Hospitals Should Include IT Recovery in Disaster Planning

Conducting risk assessments is a good start to uncovering IT-related and other vulnerabilities in advance of a real disaster, said Timothy Rearick, FACHE, manager at the Tallahassee, FL, location of North Highland, a management and technology consulting firm. He recently spoke to HealthLeaders' sister publication, Briefings on HIPAA.

Rearick said you can reduce risks by taking the following steps:

• Identify threats. Consider the risks to your organization using the categories of natural threats (e.g., tornadoes, hurricanes, and floods), human threats (e.g., staff shortages), and environmental threats (e.g., power failures).
• Recognize vulnerabilities. Take our initial hurricane scenario and imagine your hospital in the midst of it. What if your emergency generator is in the basement and you're close to sea level? The likelihood that you will lose electric power—and potentially IT systems—because of a hurricane and flooding is your vulnerability.
• Determine the effect. If a flood causes you to lose power, what other problems will it lead to? How will this affect your organization?
• Develop a list of remediation activities. Figure out possible steps to offset the various threats and vulnerabilities you've identified.

Once you've completed these steps, establish your priorities, Rearick said. Use an orderly, logical approach to determine which of your identified threats and vulnerabilities are most significant with respect to cost and risk, and then act on them.

"With the proliferation of the Web and Web-based applications, you're opening up your systems," he said. "There is risk now in the way we exchange information."

Don't always conduct IT recovery exercises with worst-case scenarios, Grogan said. More mundane, but more likely, events often aren't reflected in recovery plans, which is a mistake, he added. Take a look at what IT incidents have caused disruptions in the past and use them as the basis for drill scenarios.