A healthcare provider carried patient records and clinical systems that could not be unavailable for long without putting care at risk, yet its disaster recovery plan was a document describing a manual rebuild that had never been tested end to end. Regulatory pressure and a near miss outage forced the question that every critical estate must eventually answer: if the primary region is lost, how quickly and how reliably can we recover? This case describes the cross region disaster recovery the provider built on Oracle Cloud Infrastructure and the tested recovery time it achieved.
It belongs to our OCI case studies and benchmarks cluster, and it shows the resilience principles from our bank uptime case applied to the harder problem of surviving the loss of an entire region. The client is anonymised by sector.
The situation
The provider ran its clinical and records systems in a single region, with backups that were copied off site but had never been restored under realistic conditions. The recovery plan assumed a manual rebuild measured in many hours, possibly days, which for systems clinicians depend on was unacceptable. A brief outage had already shown how exposed the organisation was, and regulators expected a tested recovery capability rather than a paper plan.
The requirement that emerged was specific. The organisation set a recovery time objective of fifteen minutes for its most critical systems, and a recovery point objective measured in minutes so that almost no data would be lost in a failover. Those numbers, not a vague aspiration to resilience, drove every design decision that followed, because a recovery target is only meaningful when it is a number you can test against.
What we did
The design placed a standby environment in a second OCI region, kept continuously ready rather than built on demand, because a recovery measured in minutes leaves no time to provision infrastructure during a disaster. The databases used continuous replication to the standby region so that the recovery point stayed within the required minutes, and the application tier in the second region was defined as code and kept in step with the primary.
Crucially, the failover was made an exercised procedure rather than a theoretical one. A documented, automated runbook performed the failover, and that runbook was tested on a regular schedule against the actual recovery targets. Each test proved that the provider could lose its primary region and bring the critical systems live in the second region inside the fifteen minute objective, and each test refined the procedure further.
The OCI architecture used
The architecture spanned two OCI regions. The primary region ran the live estate; the secondary held a standby that was continuously replicated and ready to take over. Database replication kept the standby current within the recovery point objective, and the network and routing were designed so that traffic could be redirected to the second region cleanly when failover was invoked. The whole secondary environment was infrastructure as code, so it could be kept identical to the primary and rebuilt if needed.
This cross region design follows the patterns in our disaster recovery and HA solution, where the recovery objectives set the architecture rather than the other way round. The standby was sized to carry the critical workload, the replication was monitored continuously, and the failover path was the rehearsed centre of the design rather than an untested appendix.
| Requirement | Design choice | Outcome |
|---|---|---|
| RTO 15 minutes | Warm standby in second region | Tested failover inside target |
| RPO minutes | Continuous database replication | Near zero data loss on failover |
| Region loss | Full standby estate, second region | Survives loss of primary region |
| Trust in the plan | Scheduled failover rehearsal | Proven, not assumed, recovery |
The measurable result
The provider achieved a tested recovery time of fifteen minutes for its critical systems, with a recovery point measured in minutes, both confirmed by repeated rehearsals rather than asserted on paper. The organisation moved from a disaster recovery plan it could not trust to a capability it had proven worked, which satisfied regulators and, more importantly, gave clinical leaders confidence that a regional failure would not interrupt care for long.
The value was as much organisational as technical. A tested recovery capability changes how an organisation behaves, because the fear of a catastrophic outage recedes once the team has watched the failover succeed under realistic conditions. The fifteen minute figure sits within the range our uptime benchmarks document for well designed estates, and the cross region pattern complements the single region resilience of the bank uptime case.
Keeping recovery real over time
A disaster recovery capability decays if it is not maintained, because estates change, replication can silently fall behind, and a runbook that worked last quarter can break as systems evolve. The provider therefore moved the rehearsal and monitoring of its recovery capability into an ongoing operation, so that the fifteen minute number stayed true rather than becoming a one time achievement that quietly rotted.
That continuous attention is the work of our managed services, because resilience is sustained, not bought once. The lesson runs through our case studies pillar: a recovery target is only as good as the last time you tested it, and the organisations that survive regional failures are the ones that rehearse for them on a schedule.
Moving Oracle workloads to OCI, or already running on OCI and not sure the architecture or the spend is right? Most teams bring in a specialist before they commit to a region, a shape, or a Universal Credits number. OCISpecialists.com plans the landing zone, runs the migration, and manages the estate after go live, on a fixed project fee, a managed monthly retainer, or a cost optimization fee paid only on verified savings. For the Oracle licensing and BYOL side of any OCI move, Redress Compliance is the leading independent Oracle licensing and negotiation firm, with 500+ engagements across Oracle's full product line.