
After speaking with several Epic health systems over the last few weeks, it is clear to me that each organization has a different idea of cybersecurity, cyber-resiliency, and business resiliency, and of what solutions are available to them to achieve their vastly different goals.
So, I wanted to write this blog to help clear the air on what options are out there and when to use them.
Unfortunately, the topic that dominates the news in healthcare these days is ransomware. Every week we read about a health system whose patient records have been frozen, causing severe impact to, or total stoppage of, hospital operations. This may last months. Even after the system is back online, health systems may feel the effects for years. Affected health systems struggle to recover from financial loss, loss of patient trust, increased security and insurance costs, and legal consequences.
This article from Becker’s shows the top 10 breaches from ’24 and just how many Americans are affected.
Based on that, it is no surprise that CIOs are focused on doubling down on cybersecurity in 2025, as seen here in an article from CIO.com.
To me, cybersecurity means “how am I protecting my systems from a security attack?” In other words, it is a proactive approach, which is important, no doubt, but it is not the be-all and end-all.
Cyber criminals are becoming more talented, and no solution to combat them is perfect. So there also needs to be a reactive approach: “how am I recovering access to my system when a security attack happens?” Both measures must be in place.
Cybersecurity and cyber-resiliency are both components in an overall business resiliency strategy. There is no other industry where a well-defined, robust business resiliency strategy is required more than healthcare. When business stops, lives may be lost. It’s the harsh reality.
However, a business resiliency strategy does not start and end with security. We need to consider hardware failures, network outages, accidental deletions, natural disasters, and anything that may cause a potential disruption to hospital operations.
Epic has an impressive history of quickly creating solutions for their customers to solve business and technical challenges as they become increasingly common, whether in the form of a simple Epic update, an Epic software upgrade, or an entirely new Epic module. In the past few years, as ransomware attacks have become more frequent, Epic has developed solutions to help their customers recover from these events. But it is extremely important to understand the capabilities of these solutions so that you can ensure they meet your exact needs.
First let me define what the solution is, what capabilities it provides, and, arguably most importantly, what its limitations are.
Epic’s Isolated Recovery Environment (IRE) is an up-to-date tertiary copy of your Production Epic Operational Database that runs on a separate network from your Production and Alternate Production Operational Databases. It is meant to be used as a “break glass in case of emergency” recovery instance of Epic if your organization has declared a cyber-attack, and your Production and Alternate Production Databases are not accessible.
It is meant to provide limited functionality that gives clinicians bare-bones access and information they need to run baseline hospital operations like accessing patient records, secure chat, note taking and appointment scheduling.
It is not meant to be used as a full-blown business resiliency solution or as a replacement for Alternate Production, nor will it provide an environment from which you can run normal day-to-day hospital operations for an extended period (think weeks or months).
The idea is to leverage IRE to continue bare-bones hospital operations and avoid a complete stoppage while the health system’s security and IT teams assess the cyber-attack, determine its severity, and rebuild Epic environments on a separate network with clean data that will ultimately be used for an extended period of time.
It is an intermediate, short-term solution that is only used for patient records. That is to say that this solution will not magically bring up your imaging systems, document management systems, or blood banks.
Let me say that again – it is for patient records only.
Now let’s take a look at a more robust business resiliency solution that should be in place in all health systems.
Epic Alternate Production Environments are near-real-time copies of your Production environments that reside in a geographically dispersed data center and run on the same network as your Production environments. This is the traditional disaster recovery solution used across all industries. Alternate Production environments are meant to protect against failures in the Production region: data center outages, hardware failures, natural disasters, etc.
In contrast to IRE, Alternate Production environments are meant to provide health systems with a full-blown business resiliency solution. When activating the Alternate Production environments, hospitals can run business as usual with full functionality.
The important distinction is that Alternate Production environments, or, more generally, a disaster recovery plan, encompass all hospital components that are deemed mission critical. So, not just the patient records. This includes imaging systems, document management systems, and blood banks.
You are probably asking yourself, “But how do I implement an IRE-like solution for my imaging systems, document management systems, and other systems outside of my patient record system, because my hospital is not fully functional without those in the event of a cyber-attack?”
Unfortunately, I don’t have an answer for you. What I can tell you is that you are not the only health system thinking about this. Many are working on developing a strategy for a “clean room” solution. So, in the event of a cyber-attack, they have a defined process and infrastructure in place to recover their imaging systems, document management systems, etc., in addition to recovering their patient record system via IRE.
Three years ago, the notion of IRE did not exist. Health systems were asking themselves, “If I get hit with ransomware, how can I quickly and safely recover my patient records while I rebuild my production systems?” So, it is a testament to how quickly technology changes to meet new needs.
I am confident that in the coming years more and more health systems will put in place cyber-resiliency solutions that encompass more of the hospital than just patient records, and will be able to share these architectures and processes with their peers.
While those solutions and processes are being developed, it is extremely important to think about these things when developing your overall business resiliency strategy:
1. What are my goals? For instance, am I protecting against ransomware or a natural disaster?
2. Are my goals aligned with my C-suite and board? Are we all driving to the same outcome?
3. What are the solutions available to me to achieve these goals? It is critical to understand what these solutions are designed for and their limitations. Do not try to extend the capabilities of these solutions to do something they are not designed to do.
4. What applications do I always need available for my hospital to run with full functionality?
5. What applications do I need available in order to run the bare minimum hospital operations to avoid diverting trauma patients and cancelling surgeries?