Practicing for Disaster
I know first hand about plane disasters. When I was 11 years old, I was on a Pan Am Clipper jet from San Francisco to Honolulu when an engine on our jet caught fire, disintegrated and broke off along with a third of the wing, and debris was strewn about South San Francisco. Our pilot was an ex-military pilot who breathed aerodynamics, had flown planes under extreme conditions and had finely tuned judgment on the risk of death of the 200 plus passengers on his plane. Luck was with us and we had no fatalities. After dumping fuel in the bay, we landed safely at Travis Air Force Base 60 miles north of San Francisco. As we watched the plane that came to take us back to San Francisco land, the nose gear collapsed. It definitely was not our day to fly.
As passengers, each time we step into a plane we listen to the same safety procedures. The mantra of how to buckle and unbuckle your seat belt seems boring and unimportant because the probability of having to execute is extremely low. In a chaotic situation passengers automatically perform the motion of pushing a button to release a car seat belt instead of lifting the clasp to release. The fact that new planes are designed for evacuation in 90 seconds with only half of the exit doors operating demonstrates the gravity of getting out of the plane as fast as possible. That can only happen if everyone knows what to do, listens to the crew and does what they are told. The crew is trained to shout commands to the passengers to get their attention. With a plane on fire, seconds matter in getting to the exit and out of a plane. The crew has practiced these crash exit scenarios many times and it is ingrained in their behavior to lead the unpracticed passengers.
The most recent Asiana plane crash at San Francisco was a testament to disaster preparation. The flight crew helped passengers evacuate the plane quickly no doubt saving many lives and serious injuries. Starting with triage at the crash site for large numbers of trauma victims, hospitals then jumped into action by activating their disaster procedures. Everyone was prepared.One hospital praised the first responders saying that whomever did the triage did a superb job. With over 180 passengers sent to six hospitals, it is surprising that there wasn’t more confusion and chaos at the scene. The practiced procedures appeared to work seamlessly.
Healthcare organizations that fall under the purview of HIPAA’s security rule are required to possess a contingency plan. How compliance is accomplished is pretty vague because the priority of content as well as the type and size of organizations differs. However, there are three things that you must be able to demonstrate:
- You’ve conducted a formal analysis of the risks to your data, including an assessment of the physical access and security in addition to technical threats.
- You have produced a disaster recovery plan with policies and procedures in place that cover backup, storage, and recovery.
- Your plan adequately and reasonably addresses the risks identified in your analysis. Not all risks need to be fully resolved, but they must be acknowledged and reasons why specific risks are not going to be resolved (e.g cost, probability) must be stated.
The most important activity is that a proper risk analysis has been completed and that your organization has addressed the risks in a plan. A risk analysis should be performed periodically and any time there is a major organizational change. This includes information systems, backup procedures or storage, structural modifications, and vendor changes.
An essential aspect of successful disaster recovery is prior practice of the plan. The second most important factor in recovery is practicing the plan. As many parts of the plan as possible should be executed on a regular basis to ensure that they work. Changes in the environment, vendors, processes and procedures all affect a disaster recovery plan. Often, these kinds of changes are made without looking at the effect on the disaster recovery plan. It is imperative to practice the plan. No matter how boring and repetitive – just like the safety announcements made when an airport is taxiing for takeoff – practicing the plan will surface procedural gaps and validate assumptions.
Disaster recovery planning will allow you to resume operations amid the chaos that surrounds any disaster. With practiced recovery steps, your organization can help in a disaster instead of becoming a part of it.