Not every asset or system is equally important in emergency conditions. One of the more important steps HIPAA requires you to take in planning is determining which systems, applications, and data are important and prioritizing them in descending order for recovery.
When you look at the organization’s lines of operation and IT systems, you must determine what’s needed in order to function so that the most critical asset or system gets immediate attention. Here are some things to consider:
- What is the primary system, and what supports it? There’s a logical order of support and dependency of one system upon others that must be identified clearly.
- What is a must-have and what is a would-like-to-have? Under emergency conditions you should only initially address the most critical priorities. Otherwise organizational survival might be placed at risk.
- How long can an outage last before it becomes critical?
  - Maximum Tolerable Downtime (MTD): This tells how long a given organizational element can be down before operational losses become fatal.
  - Recovery Time Objective (RTO): This describes the optimal amount of time it should take to get the off-site recovery location into operation.
  - Recovery Point Objective (RPO): This shows how close to true currency the data should be at the RTO.
Once those questions are answered, you need to determine the kind of facilities you need.
- Hot Site: Fully equipped and available within hours. This is normally a subscription service, but it can be provided internally, and it’s usually expensive.
- Warm Site: This type of site is less expensive to maintain and normally requires equipment (servers, storage). It also requires a longer lead time to bring on-line (up to a week).
- Cold Site: This is often just a secure location that houses no equipment or data, only power, lighting, and A/C. For this type of site you need to provide everything. The lead time can be up to a month to become operational.
Clearly, the more critical the data or application, the shorter you want the outage to be. Cost is also an important consideration. Outages and costs should be derived as outcomes from the Business Impact Analysis (BIA) and are based on estimated business losses. Once validated, however, the choice of recovery solution — hot, warm, or cold — should be justified by the business case loss potential.
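The following Python example is added here and is not from the excerpted book. It turns the questions above into a recovery plan: supporting systems are restored before what depends on them, ties are broken by the tightest MTD, and each system gets the cheapest site tier whose lead time fits its RTO. The system names, the hour values, the 8-hour hot-site lead time, and the rule that a supporting system inherits the tightest MTD and RTO of its dependents are assumptions made for the example.

```python
import heapq

# Worst-case lead hours, cheapest first; week/month from the text, 8 h for hot is an assumption.
SITE_LEAD_HOURS = [("cold", 720), ("warm", 168), ("hot", 8)]

# Constructed inventory: name -> (MTD hours, RTO hours, systems it depends on)
INVENTORY = {
    "ehr_app": (24, 12, ["ehr_database", "directory"]),
    "ehr_database": (72, 48, ["storage"]),
    "directory": (48, 24, []),
    "storage": (96, 72, []),
    "billing": (240, 200, ["ehr_database"]),
    "intranet": (1000, 800, []),
}

def effective_limits(inv):
    """A supporting system inherits the tightest MTD/RTO of anything that needs it."""
    eff = {name: [mtd, rto] for name, (mtd, rto, _) in inv.items()}
    changed = True
    while changed:
        changed = False
        for name, (_, _, deps) in inv.items():
            for dep in deps:
                tight = [min(a, b) for a, b in zip(eff[dep], eff[name])]
                if tight != eff[dep]:
                    eff[dep], changed = tight, True
    return eff

def site_tier(rto_hours):
    """Cheapest tier whose lead time fits the RTO; shorter RTOs still map to hot."""
    return next((t for t, lead in SITE_LEAD_HOURS if lead <= rto_hours), "hot")

def recovery_plan(inv):
    """Recovery order: dependencies first, then tightest effective MTD."""
    eff = effective_limits(inv)
    pending = {name: set(deps) for name, (_, _, deps) in inv.items()}
    ready = sorted((eff[n][0], n) for n, deps in pending.items() if not deps)
    plan = []  # entries are (system, effective MTD hours, site tier)
    while ready:
        _, name = heapq.heappop(ready)  # a sorted list is already a valid heap
        plan.append((name, eff[name][0], site_tier(eff[name][1])))
        for other, deps in pending.items():
            if name in deps:
                deps.remove(name)
                if not deps:
                    heapq.heappush(ready, (eff[other][0], other))
    if len(plan) != len(inv):
        raise ValueError("circular dependency in inventory")
    return plan
```

In this constructed inventory, `storage` has a 96-hour MTD of its own, but because the 24-hour `ehr_app` ultimately depends on it, `recovery_plan(INVENTORY)` places it near the front of the order and assigns it the hot tier.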
This post is excerpted and used with permission from Your Prescription for a Robust Healthcare IT Disaster Recovery Plan by Ross A. Leo