As the report states, not all data is equal, so identifying the criticality of existing IT systems and data is important. Administrators and IT teams do not need to back up every megabyte and every application.
The following questions are helpful in determining what needs to be backed up:
• How much data and time can you afford to lose? Knowing the cost of downtime can help senior management understand IT system disaster recovery hardware and software budgets.
• How much money and how many patient records would your practice lose if you lost all of your transaction data from the last twelve hours, or even the last ten minutes?
• What is the value of the knowledge contained in your practice's last twelve hours worth of emails and email attachments?
• What is your exposure if you cannot produce this data in compliance with HIPAA?
The next step is applying a formula to determine the cost of a potential data disaster. The "cost per occurrence" is calculated as (To + Td) x (Hr + Lr), where:
• To = Length of outage (in hours)
• Td = Time delta to data backup (how long since the last backup?)
• Hr = Hourly rate of personnel (calculate as the monthly expense per department divided by the number of work hours in the month)
• Lr = Lost revenue per hour (applies only if the department generates profit; a good rule is to take profitability over three months and divide it by the number of work hours in that period)
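As an added example that is not taken from the report or this article, the following Python applies the cost-per-occurrence formula with Hr and Lr derived as described, using constructed figures, and compares several backup intervals (worst-case Td) to show how the recovery point objective drives the cost:

```python
# Added example: cost per occurrence = (To + Td) x (Hr + Lr).
# All dollar figures and hours below are constructed for illustration.


def hourly_rate(monthly_expense, work_hours_per_month):
    """Hr: a department's monthly personnel expense divided by its work hours."""
    return monthly_expense / work_hours_per_month


def lost_revenue_per_hour(quarterly_profit, work_hours_per_quarter):
    """Lr: three months of profit divided by work hours (0 for non-revenue departments)."""
    return quarterly_profit / work_hours_per_quarter


def cost_per_occurrence(to_hours, td_hours, hr, lr):
    """Cost of one incident: (To + Td) x (Hr + Lr)."""
    return (to_hours + td_hours) * (hr + lr)


def compare_backup_intervals(to_hours, hr, lr, intervals_hours):
    """Cost per occurrence for each backup interval, assuming the worst case:
    the failure happens just before the next backup, so Td equals the interval."""
    return {interval: cost_per_occurrence(to_hours, interval, hr, lr)
            for interval in intervals_hours}


if __name__ == "__main__":
    # Constructed department: $80,000/month over 160 work hours -> Hr = $500/h;
    # $240,000 profit over a 480-hour quarter -> Lr = $500/h.
    hr = hourly_rate(80_000, 160)
    lr = lost_revenue_per_hour(240_000, 480)
    outage = 8  # To: hours to bring the system back (drives the RTO discussion)
    # Candidate RPOs: nightly, twice daily, hourly and every 15 minutes.
    for interval, cost in compare_backup_intervals(outage, hr, lr, [24, 12, 1, 0.25]).items():
        print(f"backup every {interval:>5} h -> cost per occurrence ${cost:,.0f}")
```

The difference between the nightly and the 15-minute rows is the money a shorter RPO protects, which can be weighed against what the more frequent backups cost to run.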
Once the cost per occurrence is calculated, the report recommends considering two objectives: recovery point objective (RPO) and recovery time objective (RTO). The recovery point objective is how much data the organization can afford to lose since the last backup; it depends on how frequently the organization backs up its data and is measured in hours of data loss.
The recovery time objective is how quickly the organization needs its health information restored. A day's delay may not matter much for emails sent between departments, but restoring patient records within hours can be critical.
Finally, a solution can be chosen. Possible solutions include:
• Backup — keeping data safe. For EHRs, data backup may be more important for RPO than RTO.
• High availability — keeping critical applications and data online. This is necessary for EHR compliance and business continuity.
• Disaster recovery — the ability to recover data in case the production system is damaged, destroyed or becomes unavailable for an undeterminable period of time. A disaster recovery solution that can restore data quickly and completely is required to meet low RPO and RTO thresholds.