by Ekram Kahn
Technology is only as good as your disaster-recovery plan. Most offices stop at backups; disaster-recovery plans are often overlooked. It is crucial to conceptually account for disaster scenarios that involve fire, flood, theft, vandalism, and sabotage. Ask yourself this question: Can I get all of my information technology systems up and running within 72 hours of complete system failure? If you can't answer yes to that question, then I suggest you assemble a team to formulate and execute a disaster-recovery plan. Several of the following steps are from a white paper by Cisco Systems on the topic of disaster recovery.
Management awareness
Management awareness is the first and most important step in creating a successful disaster-recovery plan. All key staff members should realize the impact of a complete system failure and how to best utilize the available resources to bring your practice back to full functioning status. Several key tasks are required to achieve management awareness.
Identify possible disaster scenarios
First, identify the top 10 disasters and analyze their impact on your practice. Your analysis should cover communications with suppliers and patients, the impact on operations, and disruption to key business processes. Complete this prestudy before embarking on the disaster-recovery planning process, realizing that it will require additional verification during the planning stage. Some possible disasters include fire, storm, water, earthquake, chemical accidents, nuclear accidents, war, terrorist attacks, and other crime. Most disasters are caused by fire or flood. Consequently, start with fire as your first case study. Assess the impact of a disaster on your practice from both a financial and physical (infrastructure) perspective by asking these questions:
- How much of my practice resources could be lost?
- What are the total costs?
- What efforts are required to rebuild?
- How long will it take to recover?
- What is the overall impact on my practice?
- How will patients be affected?
Disaster-recovery planning process
In the planning stage, categorize the processes, systems, and services in your network as mission-critical, important, and less-important. Establish plans to ensure that these are protected against the effects of a disaster. Follow these key steps:
- Establish a planning group.
- Perform risk assessments and audits.
- Establish priorities for your network and applications.
- Develop recovery strategies.
- Prepare an up-to-date inventory and document the plan.
- Develop verification criteria and procedures.
- Implement the plan.
Establish a planning group
A planning group manages the development and implementation of the disaster-recovery strategy. Include key people from both the clinical and administrative areas. This team will be responsible for all disaster-recovery activities.
Perform risk assessments, audits
To create the disaster-recovery plan, your planning group must thoroughly understand your practice's processes, technology, networks, systems, and services. The group should prepare a risk analysis and business impact analysis that includes at least the top 10 potential disasters. The risk analysis should consider the worst-case scenario of completely damaged facilities and destroyed resources. It should address geographic situations, current design, lead-times of services, and existing service contracts. Each analysis also should include an estimate of the cost of replacing damaged equipment, drafting additional resources, and setting up extra service contracts.
Establish network and applications priorities
When you have analyzed the risks from various disaster scenarios, assign a priority level to each:
- Mission critical - Network or application outage or destruction that would cause extreme disruption to the practice, major legal or financial ramifications, or threaten personal health and safety. The targeted system or data requires significant effort to restore, or its restoration is disruptive to the practice or other systems.
- Important - Network or application outage or destruction that would cause a moderate disruption to the practice, minor legal or financial ramifications, or provide problems with access to other systems. The targeted system or data requires a moderate effort to restore, or its restoration is disruptive to the system.
- Minor - Network or application outage or destruction that would cause a minor disruption to the practice. The targeted systems or network could be easily restored.
Develop resiliency design and recovery strategy
Just as the analysis of processes determines the priorities of the network, applications, and systems, the same analysis should be applied to your network design. Develop a recovery strategy for dealing with a disaster. Such a strategy may be applicable to several scenarios; however, the plan should be assessed against each scenario to identify any actions specific to different disaster types. Your plan should address these areas:
- People
- Facilities
- Network services
- Communication equipment
- Applications
- Clients and servers
- Support and maintenance contracts
- Additional vendor services
- Lead-time of Telco services
- Environmental situations
Your plan also should determine thresholds, such as the minimum level at which the practice can operate, the systems that must have full functionality, and the systems that can be minimized.
Prepare up-to-date inventory, plan documentation
It is important to keep your inventory up-to-date and have a complete list of all locations, devices, vendors, services, and contact names. The inventory and documentation should be part of the design and implementation process of all solutions. Your disaster-recovery documentation should include:
- Inventory of all software, hardware, devices, and service contracts
- Contracts/agreements related to hardware, software, and network integration
- License files and disks for the operating system and practice-management software
Develop verification criteria and procedures
Once you have created a draft of your plan, develop a verification process to test the strategy. If you've implemented your strategy, review and test it. It is important that you test and review your plan frequently.
Implementation
Now it's time to make some key decisions: How should your plan be implemented? Who are the critical staff members? What are their roles? Practice disaster recovery using roundtable discussions, role-playing, or disaster-scenario training. Consider having a disaster-recovery drill during a staff meeting once every quarter.
Backup and disaster recovery are topics that often are misunderstood or dangerously simplified. By designing a cohesive system that utilizes the technologies outlined and developing a plan, you should be able to restore from any disastrous situation. The process of developing this plan may seem like a daunting task, but it is necessary for the modern digital dental office. When implemented correctly, a dental computer network will function transparently. The only time you will notice it is when it is not available. Solid backup strategies, combined with a clear plan, will ensure maximum availability of all of your resources.
