Disaster recovery and business continuity are important considerations for all sectors, but become top priorities within the healthcare sector, where patient welfare is reliant on system availability. In this article, we review the unique challenges and requirements within the sector, and best practices and considerations for disaster recovery and business continuity strategies, including utilizing hot DR sites, network monitoring, and cybersecurity.
Understanding healthcare-specific risks and challenges
Disasters which could impact the sector are wide-ranging, from natural disasters compromising a physical server site, to power outages, and malicious attacks such as ransomware.
There are distinctive risks from these potential disasters to the sector specifically, including patient data privacy concerns and regulatory compliance. The data stored and processed by healthcare organisations is particularly sensitive, with patient records including identifiable personal information and medical details. Regulations for the sector vary worldwide, including HIPAA compliance in the U.S. and GDPR compliance in the UK and EU, with significant legal consequences for any breach. The loss of vital records could directly impact the patient, whether it concerns medication, diagnosis or treatment. Worryingly, a study from Acuserve found that only 17% of healthcare executives have high confidence in their IT team’s ability to recover lost data.
Another major concern is the potential impact of any downtime on patient care. In a hospital, for example, systems are used to monitor patient information and transmit data between practitioners and locations. If these systems were to go down, even for a short time, this would prevent care and treatment of the patients, potentially even leading to patient deaths. It is vital in these high-risk environments that downtime is not just minimized, but eliminated altogether.
Cyberattacks, particularly ransomware, are a constant concern for the healthcare sector. A report ‘The State of Ransomware in Healthcare 2022’ showed concerning figures, with ransomware attacks doubling from 2020 to 2021, and the sector showing long recovery times after a ransomware attack – 44% took up to a week to recover from the most significant attack, and 25% took up to one month.
A recent example of the impact of a disaster on a healthcare organisation was the ransomware attack on hospital chain CommonSpirit Health in the U.S. in October 2022, which cost the organisation US$160 million. The attack forced CommonSpirit Health to take its systems offline, which impacted more than 100 of their facilities across the U.S. In addition to these costs, the company has faced two class action lawsuits relating to the attack, which alleged that CommonSpirit failed to implement appropriate cybersecurity measures.
Taking into account the gravity of the risks to the healthcare sector, which in the worst-case scenario could include loss of patient lives, it is clear that disaster recovery and business continuity should be a top priority for these organisations.
What is the best disaster recovery plan for the healthcare sector?
At its core, the best disaster recovery plan for the healthcare sector will consist of processes and procedures that allow organisations to continue operations in the event of a disaster, and ensure they can resume business as usual as quickly as possible.
For the healthcare sector, where no downtime can be tolerated, and compliance requirements are rigorous, hot disaster recovery (hot DR) is the best solution. Hot DR is designed to operate seamlessly during a disaster by offering a replicated site equipped with all the necessary hardware, software, and applications. Hot DR gives the lowest possible recovery time objective (RTO) – the amount of time taken to recover from a disaster.
Hot DR includes real-time replication to optimize your recovery point objective (RPO), with continuous back-ups to a secure secondary site. The RPO is the point in the server’s timeline that you can return to after a disaster. For example, with daily back-ups, your maximum RPO would be 24 hours. With continuous replication, your RPO is as low as possible, keeping data loss to an absolute minimum.
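As an added illustration (not part of the original article or any provider's tooling), the Python sketch below measures RPO and RTO as defined above from a list of recovery-point timestamps. The schedules, timestamps, targets and function names are constructed assumptions; the replica data deliberately includes a stall, showing how the data actually lost can far exceed the nominal replication interval.

```python
from datetime import datetime, timedelta

def worst_case_rpo(recovery_points):
    """Largest gap between consecutive recovery points: the most data
    (measured in time) lost if disaster strikes just before the next one."""
    pts = sorted(recovery_points)
    if len(pts) < 2:
        raise ValueError("need at least two recovery points")
    return max(later - earlier for earlier, later in zip(pts, pts[1:]))

def data_loss_window(recovery_points, incident):
    """Time between the last recovery point before the incident and the
    incident itself, i.e. the RPO actually achieved for that incident."""
    usable = [p for p in recovery_points if p <= incident]
    if not usable:
        raise ValueError("no recovery point predates the incident")
    return incident - max(usable)

def recovery_time(incident, service_restored):
    """RTO actually achieved: how long the service was unavailable."""
    return service_restored - incident

def meets_objectives(recovery_points, incident, service_restored,
                     rpo_target, rto_target):
    """True only if both the data-loss window and the outage fit the targets."""
    return (data_loss_window(recovery_points, incident) <= rpo_target
            and recovery_time(incident, service_restored) <= rto_target)

# Constructed sample data (hypothetical, not from the article).
DAY = datetime(2024, 1, 10)
# Daily back-ups at 00:00 for the last four days.
daily_backups = [DAY - timedelta(days=d) for d in range(3, -1, -1)]
# Replica checkpoints every 5 seconds, but replication stalls at 13:00:00.
replica = [DAY + timedelta(hours=12, minutes=59, seconds=s)
           for s in range(0, 61, 5)]
incident = DAY + timedelta(hours=14, minutes=30)

if __name__ == "__main__":
    print("daily worst-case RPO:   ", worst_case_rpo(daily_backups))
    print("daily loss at incident: ", data_loss_window(daily_backups, incident))
    print("replica nominal RPO:    ", worst_case_rpo(replica))
    print("replica loss at incident:", data_loss_window(replica, incident))
```

The stalled replica reports a 5-second nominal interval yet loses 90 minutes of data at the incident, which is why the age of the newest recovery point needs to be alerted on, not just the configured schedule.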
Maintaining your own off-site DR environment is tricky for a healthcare organisation that does not necessarily have the in-house expertise or resources to set up or maintain this. Opting to use a provider that offers Disaster Recovery as a Service (DRaaS) for your hot DR solution outsources this requirement, giving you the peace of mind that in the case of a disaster, your site will fail over to a certified and compliant secondary DR site. When outsourcing your infrastructure, ensure you are working with a reputable provider, with the relevant accreditations and compliance procedures in place to protect your sensitive data.
Infrastructure considerations for business continuity
While having a robust DR strategy is vital in the case of a disaster, minimizing the risk of a disaster in the first place should be central to your business continuity planning. There are several considerations for your healthcare organisation, including quality of hardware and software, security, and monitoring and management of your infrastructure.
Quality of hardware and software
The quality of hardware and software used in your environment has a significant impact on performance. The technology involved in hosting is constantly developing – your provider should invest in best-of-breed hosting architecture, ensuring top reliability, scalability and performance. Top-of-the-line platforms offer high performance and uptime guarantees, keeping your systems running in the most optimal way. Your provider should also periodically update and audit hardware and software to ensure ongoing reliability.
Healthcare organisations may face financial constraints that make investing in the best infrastructure difficult; however, this is an instance in which cost should be considered holistically rather than in isolation. Investing in top hardware and software helps prevent downtime, slow performance and disasters, which can save you the potential costs arising from issues with lower-quality infrastructure. Additionally, when you host your platforms with a provider, rather than buying your own hardware for an on-premise solution, you avoid the upfront costs, gaining the performance benefits while optimizing costs.
Security
A multi-layered approach to security will help you protect your business against attacks, threats and vulnerabilities, while ensuring that you meet the necessary compliance requirements. This approach can include elements such as firewalls, multi-factor authentication, data encryption, intrusion protection and intrusion defense systems, and more. To maintain these security measures, carry out regular testing to identify any vulnerabilities in your systems so these can be repaired.
Keeping on top of cybersecurity best practice will protect your infrastructure, so to support your approach, you should ensure all staff using your systems undergo a detailed induction and ongoing security training.
Monitoring and management of infrastructure
For your DR plan to be implemented and your systems to fail over to your secondary site in the event of a disaster, your network will need to be monitored. Tracking and analyzing network performance in real time means any issues will be picked up immediately and the necessary measures can be taken. Often, the quicker an issue is picked up, the quicker and easier it will be to resolve. Effective monitoring can also identify potential issues before they reach the stage where your DR will be required, further reducing their impact. This monitoring can be effectively implemented by a managed service provider (MSP).
An MSP can provide support and peace of mind for organisations in the healthcare sector, expertly managing your infrastructure and allowing you to concentrate on running your business. Managed hosting can include all of the measures mentioned so far – disaster recovery planning, infrastructure design, security, and network monitoring. With these elements all taken out of your hands, you can be assured that your systems are running safely and effectively.
The risks facing the healthcare sector are evolving, particularly when it comes to cybersecurity, which means that best practices in infrastructure are also evolving. In a constantly busy organisation, it can be difficult to keep up with the landscape and know how best to protect yourself. Leveraging the expertise of an MSP who is up to date with the latest developments means your business can continue to be protected as the landscape changes.
Work with Hyve to build the best DR solution for your healthcare organisation
We have 20 years of experience supporting health and social care institutions through our fully managed hosting solutions. Our experts work with you to design a resilient, secure platform, with comprehensive DR and business continuity strategies in place.
Find full details of the DR solutions offered by Hyve on our disaster recovery page. For more information on our hosting solutions, visit our hosting for healthcare page.