Joplin, MO was hit by a massive tornado on Sunday evening that did extensive damage to the St. John’s Regional Medical Center hospital. There are reports that x-rays from the hospital have been found in driveways 70 miles east of the hospital.

On Twitter Steven Waldren sheds some very interesting and insightful perspectives:

Steven’s quotes gets to the bottom of Disaster Recovery.  When an actual disaster hits and your servers are destroyed how do you get to your data? Having tape backups or offsite backups are fine but if your servers are gone where do you restore the data?

Disaster Recovery (DR) planning is more than ensuring you have a backup of your data. It is about ensuring that your organization can still function and get to critical systems even when your primary systems have been destroyed. With cloud-based Disaster Recovery solutions the cost of implementing DR has been significantly lowered. All healthcare organizations should be looking into some sort of DR that will not only ensure that data is properly backed up but will allow for access to critical data in the event of a real disaster.

Contingency planning and DR planning are required under the HIPAA Security Rule:

STANDARD § 164.308(a)(7)Contingency Plan

The purpose of contingency planning is to establish strategies for recovering access to EPHI should the organization experience an emergency or other occurrence, such as a power outage and/or disruption of critical business operations. The goal is to ensure that organizations have their EPHI available when it is needed. The Contingency Plan standard requires that covered entities:

“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”

DISASTER RECOVERY PLAN (R) – § 164.308(a)(7)(ii)(B)

The Disaster Recovery Plan implementation specification requires covered entities to:

“Establish (and implement as needed) procedures to restore any loss of data.” Some covered entities may already have a general disaster plan that meets this requirement; however, each entity must review the current plan to ensure that it allows them to recover EPHI

A final takeaway is that the time to think about Disaster Recovery is before a disaster hits. Implementing DR is not only required under HIPAA but is critical to any business to ensure that the organization can continue to operate even when primary systems are destroyed.