Biomedical Engineering Reference
In-Depth Information
b. If the organization's software applications
generally are run on-site, is its disaster-
recovery site located off-site (or vice
versa)?
c. Have the advantages and disadvantages of
the locations of the organization's primary
software-operations and disaster-recovery
sites been taken into account in the various
contracting processes?
d. If the institution's software applications
are run in a Web-based or remote-
computing mode, is the vendor's disaster-
recovery plan accessible to the institution,
and has the institution reviewed that plan?
e. Based upon the review of the remote
vendor's disaster plan, is it necessary for
the organization to separately contract for
a disaster-recovery site for that application,
or can the primary agreement be consid-
ered to include a disaster-recovery compo-
nent?
f. If the institution is relying upon the
disaster-recovery plans of the remote
vendor, will the institution be notified of
any changes to that plan?
g. Does the institution have the negotiating
leverage necessary to require its consent
to any changes in the vendor's disaster-
recovery plan? Does the institution have the
expertise to exercise effectively its consent
over a remote vendor's disaster-recovery
plan, or is it better to rely on the vendor's
expertise in the particular instance?
perspective of safety, cost, and other rele-
vant considerations? (In other words, what
is the organization's risk threshold for
various IT functions?)
b. Does the facility's emergency plan
currently address maintaining continuity of
IT services and recovery of IT services?
c. For IT services provided in-house (if any),
what type of backup systems does the
facility have in place (e.g., redundant or
“fail over” systems, personnel, skill sets;
off-site data storage; off-site backup oper-
ations)?
d. Has the facility identified potential failures
in its IT operations?
e. Has the facility developed detailed proce-
dures for mitigating each of the potential
failures?
f. What plans does the facility have in place
for ensuring that necessary IT personnel
are available during and following emer-
gencies?
g. Has the facility established plans for
communicating with key IT personnel
(including vendor personnel) in case of an
emergency, and for ensuring that they can
communicate with each other?
h. Has the facility tested its emergency plans
and mitigation procedures at least annu-
ally?
i. Have the vendor's personnel participated
in the emergency planning, mitigation
procedures, and drills?
2. For outsourced IT services, what additional
issues require consideration by healthcare
organizations?
a. What IT issues can/will the facility handle
in the event of an emergency?
b. What issues does the organization expect
its IT vendor(s) to handle?
c. Do the facility's IT vendor(s) have emer-
gency plans in place?
d. Do these plans specifically ensure that the
facility's IT services will be maintained
during an emergency?
C. Developing Emergency Plans for IT
Services
In preparing for emergencies, an organization's
goal should be to maintain continuity of critical
IT services during and following the emergency,
and to have in place a disaster-recovery plan that
allows IT services to be re-established as quickly
as possible.
1. What
are
the organization's
critical
IT
services?
a. How long can the organization afford to
be without such IT services from the
