Planning for a disaster requires the creation of a business impact analysis and a strategy for predetermined responses. Unfortunately, most IT departments ignore these first two steps and start with recovering and restoring systems, said Tom Walsh, CHS, CISSP, of Tom Walsh Consulting LLC. He spoke during a presentation called “Surviving Natural Disasters: Preparing for the Worst from Mother Nature,” on Wednesday at HIMSS06 in San Diego.
   
You also should determine your recovery time objective (RTO). This requires learning how much time you have before the organization is in trouble if systems aren’t up and running. One component of your RTO is your contingency plan or downtime procedures—how will you function during temporary outages.
   
Next is activating your disaster recovery plan. There are four steps to a good plan—planning, testing, responding, and recovering. Testing is essential, Walsh said. “If you don’t, your plan is just a document.” Plus, the more testing you do, the better you get and you speed up your recovery time, he pointed out.
   
Developing your plan with the input of other departments also is essential. “Usually, IT develops a plan without talking to anyone outside of their department.” That’s a problem because IT doesn’t necessarily know which systems are the top priority.
   
Christi Rushnell, HIT director for HealthFirst, a health system in Florida, said that emergency preparedness took center stage for the organization after Hurricane Floyd in 1999. They contracted with IBM for a hot site and spent 12 months on planning and documenting.
   
Both Walsh and Rushnell recommend using checklists. Rushnell said hers are geared to hurricanes, but flexible checklists are flexible enough for any kind of disaster. Walsh pointed out that you want to use a font large enough to read when everyone is under pressure.
   
Above all, plan for the worst case scenario. That way, if anything less severe happens, you’re covered.