is excerpted and used with permission from Your Prescription for a Robust Healthcare IT Disaster Recovery Plan by Ross A. Leo
