Disaster recovery planning for information technology functions - Feature Article

Nursing Homes, Feb, 2003 by Steven Lewis

Most nursing homes don't have sufficient staff and/or budget for comprehensive disaster planning. The approach that we recommend involves recognizing that disaster planning is an ongoing activity, one that evolves with the facility. The key is to have a systematic framework within which the evolving pieces of the plan can be filled in over time. By now, one would hope, organizations have taken some of the more basic steps toward enhancing resident and staff security from the effects of a disaster--physical safety, continuity of vital services, counseling arrangements, and the like. HIPAA regulations apply specifically to information system security. They require advance planning for the recovery of the organization's computer and business functions following a disaster.

What does this involve? The Disaster Recovery Yellow Pages™ recommends the following systematic approach:

* develop a formal method of documenting the dimensions of the disaster as they impact the organization;

* understand where the organization's functions fit into planned stages of recovery;

* identify unique vulnerabilities and serious risks; and

* follow the procedural steps of disaster planning, including concepts for testing the plan.

Documenting the Dimensions of the Disaster

Even though disasters come in an infinite variety, their effects on the organization's IT can be analyzed as three "dimensions of loss":

* loss of information

* loss of access (to information, facilities, etc.)

* loss of personnel

Loss of information could be caused by events ranging from the "low-tech" destruction of paper files in a fire or storm to the inadvertent "high-tech" destruction of network files during an upgrade to a new software release.

Loss of access might be to buildings housing IT, support services, parts and supplies, information, etc., resulting from destruction of property by fire or explosion, flooding, loss of electric power, work stoppages as a result of union picket lines, etc.

Loss of personnel, when evaluated as a risk factor to the organization, depends on the organization. Some might be vulnerable to the loss of an entire class of workers, such as in a union work action; others might be vulnerable to the loss of a few key employees.

Fitting Into the Stages of Recovery

To help avoid wasting scarce resources on restoring high-profile functions sooner than they can actually be supported, the Table offers a timetable delineating four distinct stages of recovery from most disasters.

Identifying Unique Vulnerabilities and Serious Risks

Doing this properly requires a "brainstorming" process involving employees themselves during departmental or group meetings. Reviewing the potential impacts of possible disasters begins to build their awareness of disaster planning and will likely uncover areas of potential risk that management might not recognize.

Proceeding With Disaster Planning

Once the organization's unique vulnerabilities and other serious risks have been identified, you need to begin the planning process:

* Obtain top management's guidelines to prioritize the protection or restoration of operations. Senior management should "rank" the various IT functions, based on how long the organization can survive without each one. Once senior management determines how long each function can be suspended, then lower-level management can decide on the best technical means to meet those recovery goals.

* Determine how to restore each operation to meet the management guidelines, and assign a disaster-recovery team (including a "second in command") for each operation.

* Take a complete inventory of everything that cannot be replaced generically (e.g., specific forms, files, equipment, etc.).

* Write the plan down, including specific personnel assignments, recovery procedures for each function, updated inventory of equipment (both generic and specialized), and phone numbers of all employees, IT vendors, and board members. Contact numbers for residents' families and after-hours contacts for vendors, insurance agents, etc., should also be listed.

* Review the plan with all employees as it pertains specifically to them. This is a means of verifying that the plan is actually workable and that any needed additional cross-training has been accomplished.

* Test the plan, review results, and modify the plan, as appropriate. Testing might involve some level of "reality checking." This would include what we call the "blink test," the independent expert (employee) assessment/structured walk-through, component tests, and "pull the plug" evaluation.

The "blink test" occurs when, upon hearing some detail of the plan, an employee blinks and says, "I can't do that," or "I don't have access to that information." Obviously, some adjustment is required. This can be helped by reviewing the plan with each employee, based on his/her expertise and familiarity with the daily ebb and flow of specific operations--the expert (employee) assessment and structured walk-through mentioned above. Because components of the plan have been specified and prioritized, each can be tested independently by employees with specific interest and expertise in those areas, e.g., recovery of computer backup files, transfer of data to the computer backup site, and operation of the backup site itself.


 


Content provided in partnership with Thompson Gale