Business Interrupted: The Unexpected Disaster Your IT Provider Should Be Planning For

Power outages, cyber-attacks, and hardware failures rarely arrive with warning. When they hit a senior living community, the impact goes far beyond inconvenience. Nurses cannot access electronic Medication Administration Records (eMARs). Families cannot video call their loved ones. And if a Colorado Department of Public Health and Environment (CDPHE) survey team walks in during an outage, the questions they ask will not be easy to answer.

Backups Are Not Enough

Most operators assume that if their IT provider is running backups, they are protected. That assumption is wrong. Backups restore data. Business continuity keeps you operational. These are fundamentally different outcomes.

A backup can recover your files after a disaster, but it cannot keep your clinical systems running while the recovery happens. If your community loses its server and your only protection is a nightly backup, you could be looking at hours or days of downtime while hardware is replaced, software is reinstalled, and data is restored. During that window, your staff is operating blind.

What a Business Continuity Plan Actually Includes

• Encrypted off-site immutable backups. Immutable means the backups cannot be altered or deleted by ransomware. Off-site means a local disaster does not destroy both your systems and your recovery data.
• Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). RTO is how long it takes to restore operations. RPO is how much data you can afford to lose. A 24-hour RPO means you lose a full day of records if a disaster strikes. For clinical systems, that is unacceptable.
• Remote work readiness. If your physical location is compromised, can administrative staff continue working from another location? Can clinical staff access the systems they need from a temporary site?
• Redundant systems for critical infrastructure. Internet failover, backup power, and secondary communication channels ensure that a single point of failure does not bring your entire community offline.
• Regular disaster simulation. A plan that has never been tested is a plan that will fail. Quarterly tabletop exercises and annual recovery drills validate that the plan works under real conditions.

This Is Not Hypothetical

Florida communities face hurricane season every year. When a Category 4 storm takes out power for a week, the communities that stay operational are the ones with tested continuity plans, not just backup drives in a closet.

Colorado operators have dealt with wildfires and bomb cyclone events that disrupted power and internet for days. North Carolina communities faced catastrophic flooding in 2024. California wildfires forced evacuations with hours of notice. In every case, the organizations that recovered fastest had continuity infrastructure in place before the event.

Ransomware is the disaster that gets the most attention, and for good reason. When an attacker encrypts your systems and your backups are connected to the same network, those backups get encrypted too. Immutable, air-gapped backups are the only reliable defense against ransomware that targets backup infrastructure.

Five Questions to Ask Your IT Provider

1. What is our Recovery Time Objective for clinical systems? Can you demonstrate it with a recent test?
2. Are our backups immutable and stored off-site? Could ransomware reach and encrypt them?
3. Do we have internet and power failover at our community? What happens when the primary connection goes down?
4. When was the last time you ran a disaster recovery drill? What were the results?
5. If our server failed right now, how long before staff can access eMARs, email, and clinical systems?

If your IT provider cannot answer these questions with specifics, you do not have a business continuity plan. You have a hope-for-the-best strategy.