According to CISCO Disaster Recovery Plan Best Practices, they have proposed three core components that should be included in the disaster recovery plan which are,
(1) Identify and classify the threats/risks that may lead to disasters
(2) Define the resources and processes that ensure business continuity during the disaster
(3) Define the reconstitution mechanism to get the business back to normal from the disaster recovery state, after the effects of the disaster are mitigated
In healthcare settings in Thailand, for example, we have a strong health care system which is able to provide almost sufficient care to the majority of people comparing to many countries. Unfortunately, a disaster is one of the risks which may lead to a devastating data loss yet potentially preventable. There are various types of disasters depending on the area whether it might be flooding, fire (caused by lightning strikes, short electrical circuits, heat, etc.), accidental damage, earthquake, and so on. After certain risks have been estimated and evaluated, we have to determine the risk by using a risk assessment matrix. Then we must identify stakeholders and related committees in case the situation occurs.
Most hospitals in Thailand, they tend to keep all the data locally in the centralised database located in their very own hospitals. If anything happens, be a flood or fire, even they have a back up or replica in place, it would not be of much help. The problem is that there are rules clearly stated that a government data must not be kept on the third-party cloud. In this case, I suggest that each hospital should have another backup elsewhere which is not located in the same region or risky location. It could be a data centre of the MOPH or anywhere. However, the cost of maintaining a centralised database for such amount of healthcare data is very high, but the safety of the invaluable data is worth the price.