Are You Confident in Your Health System’s Business Resilience?

Jun 13, 2024



Written by Mike Garzone

Category: IT Strategy & Implementation - Security

Prevention is Essential, but Disruption is Inevitable

Hospital and health systems’ ability to stay in business depends on IT systems and infrastructure being able to withstand and recover from various disruptions, such as ransomware attacks, hardware failures, natural disasters, and human errors. Given rapidly evolving cyber threats, the realities of modernization, and many other factors, experiencing disruption is not a matter of “if” for healthcare delivery organizations – it’s a matter of when.

Prevention is essential. Hospitals and health systems must implement necessary and responsible defense measures, work hard on education and training, and make information security part of their DNA. However, when the inevitable disruption happens, it is equally important to have well-documented and regularly rehearsed plans to respond and recover. Active testing of the plans will also help mitigate the inherent unknowns associated with disruption, allowing the CIO to provide senior leadership and the board with well-informed estimates regarding how much a recovery will cost and how long it will take.

The Importance of Business Resilience

Numerous factors are influencing business resilience and making it more critical than ever. When a ransomware attack happens, or a natural disaster strikes, your organization needs to be able to quickly respond and recover.


The problem is disruption is not just inevitable; it’s also expensive. Beyond the cost of the recovery effort itself, there is lost revenue from not being able to perform basic business functions such as documenting care in the EHR, billing for services in the revenue cycle system, or ordering supplies in the ERP. Exacerbating the challenge is the uncertainty associated with disruption. Not knowing if you will be locked out of a core system for a day, a week, or longer could be a difference of millions or tens of millions of dollars. There are also patient safety risks that could manifest depending on the applications involved and the length of the outage.

Business resilience is not only about how your organization responds to and recovers from a disruption like a ransomware attack. It’s also about mitigating any unknowns related to how much the restoration will cost, how long the recovery will take, and the effectiveness of the processes and technologies involved. And more, it is about continuing to improve all components of the plan based on a cycle of discovery, validation, and regular rehearsals.


Maximizing the Effectiveness of the Business Resilience Cycle

The cycle of business resilience involves the business continuity plan, incident response plan, disaster recovery plan, and business impact analysis.

Keys to maximizing the effectiveness of this cycle include:
  • Ensure all processes and procedures related to response and recovery are well-documented and reflect input from business stakeholders throughout the organization. Ownership of business resilience is not the sole responsibility of IT. The IT department plays a crucial role, but senior leaders across every department and business line need to be fully engaged and highly involved in decision-making (e.g., developing the processes and procedures to follow in the wake of a crisis). Every health system is different, and each component of your business resilience plan must account for your organization’s unique technology environment, workflows, and known interdependencies.
  • Regularly rehearse a simulated disruption. The most effective way to ensure your hospital or health system is prepared for disruption is to actively rehearse your business resilience plans. Schedule a time when your organization will simulate a disruption, such as a core application being unavailable in the wake of a ransomware attack. Don’t just ask staff what they would do. Have them follow the documented processes required if the EHR or another system was encrypted.
  • Use the findings from the rehearsal to validate and improve your plans. How well did the rehearsal go? How long did each step take? How well did the communication points and processes work in real time? How effective are the tools being used to recover data? Are there tools or strategies that could recover your environment faster? Did everyone know their role? Are there interdependencies (either technology-related or process-related) that your organization hadn’t accounted for? After you’ve validated the tools and processes in your plans and discovered opportunities for improvement, make the appropriate changes and then schedule another rehearsal in the near future.

The Bottom Line

No hospital or health system CIO can tell their board in good conscience that the organization is immune to disruption. Successful ransomware attacks are going to happen. Natural disasters and other crises will occur. Instead, what CIOs should be able to communicate to senior leadership and the board is:

  1. The organization is taking all responsible and necessary precautions to prevent ransomware attacks and other types of disruption.
  2. When the inevitable disruption or crisis does occur, the organization has a well-documented and regularly rehearsed plan in place to recover and respond.
  3. Based on those rehearsals, the organization has a well-informed estimate about how much recovery will cost and how long it will take.

Is Your Organization Ready to Effectively Respond and Recover from a Ransomware Attack or Other Crisis?

  • Do you have a well-documented plan for getting your organization back up and running quickly and efficiently?
  • Do all departments (not just IT) understand what to do when disruption hits? Have they trained and been tested?
  • Are there formalized processes for what, when, and how to communicate to patients?
  • Do you know:
    • What exactly you need to restore (network and/or endpoints)?
    • How much restoration will cost?
    • How long the recovery will take?

Impact Advisors can help you understand and minimize your vulnerabilities while also helping you prepare for the day something gets through. We provide industry-leading expertise to help you build business resiliency backed by three years as Best in KLAS® for Security and Privacy Consulting Services.