A hurricane strikes and your healthcare facility must care for an influx of injured patients. How quickly will you able to access your computer systems and electronic data?

While most healthcare facilities have disaster recovery plans in place, many are based on an outdated paradigm in which information technology was much less critical than it is today. Today, many healthcare providers lack adequate capabilities to restore critical information and services in an adequate amount of time in the event of a disaster.

With the rapid migration of healthcare systems from manual, paper-based processes to centralized computer systems, data backup and disaster recovery has become more critical than ever, but also more complex. This increasing reliance on computer systems has led to an explosive growth of data - and a growing challenge when disaster strikes.

Whether a disaster results from a hurricane or a computer hacker, damage to centralized technology systems will affect multiple processes and data. The longer it takes to reinstate systems and restore data, the more difficult it will be for the healthcare provider to continue operations.

We often work with healthcare systems looking to improve their disaster recovery strategies. Aligning the disaster recovery plan with the needs of the institution is a four-step process.

1. Determine business needs. First, interview end users, application owners and other stakeholders to uncover business processes and applications used. An important goal in this step is to establish the "recovery point objective" (RPO): How much data can the organization afford to lose? You also need to establish the recovery time objective (RTO): How long can the service be unavailable before the organization can no longer operate?

2. Gap analysis. What capabilities do the IT systems currently provide? How do these capabilities differ from the business requirements? With gap analysis, you can document key gaps and identify the impact of outages on the organization.

3. Design a plan to close the gaps. Create a technical and procedural plan to close the gaps. Where IT cannot currently provide the required RPO and RTO to the business, define a plan to ensure these objectives can be delivered.

4. Execute the plan: Closing the gaps between business needs and capabilities may be a multi-year process, depending on the time and resources available. In general, we recommend that an organization prioritize the most critical applications. If budget is unavailable to update systems and processes to provide the desired RPO and RTO for all systems, choose those with the greatest return on investment - the ones which are most important to the success of the organization. Plan to budget capital and/or operational funds in subsequent years to provide adequate recoverability for additional services.

Disaster recovery planning can be a valuable education process. Most importantly, it compels the organization to anticipate the worst - and to feel more confident about tackling the aftermath.