IT Disasters at Your Medical Practice: 7 Steps to Prepare, Recover

August 23, 2013
Nelson Gomes

Here are seven of the critical steps for medical practices to take for disaster preparedness, recovery, and business continuity of their IT services.

An information technology (IT) disaster, like a natural disaster, can happen to your medical practice at any moment. An IT disaster may be small, such as if a computer used for admissions goes down. It can be medium-sized, such as your wireless networking going out, crippling those devices that rely on a wireless signal to function properly. Then there are major disasters, such as if the servers that host your practice's billing, accounting data, and medical records fail.

It is likely that your practice will experience at least a small IT disaster every few years. If that's all you encounter, consider yourself fortunate; statistics show that nearly one in five businesses suffers a major disruption to its data or voice networks or communications systems every year ("Business Continuity and Disaster Recovery for InfoSec Managers," 2005). But regardless of the size of the disaster, all IT disasters can have a significant, negative impact on your practice's finances and operations.

Here are seven of the critical steps for medical practices to take for disaster preparedness, recovery, and business continuity.

1. Perform an IT assessment. Before you can even begin to plan for responding to an IT disaster, you need to understand how your practice relies on IT, which includes identifying the technology your practice uses, what the technology is used for, and where the technology is kept and stored: on-site, off-site, or in the cloud.

This assessment will help you to paint a complete picture of the different ways your practice uses different IT systems, and will allow you to identify "mission-critical" applications, such as an EHR, practice management software, and phone systems. You should also use this assessment to identify areas where your IT systems may be at a higher risk for disaster, such as a server sitting on a floor, thus increasing the potential for damage from a water spill.

2. Conduct risk analysis. With the assessment completed, you will want to conduct a risk analysis that identifies what would happen to your practice's operations - the business and clinical impact - if a disaster were to affect any of your IT components and what backup plans you have in place (if any).

3. Identify a disaster recovery coordinator. This is the staff member who will be tasked with assembling an IT disaster recovery plan and leading implementation of that plan, if - and more likely when - necessary. It is critical for your practice and its leadership to support the efforts of this individual and ensure he or she has the time and resources to assemble a plan and conduct the other necessary steps associated with the plan, as will be discussed later in this piece.

4. Assemble the plan. Once you have assigned a staff member to the role of disaster recovery coordinator, it's time to put together your disaster recovery plan. This will likely be a lengthy process as there are many different elements that need to go into the plan, and many different scenarios (the potential impact of any IT disaster) to address.

The plan should include at least the following:

Goals - This should include everything you need to accomplish to recover from a particular disaster scenario.

Steps to achieve the goals - For example, if your phone systems go down, you may put a message on your answering service providing an alternate phone number. If your servers are down, goals may include accessing a system on the cloud if you have invested in such a resource or possibly having a process for temporarily directing patients to another location.

Responsibilities - Who is involved in these steps and what is their responsibility?

Timeline to achieve goals - Keep in mind that in many situations, a fast recovery may mean greater expense if the recovery process involves outside parties.

5. Test the plan. A plan may look great on paper, but there's no way of knowing whether the plan will be successful without testing it. Therefore, it is imperative to schedule IT disaster drills, as you would a fire drill, and observe how staff responds. Look for potential deficiencies and solicit feedback from drill participants.

It is also worthwhile to conduct mock disasters where you simulate a disaster with only select members of the practice's leadership knowing the scenario is a drill. This will allow you to see how staff truly respond under pressure.

6. Document everything. Your assessment, risk analysis, plan, tests and any other steps you take regarding disaster recovery should be documented, with that documentation - especially the plan - easily accessible, preferably both on- and off-site.

7. Maintain the plan. Finally, treat your IT disaster recovery plan as a living document, with the disaster recovery coordinator updating it any time your practice makes changes to its IT systems.

Nelson Gomes is the president and CEO of PriorityOne Group, a New Jersey-based healthcare IT consulting firm. Gomes has 20 years of experience in IT, including 15 specifically in health IT, providing services to medical practices, ambulatory surgery centers, and clinics.