25 September 2015 / Blog
Disaster Recovery No Longer An “Elective Procedure” In Light of Growing Cyber Security Threat To Healthcare Organizations
By: Velocity Staff
Fraud detection is a growing business amid ever-increasing security threats. A typical organization loses 5% of revenue each year to fraud, corresponding to annual losses exceeding $3.5 trillion worldwide. Cyber security often makes headlines as the culprit — and it is central to Friday’s meeting between President Barack Obama and China’s President Xi Jinping.
Consider the following:
- A typical organization loses 5% of revenue each year to fraud, corresponding to annual losses exceeding $3.5 trillion worldwide
- The median loss caused by fraud is $145,000
- 22% of fraud cases involve losses of at least $1 million
- The median duration of fraud cases is 18 months (amount of time from when the fraud commenced until it was detected)
Source: ACFE Report to the Nations on Occupational Fraud and Abuse, 2014
Cyber security is a particular threat in the healthcare industry, where IDC analysts predict 50% of healthcare organizations will have experienced 1-5 cyber attacks before 2015 is over. That risk is expected to rise as 2016 approaches. And the statistics do not improve. Research in 2014 conducted by MIT Technology Review revealed that cyber attacks on hospitals increased 600% in just ten months.
Digital disasters force healthcare organizations to restrict access to critical records and disrupt system interoperability, not just for compromised systems but for all systems. Having a flexible recovery strategy can eliminate this knee-jerk reaction.
Modernizing Disaster Recovery
The traditional view of disaster recovery as a “check the box” measure, or as an “elective procedure,” is rapidly shifting, especially in the face of strengthening and persistent threats, such as cyber attacks.
Healthcare organizations realize that today’s contingency planning must guarantee recoverability at all levels to support ongoing patient care as well as compliance with government regulations. The most effective disaster recovery plans can also be used during scheduled downtime such as migrations, upgrades, and maintenance, while maintaining continuity of business operations.
“The data shows that even the most data-savvy hospital system is prone to attack. Implementing — and maintaining — a forward-thinking Managed Disaster Recovery plan is not just cutting edge, but imperative to upholding The Patient Bill of Rights,” says Paul Mockenhaupt, Senior Vice President, Innovation and Development at Velocity Technology Solutions.
Developing an Effective Healthcare Disaster Recovery Plan
The first step in disaster recovery planning is to conduct a business impact analysis (BIA). This involves identifying which systems and applications are most critical for operations and then prioritizing the order in which they are recovered. In the case of a healthcare organization, this includes determining the impact to patients and care delivery.
As part of your business impact analysis, three key measures of disaster recovery must be established:
- Maximum Tolerable Downtime (MTD) - MTD is the total amount of time the system owner can accept for a business process outage or disruption, including all impact considerations.
- Recovery Time Objective (RTO) - RTO is the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on the business process.
- Recovery Point Objective (RPO) - RPO represents the point in time prior to a disruption to which business process data must be recovered after an outage.
Once MTD, RTO, and RPO are established for each business process, application, and system, a recovery strategy can be developed to meet your business objectives.
Business Drivers: RPOs and RTOs are moving from days to hours
Recovery Time Objectives
The next step is to identify possible points of failure and develop a strategy to address vulnerabilities. This is the point at which many healthcare providers begin discussing cloud-based disaster recovery plans.
Once seen as a security risk, cloud computing is now considered a security advantage compared to on-premise deployment, according to a recent survey of healthcare CIOs.
If a decision is made to migrate to a cloud-based model, IT leaders must determine which aspects of the existing plan, including storage, data backup, replication, and types of data, can be addressed using a cloud disaster recovery solution.