Kari Walgran | Apr 20, 2017 | 3 min read

5 Key Facts About Disaster Recovery for EHRs

Before a crisis strikes, healthcare IT professionals must be ready for EHR disruptions due to disasters.

HIPAA requires all healthcare providers to develop contingency plans for disaster recovery, including data backup and emergency operations. With electronic health records (EHRs) at the center of patient care, access to patient medical data is absolutely critical. Read on to learn more about disaster preparedness, EHR disruptions, and how healthcare IT professionals can be informed and ready before a crisis strikes.

Despite regulatory requirements calling for disaster recovery plans, many healthcare facilities lack appropriate guidelines or the means to implement them. EHR outages are a reality, however, and providers must address this issue or face potentially dire consequences.

Here are five key facts about disaster planning and recovery for EHRs.

  1. Many hospitals experience EHR outages, lack full compliance. A July 2016 HHS Office of Inspector General (OIG) report examined hospitals’ compliance with EHR contingency plans. The report surveyed 400 hospitals receiving Medicare incentive payments, and revealed several key statistics about the readiness of facilities to address EHR outages:
    • 95% of hospitals reported that they had written contingency plans in place to address EHR disruptions.
    • Only 68% of hospitals with written contingency plans included all four components required for full HIPAA compliance: a data backup plan, a disaster recovery plan, an emergency mode operations plan, and testing and revision procedures.
    • 59% of hospital respondents reported unplanned EHR disruptions that made their EHR systems unavailable to hospital staff. 24% of these hospitals delayed patient care as a result.
    • Reported causes of unplanned EHR disruptions included hardware malfunctions/failures, internet connectivity problems, power failures, natural disasters, and hacking incidents.
  2. There are several kinds of disasters to consider. A comprehensive disaster recovery plan will address potential problems of all types. Software company Sisu notes that there are four main causes of disaster at healthcare facilities: hardware failure, human error, software failure, and natural disasters such as floods or forest fires. Other risks include identity theft, cyberattacks, and data breaches, according to Healthcare Business & Technology, and these attacks may compromise both medical and financial data.
  3. Preventive measures are an important part of EHR security and HIPAA compliance. Security Intelligence identifies five critical security issues that healthcare providers must address to secure patient records and comply with HIPAA regulations:
    • Admin controls and employee training, including updated policies and employee background checks.
    • Physical access controls that verify the identity of users and prevent unauthorized access to EHR data.
    • User access controls and audits to secure logins, prevent external access or inappropriate transmissions of data, and ensure proper access and security at workstations.
    • Media controls to ensure that sensitive data is removed from devices and equipment before hardware is replaced, sold, donated, or otherwise removed from service.
    • Data encryption of user credentials, as well as encryption and segmentation of data to ensure that users access only data specific to their needs.
  4. Comprehensive disaster planning is critical. Effective disaster plans are multi-step, multifaceted, and address multiple contingencies. Organizations must address security concerns, personnel requirements, staff training, compliance, data collection, and more. Online resources and planning guides address these issues and may help providers to develop appropriate guidelines for their organizations. For example, Medical Economics and Health IT Security offer articles about healthcare disaster recovery planning, and Healthcare IT News has a four-part video series developed in conjunction with Sungard.
  5. The threat of disaster may dictate storage options. TechTarget reports that many providers are turning to new forms of storage as a way to address disaster planning and threats from cyberattacks. Options include:
    • On-site backup networks, which can be used in conjunction with off-site recovery centers that house backup servers.
    • Hybrid cloud options, combining in-house networks with cloud backup.
    • “Hot sites,” which are subscription-based, off-site physical locations where providers can move IT operations after a disaster.
    • Migrations to cloud-based systems.

Overall, evolving technologies and the security threats that develop alongside them will require healthcare providers to explore and embrace storage options designed to address security and disaster planning.

Developing and implementing disaster recovery plans for EHRs is a difficult and complex process, but it is critical for healthcare facilities to ensure that patient care and patient access are not interrupted, data is secure and accessible, and compliance requirements are satisfied. By addressing these important issues before disaster strikes, healthcare IT professionals can prepare themselves and their staffs to address potential EHR outages of various types and to keep operations moving as smoothly as possible during difficult circumstances.
