What Should a Business Continuity Plan Include for Senior Living Communities?
Power outages, cyber-attacks, and hardware failures rarely arrive with warning. When they hit a senior living community, the impact goes far beyond inconvenience. Nurses cannot access electronic Medication Administration Records (eMARs). Families cannot video call their loved ones. And if a Colorado Department of Public Health and Environment (CDPHE) survey team walks in during an outage, the questions they ask will not be easy to answer.
Backups Are Not Enough
Most operators assume that if their IT provider is running backups, they are protected. That assumption is wrong. Backups restore data. Business continuity keeps you operational. These are fundamentally different outcomes.
A backup can recover your files after a disaster, but it cannot keep your clinical systems running while the recovery happens. If your community loses its server and your only protection is a nightly backup, you could be looking at hours or days of downtime while hardware is replaced, software is reinstalled, and data is restored. During that window, your staff is operating blind.
The distinction matters operationally. A backup answers the question "Can we get our data back?" Business continuity answers the question "Can we keep delivering care while we get our data back?" For a senior living community where medication administration, fall response, and emergency communication depend on functioning technology, only the second question matters during a crisis.
What Is the Cost of Downtime for a Senior Living Community?
Downtime costs are not abstract. A 2024 study by ITIC found that over 90 percent of mid-size and large organizations report a single hour of IT downtime costs more than $300,000. For smaller organizations, including senior living communities, estimates range from $25,000 to $100,000 per hour when you account for lost productivity, staff idle time, and recovery labor.
But the financial calculation for senior living is different from a typical small business. When clinical systems go offline, the costs extend beyond lost revenue.
- Staff revert to paper processes. Nurses who normally document in an eMAR system must switch to handwritten medication logs. When systems come back online, every paper entry must be reconciled and re-entered. That reconciliation process alone can consume dozens of staff hours.
- Medication errors increase. Paper-based medication administration lacks the automated safety checks built into eMAR systems. Duplicate doses, missed doses, and drug interaction warnings that would normally be caught by software go undetected during an outage.
- Family communication breaks down. Families expect to reach your community by phone, email, and video. When those systems are down, unanswered calls generate anxiety, complaints, and in some cases, calls to the state ombudsman.
- Regulatory exposure compounds. If a state survey occurs during or shortly after a downtime event and your community cannot produce current documentation, the survey findings will reflect that gap. There is no grace period for technology failures.
The Change Healthcare ransomware attack in February 2024 disrupted claims processing for healthcare organizations across the country for weeks. The Ascension Health ransomware attack in spring 2024 exposed data belonging to 5.6 million people. These are large-scale examples, but the operational impact at a single senior living community can be just as devastating relative to its size.
What a Business Continuity Plan Actually Includes
- Encrypted off-site immutable backups. Immutable means the backups cannot be altered or deleted by ransomware. Off-site means a local disaster does not destroy both your systems and your recovery data.
- Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). RTO is the target for how long it takes to restore operations. RPO is how much data, measured as time since the last usable backup, you can afford to lose. A 24-hour RPO means you lose a full day of records if a disaster strikes. For clinical systems, that is unacceptable.
- Remote work readiness. If your physical location is compromised, can administrative staff continue working from another location? Can clinical staff access the systems they need from a temporary site?
- Redundant systems for critical infrastructure. Internet failover, backup power, and secondary communication channels ensure that a single point of failure does not bring your entire community offline.
- Regular disaster simulation. A plan that has never been tested is a plan that will fail. Quarterly tabletop exercises and annual recovery drills validate that the plan works under real conditions.
This Is Not Hypothetical
Florida communities face hurricane season every year. When a Category 4 storm takes out power for a week, the communities that stay operational are the ones with tested continuity plans, not just backup drives in a closet.
Colorado operators have dealt with wildfires and bomb cyclone events that disrupted power and internet for days. North Carolina communities faced catastrophic flooding in 2024. California wildfires forced evacuations with hours of notice. In every case, the organizations that recovered fastest had continuity infrastructure in place before the event.
Ransomware is the disaster that gets the most attention, and for good reason. When an attacker encrypts your systems and your backups are connected to the same network, those backups get encrypted too. Immutable, air-gapped backups are the only reliable defense against ransomware that targets backup infrastructure.
Five Questions to Ask Your IT Provider
- What is our Recovery Time Objective for clinical systems? Can you demonstrate it with a recent test? Your provider should be able to name a specific number, such as four hours for life-safety and clinical systems or eight hours for email and file access. If they cannot provide a documented RTO with test results to back it up, the number is theoretical.
- Are our backups immutable and stored off-site? Could ransomware reach and encrypt them? Immutable means the backup data cannot be altered or deleted, even by an administrator account. If your backups are on the same network as your production systems, a ransomware attack can encrypt both simultaneously. Your provider should be able to explain exactly where backups are stored, how they are protected, and what isolation exists between production and backup environments.
- Do we have internet and power failover at our community? What happens when the primary connection goes down? A single internet connection is a single point of failure. Cellular failover or a secondary ISP connection ensures that clinical systems, phone service, and nurse call integrations remain operational during an outage. Your provider should also confirm that UPS (Uninterruptible Power Supply) units protect network equipment with at least 30 minutes of battery runtime.
- When was the last time you ran a disaster recovery drill? What were the results? A plan that has never been tested under realistic conditions will fail under real conditions. Your provider should be able to produce documentation from the most recent drill, including what was tested, how long recovery took, and what gaps were identified.
- If our server failed right now, how long before staff can access eMARs, email, and clinical systems? This is the practical version of the RTO question. If the answer involves ordering replacement hardware, shipping time, and multi-day rebuilds, your community does not have continuity infrastructure. It has a rebuild plan.
If your IT provider cannot answer these questions with specifics, you do not have a business continuity plan. You have a hope-for-the-best strategy.
How Often Should You Test Your Business Continuity Plan?
A business continuity plan that sits in a binder or a shared drive without regular testing is a liability, not a safeguard. Industry best practice calls for a tiered testing approach throughout the year.
- Quarterly tabletop exercises. Gather your leadership team and walk through a disaster scenario on paper. What happens if your server room floods? What if a ransomware attack encrypts your clinical systems on a Friday evening? Tabletop exercises expose gaps in communication, decision-making, and role clarity without requiring any actual system disruption.
- Semi-annual functional tests. Test specific recovery procedures in a controlled environment. Restore a backup to confirm the data is intact and the process works within your stated RTO. Fail over to your secondary internet connection and confirm that clinical systems remain accessible. These tests validate that individual components of your plan work as documented.
- Annual full-scale recovery drill. Simulate a complete system failure and execute the full recovery plan from start to finish. Time the recovery. Document every step. Identify every point where the plan deviated from expectations. This is the only way to confirm that your stated RTOs are achievable under real conditions.
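To make the RTO and RPO definitions and the functional-test step concrete, here is an added example (not from the original article) that scores a recovery drill against its targets. The RTO figures are the article's sample numbers; the RPO figures, timestamps, and function names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# RTO targets are the example figures from the article (4 h clinical, 8 h email/files).
# RPO targets are assumed for illustration; the article gives no specific RPO figure.
TARGETS = {
    "clinical":    {"rto": timedelta(hours=4), "rpo": timedelta(hours=1)},
    "email_files": {"rto": timedelta(hours=8), "rpo": timedelta(hours=24)},
}

def worst_case_gap(backup_times, failure_at):
    """Longest stretch with no successful backup: the most data a failure could have cost."""
    points = sorted(t for t in backup_times if t <= failure_at) + [failure_at]
    return max((b - a for a, b in zip(points, points[1:])), default=timedelta(0))

def evaluate_drill(system, backup_times, failure_at, restored_at, checksums_match):
    """Return findings for one recovery drill; an empty list means every target was met."""
    target = TARGETS[system]
    usable = [t for t in backup_times if t <= failure_at]
    if not usable:
        return ["no successful backup precedes the failure"]
    findings = []
    if not checksums_match:
        findings.append("restored data failed integrity check")
    if restored_at - failure_at > target["rto"]:
        findings.append(f"RTO missed: recovery took {restored_at - failure_at}")
    if failure_at - max(usable) > target["rpo"]:
        findings.append(f"RPO missed: drill lost {failure_at - max(usable)} of data")
    gap = worst_case_gap(usable, failure_at)
    if gap > target["rpo"]:
        findings.append(f"backup gap of {gap} exceeds RPO")
    return findings

def at(day, hour, minute=0):
    return datetime(2025, 1, day, hour, minute)  # constructed timestamps

# Constructed drill records: hourly clinical backups with the 03:00 job missing,
# and nightly email/file backups.
CLINICAL_BACKUPS = [at(6, h) for h in (0, 1, 2, 4, 5)]
CLINICAL = evaluate_drill("clinical", CLINICAL_BACKUPS, at(6, 5, 20), at(6, 8, 50), True)
EMAIL = evaluate_drill("email_files", [at(5, 1), at(6, 1)], at(6, 15), at(7, 2), True)

if __name__ == "__main__":
    for name, result in (("clinical", CLINICAL), ("email_files", EMAIL)):
        print(name, result or "all targets met")
```

The clinical drill itself recovers in time and loses only 20 minutes of data, yet the missed 03:00 job left a two-hour window in which a failure would have broken the RPO. That kind of gap only shows up when backup history is reviewed alongside the drill result.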
Healthcare organizations are held to a higher standard than most industries. The Joint Commission, CMS Conditions of Participation, and state licensing agencies expect documented evidence that emergency preparedness plans, including IT disaster recovery, are tested and updated regularly. Your IT provider should be driving this testing cadence proactively, not waiting for you to ask.
Related Reading
- Business Continuity for Senior Living Communities: The Complete Guide -- The full framework for CMS emergency preparedness, recovery time objectives, and disaster recovery planning.
- Nurse Call Systems Are the Next Attack Surface. -- When life-safety systems go down, business continuity planning is the only thing between your community and a resident safety event.
- A Senior Living Operator Was Breached in March. -- What happens when disaster recovery and business continuity plans are not in place.
How prepared is your community for an unexpected disaster?
Tech for Senior Living provides a free Network and Business Continuity Assessment for senior living communities. We evaluate your backup infrastructure, recovery capabilities, and disaster readiness against the specific risks your community faces. No obligation, no sales pitch. Just a clear picture of where you stand.