Best practices in healthcare disaster recovery planning
By Nav Ranajee, May 2012
The push to adopt EHRs is creating new data management challenges for healthcare IT executives.
Disaster recovery (DR) has long been the last line item for healthcare IT budgets. Budget constraints have made it difficult to invest in redundant data centers with little return on investment or direct impact on patient care. We find many healthcare clients with DR plans that are either outdated, nonexistent or fail to provide a comprehensive solution that allows them to resume business processes and recover data in the event of a disaster.
Disaster recovery planning (DRP) is quickly moving up the priority list, however, as healthcare organizations migrate into paperless environments. Medical imaging and electronic health records (EHRs) are producing unprecedented amounts of data, creating complications in storage, recovery and security. To protect their business and their patients, healthcare IT executives must reassess current risks and gaps in their DRPs.
Why disaster recovery now?
The push to adopt EHRs is creating new data management challenges for healthcare IT executives. EHRs, as well as other new applications, are creating enormous amounts of data, which must be accessed in real time across disparate sites of care. Downtime is not an option, since the data could be critical to patient outcomes. Healthcare organizations will become increasingly reliant on electronic data over the next few years.
Another significant driver is the increased enforcement of Health Insurance Portability and Accountability Act (HIPAA) security requirements. Section 164.308 requires data backup, DR and emergency-mode operations planning. The DR specifications are brief and to the point, allowing flexibility in how the specific plans are implemented. Due to the lack of enforcement over the years, healthcare organizations have tended to put in place the most basic of DR protocols, but the Health Information Technology for Economic and Clinical Health (HITECH) act plans on changing that. The HITECH Act of 2009 has raised the bar on HIPAA by increasing penalties, oversight, mandatory breach notifications and the extension of obligations to business associates. Business associates (and their subcontractors) should especially be aware of the new rules since they will be held to a higher standard than they are used to, and the risk of non-compliance is great.
Meaningful use is also proving to be a driver for DR. As providers work to meet the compliance guidelines to capture the federal incentives for EHRs, they are finding that a few items relate to DR. One requirement states that in the event of a disaster, you must be able to effectively recover your electronic patient health information (ePHI) in your hospital information system (HIS). Another requirement is to provide patients with an electronic copy of their record upon request and also enable them to access and download their record online within four business days of it being available. You can imagine the consequences if a cyber attack or power outage brought the system down. A sound disaster recovery strategy is essential to achieving meaningful use.
Finally, the risk of data breaches and cyber attacks is on the rise. At last check, there were more than 400 data breaches reported on the Department of Health and Human Services website. A Ponemon Institute study estimates that data security breaches cost the U.S. healthcare industry about $6.5 billion a year, with data breaches rising 32 percent from 2010 to 2011. This can be attributed to the rise in technology adoption. Given that EHR adoption is still fairly low, it is expected in the next few years to see a significant growth in data breaches.
The changing healthcare landscape is creating a critical need for comprehensive DRP. The days of having a DR manual sitting on the shelf gathering dust just to meet compliance obligations are over.
What is a disaster?
DR is focused on the technology infrastructure, and a disaster is any event that can compromise the proper operation of an organization’s system, data and network.
Disaster events can be large natural disasters, such as earthquakes or storms, creating power outages. More concerning in the new technological age are cyber threats. Sensitive data is a top target for hackers, and increased data availability is increasing incidents of attacks. Data vulnerabilities are increasing as the healthcare industry becomes more interconnected by sharing information amongst stakeholders utilizing technologies such as the Web, remote monitoring, telemedicine and health information exchanges (HIEs).
The consequences of lost data from a disaster are significant and may include:
- Risk of losing data required for patient care that can have life-or-death consequences.
- Losing credibility and reputation. A healthcare services or software company can be at great risk of losing hospital/physician clients.
- HIPAA penalties for non-compliance, which are greater now under HITECH.
- Financial losses from lost business and costly processes to recover data.
- Litigation costs can be significant if patients sue the healthcare provider or a hospital sues its service providers.
Amazingly, I have had conversations with hospitals in California that have their primary and back-up data centers onsite in the same location. To say this is a risk – especially considering they are in an earthquake zone – would be an understatement.
Disaster recovery planning
The primary function of a DRP is to rebuild the IT infrastructure in the event of a natural or manmade disaster. Disaster recovery is a subset of business continuity planning (BCP), which focuses on non-IT-related aspects such as key personnel, facilities and crisis communication, whereas the DRP focuses on the IT-related infrastructure recovery/continuity. DRP must be a collaborative effort between the business executives and IT team.
HIPAA requires a risk assessment as a part of the DRP process and reviews the assets, threats and vulnerabilities of the organization. A typical DRP process begins with a business impact analysis (BIA). The BIA is the foundation of any sound DRP, and it complements the risk assessment by utilizing the information generated during that process. The main difference between these analyses is that the HIPAA risk assessment focuses on data security and potential adverse events, while the BIA focuses directly on the operational impacts to the business. The BIA reviews what losses will be incurred if the system goes down. The importance of each downed application is ranked highest to lowest, along with the financial impact of each.
The first, and often most difficult, step in BIA is to identify which systems, applications and data are important to the operation, and prioritize them in descending order for recovery. This is especially challenging within a healthcare system that can have hundreds of applications running, including legacy systems, with little documentation and newer systems coming in through acquisition.
Two concepts that are essential to understand prior to undergoing a BIA are recovery point objective (RPO) and recovery time objective (RTO). RPO is the time within which business functions or application systems must be restored to acceptable levels of operational capacity. How long can you operate without that application? RTO is the maximum amount of time tolerable for data loss and capture. For example, if backups process at 6 p.m. every day and your system goes down at 7 p.m. then comes back up at 7 a.m. the next day, then are you okay with losing 12 hours of data (RPO=12)? An RPO/RTO analysis must be performed for each department and business unit.
Other common steps in a BIA are:
- Identify the minimal resources required to maintain business operations.
- Determine the business recovery objectives and assumptions.
- Establish order of priority for restoration of business functions.
- Estimate the operational, financial and reputational impact due to loss of data.
A healthcare provider must ask:
- What are the key patient care departments and impact on care?
- What are the IT applications that support these critical operations?
- How much downtime and loss of data can each department sustain?
- How is the data received and processed by each department?
The goal of the BIA is to determine what your gaps are for current recovery capability and what your strategy will be to meet your RTO/RPO objectives.
Disaster recovery data center options
After you have completed your BIA, the next step is to determine what type of facility is required. The three options are hot, warm and cold facilities. The difference lies in the recovery time and the cost.
- Hot site: Ideal for the most critical applications, a hot site is a fully equipped data center with servers that can be online within hours. This is the most-expensive option.
- Warm site: Providing basic infrastructure but requiring some lead time to prep servers, a warm site is a less-expensive option, but could take up to a week to bring online.
- Cold site: Powered and secure location on standby with no equipment or data, cold-site equipment must be brought in and configured, which can take up to a month to be operational.
Historically, hospitals have preferred to build their own back-up data centers at great cost to maintain control and compliance. However, as data storage needs grow out of the capacity of existing hospital data centers, they must consider outsourcing this function to third-party data centers.
What option your organization chooses will be dependent upon the critical nature of the application and the cost/benefit. The right strategy will differ depending upon the system. Historically, hospitals have preferred to build their own back-up data centers at great cost to maintain control and compliance. However, as data storage needs grow out of the capacity of existing hospital data centers, they must consider outsourcing this function to third-party data centers. There are advantages to third-party data centers, which include cost savings, advanced physical security and compliance.
Healthcare executives should consider the following as they evaluate data center hosting companies:
- HIPAA security compliance: Of course you must ensure that the data center is compliant to the HIPAA security requirements. There are other standard audits that go beyond HIPAA and require even more controls. The SSAE 16 (Statements on Standards for Attestation Engagements No. 16) audit ensures the proper controls are in place for physical and environmental security. Another standard audit that reviews security controls is the Payment Card Industry Data Security Standard (PCI DSS). The standard was created to increase controls around cardholder data to reduce credit card fraud. Since most healthcare providers take credit card payments from patients, this is a very relevant audit that requires 12 control objectives for the securing of data. The combination of these audits will satisfy your HIPAA security compliance needs.
- HIPAA-trained personnel: All operations personnel should undergo periodic training on the security and protection of ePHI.
- Physical security systems: The data center should provide multiple layers of physical security such as biometrics, mantraps, video monitoring, 24/7 security, cages and private suites. Security is the number-one value proposition of data centers.
- Strict access protocols: Access authorization procedures are a requirement under HIPAA. The data center must have stringent procedures for data server access.
- Uptime and redundancy: Choose a data center with a high level of redundant components, back-up generators and strong network connectivity.
- Location in low-risk areas: To minimize risk, the data center should be located in areas where there is low likelihood of natural disasters. Avoid data centers in earthquake zones or tornado-heavy areas, for example.
- Flexibility: Since your data needs can change, you will require a data center that provides flexibility in bandwidth, space, cooling and power. This can be important if you are planning on bringing on new applications in the future.
Regulatory, technological and environmental factors are raising the importance of a comprehensive DR strategy. Healthcare IT executives must ensure that they have identified their critical systems and have plans in place to recover if hit with a natural disaster or a cyber attack. The consequences and risks are too great to ignore.
About the author:
Nav Ranajee is director of healthcare, CoreLink Data Centers. For more on CoreLink, click here.