Healthcare IT Disaster Recovery Plan and Criticality

Not every asset or system is equally important in emergency conditions. One of the more important planning steps HIPAA requires (the Security Rule's contingency plan standard calls it an applications and data criticality analysis) is determining which systems, applications, and data matter most and ranking them so that the most critical is recovered first and the least critical last.

When you look at the organization's lines of operation and the IT systems behind them, determine what each one needs in order to function, so that the most critical asset or system gets attention first. Here are some things to consider:

  1. What is the primary system, and what supports it? There’s a logical order of support and dependency of one system upon others that must be identified clearly.
  2. What is a must-have and what is a would-like-to-have? Under emergency conditions you should only initially address the most critical priorities. Otherwise organizational survival might be placed at risk.
  3. How long can an outage last before it becomes critical?
    1. Maximum Tolerable Downtime (MTD): how long a given organizational element can be down before the operational losses become fatal to the organization. It is the outer limit; every other objective must fit inside it.
    2. Recovery Time Objective (RTO): the target time within which the system or function must be restored, for example by bringing the off-site recovery location into operation. The RTO must be shorter than the MTD, and it must include the time needed to restore the systems the element depends on, since those have to come back first.
    3. Recovery Point Objective (RPO): how current the restored data must be, that is, the maximum acceptable data loss measured as the time between the last good copy and the outage. The RPO dictates how often backups or replication must run.

Once those questions are answered, you need to determine the kind of facilities you need.

  1. Hot Site: Fully equipped and available within hours. This is normally a subscription service, but it can be provided internally, and it’s usually expensive.
  2. Warm Site: Less expensive to maintain than a hot site, but it normally still requires equipment (servers, storage) to be brought in and configured and data to be restored, so it needs a longer lead time to bring on-line (up to a week).
  3. Cold Site: This is often just a secure location that houses no equipment or data, only power, lighting, and A/C. For this type of site you need to provide everything. The lead time can be up to a month to become operational.

Clearly, the more critical the data or application, the shorter you want the outage to be. Cost is also an important consideration. Both the tolerable outage lengths and the recovery budget should come out of the Business Impact Analysis (BIA), which estimates the business loss for each outage duration. Once those estimates are validated, the choice of recovery solution (hot, warm, or cold) should be justified by the loss potential the business case shows.
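The questions above (dependency order, must-have versus would-like-to-have, MTD, RTO, RPO) and the site choice that follows from them are easier to get right when the inventory is written down and checked mechanically. The Python script below is an added example, not code from Ross Leo's post: it orders systems for recovery with dependencies first and must-haves with the tightest MTD ahead of everything else, chains RTOs along the dependency graph so that an RTO that ignores its prerequisites is caught, checks that the backup interval can actually meet the stated RPO, and maps the remaining recovery window to the cheapest site type. The inventory is constructed for illustration, and the hot/warm/cold lead-time ceilings are assumptions taken from the article's rough figures ("within hours", "up to a week", "up to a month").

```python
"""Dependency-aware recovery ordering with MTD/RTO/RPO consistency checks.

Added example, not part of the original post. The inventory below is
constructed for illustration, and the hot/warm/cold lead-time ceilings are
assumptions taken from the article's rough figures.
"""
from dataclasses import dataclass
from graphlib import TopologicalSorter


@dataclass(frozen=True)
class System:
    name: str
    must_have: bool               # must-have (True) vs would-like-to-have (False)
    mtd_hours: float              # Maximum Tolerable Downtime
    rto_hours: float              # Recovery Time Objective for this system on its own
    rpo_hours: float              # Recovery Point Objective: max acceptable data loss
    backup_interval_hours: float  # how often the data is actually captured
    depends_on: tuple = ()        # systems that must be running before this one


# Constructed sample inventory (hypothetical figures, not from any real site).
INVENTORY = (
    System("network",        True,    8,   1, 168, 168),
    System("ad",             True,   12,   2,  24,  24, ("network",)),
    System("storage",        True,   24,   4,   1, 0.5, ("network",)),
    System("db",             True,   24,   4,   1, 0.5, ("network", "storage")),
    System("ehr",            True,   12,   8,   1,   1, ("ad", "db")),
    System("pacs",           True,   72,  24,  24,  48, ("ad", "storage")),
    System("patient_portal", False, 336,  72,  24,  24, ("ehr",)),
    System("intranet_wiki",  False, 720, 168, 168, 168, ("ad",)),
)

# Assumed lead-time ceilings (hours) per site type, from the article's
# "within hours", "up to a week", "up to a month". Adjust to your contract.
SITE_TIERS = (("hot", 24.0), ("warm", 168.0), ("cold", 720.0))


def recovery_order(systems):
    """Restore order: dependencies first; among what is ready, must-haves with
    the shortest MTD go first. Raises graphlib.CycleError on a dependency loop."""
    by_name = {s.name: s for s in systems}
    for s in systems:
        unknown = set(s.depends_on) - set(by_name)
        if unknown:
            raise ValueError(f"{s.name} depends on unlisted system(s): {sorted(unknown)}")
    ts = TopologicalSorter({s.name: set(s.depends_on) for s in systems})
    ts.prepare()
    order, ready = [], set(ts.get_ready())
    while ready:
        nxt = min(ready, key=lambda n: (not by_name[n].must_have, by_name[n].mtd_hours, n))
        order.append(nxt)
        ready.remove(nxt)
        ts.done(nxt)
        ready.update(ts.get_ready())   # nodes whose prerequisites are now all done
    return order


def effective_rto(systems):
    """Chain RTOs along dependencies: a system is only usable once everything it
    relies on is back, so its real recovery time is its own RTO plus the slowest
    dependency chain beneath it."""
    by_name = {s.name: s for s in systems}
    eff = {}
    for name in recovery_order(systems):   # topological, so deps are computed first
        s = by_name[name]
        eff[name] = s.rto_hours + max((eff[d] for d in s.depends_on), default=0.0)
    return eff


def check_objectives(systems):
    """Findings where the stated objectives cannot be met as written."""
    findings = []
    eff = effective_rto(systems)
    for s in systems:
        if eff[s.name] > s.mtd_hours:
            findings.append(f"{s.name}: effective RTO {eff[s.name]:g}h (own RTO "
                            f"{s.rto_hours:g}h plus dependencies) exceeds MTD {s.mtd_hours:g}h")
        if s.backup_interval_hours > s.rpo_hours:
            findings.append(f"{s.name}: backups every {s.backup_interval_hours:g}h "
                            f"cannot meet RPO {s.rpo_hours:g}h")
    return findings


def site_tier(window_hours):
    """Cheapest site type whose lead time fits inside the given window, or None.
    The window is the time left to bring the site up before a system's own
    restoration must begin, i.e. MTD minus that system's RTO."""
    for tier, ceiling in SITE_TIERS:
        if window_hours <= ceiling:
            return tier
    return None


def required_site(systems):
    """The site tier is dictated by the tightest window among the must-have systems."""
    return site_tier(min(s.mtd_hours - s.rto_hours for s in systems if s.must_have))


if __name__ == "__main__":
    by_name = {s.name: s for s in INVENTORY}
    eff = effective_rto(INVENTORY)
    for name in recovery_order(INVENTORY):
        s = by_name[name]
        print(f"{name:15} MTD {s.mtd_hours:g}h  effective RTO {eff[name]:g}h  "
              f"site: {site_tier(s.mtd_hours - s.rto_hours)}")
    for finding in check_objectives(INVENTORY):
        print("FINDING:", finding)
    print("Site tier required for the must-haves:", required_site(INVENTORY))
```

Run as written, the script flags two problems a spreadsheet of per-system numbers would hide: the EHR's own 8-hour RTO looks fine against its 12-hour MTD, but once the directory, storage and database it depends on are chained in, its effective recovery time is 17 hours; and the imaging system's 48-hour backup cycle cannot satisfy a 24-hour RPO. Replace the constructed inventory with the output of your own criticality analysis and rerun it whenever a dependency or objective changes.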

This post is excerpted and used with permission from Your Prescription for a Robust Healthcare IT Disaster Recovery Plan by Ross A. Leo


Join the Conversation


  1. T Pham

    I would like to know more about the Business Impact Analysis (BIA). How is this analysis conducted, and what kind of results does it produce?

  2. Ross Leo

    The BIA is best thought of as a complement to a risk analysis (RA): they both look at assets, they both look at threat-impact, and they both contain qualitative and quantitative elements. Together they provide a complete look at your risk-threat posture.

    The BIA differs from the RA somewhat. The RA examines the asset-threat-vulnerability relationship and assesses potential impact magnitude and frequency of occurrence of the threat agent/event. The RA focuses on these relationships with a view towards mitigation of the risk through protective, avoidance, or compensatory measures. The RA process seeks to prioritize such efforts for optimum reduction in exposure to losses.

    In contrast, the BIA looks at the business operation. The BIA examines the sensitivity, criticality and overall contribution of a particular operational element to determine the direct and indirect impact to the business should the element suffer disruption or disablement. It seeks to quantify such impacts by various criteria in order to establish a priority order (high => low) for protective and recovery purposes: highest means recovery first, and so on.

    Both methods use scenarios to envisage impacts and potential losses. The BIA uses outage time and duration as a factor (since losses accumulate at varying rates), where the RA does not. The RA uses probabilities of event occurrence, and types and percentages of potential impacts/losses, where the BIA looks more at the reduction in operational capabilities.

    Thus, the RA is akin to the Disaster Recovery portion of the overall continuity of operations plan (COOP) in that it focuses on the event, and the BIA is akin to the Business Continuity portion of the COOP in that it focuses on the business operation.
    The RA seeks to avoid or reduce the event effects in advance, and the BIA seeks to prioritize response and recovery efforts should the event occur.

    Together the RA and the BIA provide the qualitative and quantitative results necessary for Management to make prudent, cost-effective decisions on mitigation and response in advance of adverse events.