Disaster Recovery and Contingency Plans Are Critical to Healthcare Cyber Security

BrandPost By Chris Nerney
Jan 16, 2018

More than two weeks after Hurricane Maria struck Puerto Rico in mid-September, five of the island’s 69 hospitals remained closed. Of the 64 hospitals operating fully or partially, only 17 were connected to the power grid, the governor’s office said at the time. The vast majority relied on generators to power electronic health record (EHR) systems and other IT tools, medical equipment, storage refrigerators, and utilities.

Just weeks earlier, Hurricane Harvey battered the Texas and Louisiana coasts, forcing at least 16 hospitals in Texas to close in the storm’s immediate aftermath, and necessitating relocation of as many as 1,000 patients to hospitals and other medical facilities across the state. Shortly after Harvey hit the Gulf Coast, Hurricane Irma ravaged the Florida Keys and coastline, resulting in the tragic deaths of 12 residents of a nursing home that lost power.

These storms are sobering reminders to healthcare professionals that downtime literally can be deadly, whether the cause is a natural disaster, a ransomware attack, or an unexpected failure of the electrical grid. Not only can an outage prevent clinicians from using medical equipment to treat patients, it can prevent them from accessing and sharing vital data residing in EHRs.

It is imperative that healthcare providers devise and implement disaster recovery (DR) and contingency plans to prevent (or at least minimize) downtime. While such a plan should include keeping MRI and ultrasound machines, surgical instruments, patient monitoring devices, and other medical and support equipment operational, preserving the network infrastructure so providers can access and share digital records in the event of a natural disaster or major cyber attack must be a top priority.

The cornerstone of healthcare DR and contingency planning is preparation. For example, large hospitals in the Houston area learned lessons from previous hurricanes, installing flood walls and flood gates to minimize water intrusion. Many also relocated power and IT equipment from facility basements and lower floors. These preventive measures played a large part in the ability to stay open during and immediately after Hurricane Harvey.

Disaster planning and preparation are most effective when they involve the healthcare provider’s entire staff, rather than just IT and department managers. Clinical and administrative employees should be included in brainstorming about potential worst-case scenarios regarding power loss, network capabilities, communications, and other digital and physical infrastructure systems.

But the key functional elements of successful healthcare DR and contingency planning are agility and flexibility — the capabilities of hospitals and private practices to respond quickly to outages and emergencies that threaten to bring down their IT and communications infrastructures. An agile network infrastructure allows healthcare providers to minimize or even eliminate downtime that can prevent clinicians from accessing EHRs; automatically back up the protected health information (PHI) of patients to remote locations; and preserve email, phone, and other modes of communication.

DR Priorities and Considerations

The top priorities of healthcare infrastructure DR and contingency planning are to protect data and workloads, and to maintain connections. Providers increasingly turn to cloud computing for DR and backup functionality. An HIMSS survey of healthcare IT decision-makers taken in January 2017 shows 84% of respondents consider the cloud to be a viable platform for DR and backup.

That same survey also shows more healthcare providers acting on that belief: 61% said their organizations used the cloud for disaster recovery, up from 42% in 2014. Brendan FitzGerald, director of research for HIMSS Analytics, says the exponential growth of healthcare data – much of it fueled by medical devices – is prompting providers to embrace the cloud as “a scalable, flexible [and reliable] infrastructure solution.”

Once a healthcare organization has made a commitment to the cloud, the next step is to decide which workloads to migrate to a cloud environment in the event of a natural disaster or cyber attack. These may include not just clinical applications and data, but analytics workloads, operational and financial data, and health information exchange.

In addition to determining which infrastructure components should be migrated to the cloud, healthcare providers also must see to it that their cloud models meet HIPAA compliance requirements designed to protect patient privacy. This means not just backing up PHI data, but securing it against breaches targeting EHRs, mobile apps, and connected medical devices.

Choosing the Right Disaster Recovery-as-a-Service (DRaaS) Partner

Hospitals and other healthcare providers operate on notoriously thin margins, which typically result in small and often unskilled IT staff. That’s why it’s crucial for healthcare organizations to choose the cloud and networking services providers that best meet their DR and contingency planning needs.

AT&T Business Solutions offers agile cloud-based continuity and security services that can help healthcare providers avoid potentially disastrous downtime from natural disasters, power grid outages, ransomware, and other threats. AT&T’s data-loss prevention, intrusion detection, and vulnerability scanning functionality can be deployed in the cloud, via a VPN, at mobile endpoints, and in a provider’s in-house data center.

AT&T FlexWare offers healthcare providers a cost-efficient, cloud-based network infrastructure that includes software-defined networking (SDN) and network function virtualization (NFV) technologies. By installing a single AT&T FlexWare device at one facility, healthcare providers can run multiple AT&T-certified virtual functions from best-of-breed vendors, including virtual routers, virtual security, and virtual WAN acceleration. Among the management benefits of AT&T FlexWare are proactive fault management, trouble isolation, and problem resolution – all essential to minimizing downtime and outages.

Security and business continuity must be top priorities for healthcare providers seeking networking solutions. Not only are providers under pressure to meet compliance requirements, but their network infrastructures and PHI databases are also prime targets for modern cyber criminals, and disaster may be only a storm or earthquake away.

By delivering flexible and scalable cloud-based security, backup, and recovery solutions, AT&T Business Solutions and AT&T FlexWare offer healthcare providers the agility and reliability they need to sustain IT operations and network connectivity during and in the wake of disaster.