To develop a disaster recovery plan for the organization’s health information system, the plan will be as following.
1. Identification and analysis of disaster risks/threats
There are many potential risks or treats from unexpected disasters that can lead to system failure. The essential functions of the hospital business include healthcare services, financial services, communicating with the central department, research and development services, teaching services, etc. Each function has different risk attributes. We have to consider the attributes of a risk in every single function, for example, the failure of servers used to provide healthcare service can make higher disaster if it occurs during the working hour than during the night. However, the impact of attacking servers for healthcare services is very high and costly.
2. Classification of risks based on relative weights
The potential risks should be classified into five categories: external risks, facility risks, data system risks, departmental risks, desk-level risk. In the server failure, for instance, the possible external risks include crimes, cyber-attacks, and human errors. The local facility may compromise due to electrical shortage, fire, air-conditioner malfunction leading to overheating of the server system.
3. Building the risk assessment
All potential risks will be listed and scored according to likelihood, impact, and restoration time if risks occur. A rough risk analysis score will be calculated by multiplying the likelihood, impact, and restoration time. The highest score is the greatest risk to the organization.
4. Determining the effects of disasters
Consideration of potential risks will cover four aspects: disaster-affected entities, downtime tolerance limits, cost of downtime, and interdependencies. Cyber-attacks to the servers, for example, can affect many issues. Healthcare personnel cannot gather or enter patient information to the system. Patient information can be stolen and used maliciously. The secret strategic plan is open to the public. In addition, the downtime tolerance limits are very low. The cost of downtime of servers is very high.
5. Evaluation of disaster recovery mechanisms
There are many possible methods for recovering data. Backup should be the main method to prevent system failure after facing disasters. The full backup is the most suitable, as the information of every patient should not be lost, although the cost is very high.
6. Disaster recovery committee
The personnel who will respond to the system failure after disasters must be documented in order to systematically activate and manage disaster recovery.