Best practices in healthcare disaster recovery planning
The push to adopt EHRs is creating new data management challenges for healthcare IT executives.
By Nav Ranajee
Disaster recovery (DR) has long been the last line item for healthcare IT budgets. Budget constraints have made it difficult to invest in redundant data centers with little return on investment or direct impact on patient care. We find many healthcare clients with DR plans that are either outdated, nonexistent or fail to provide a comprehensive solution that allows them to resume business processes and recover data in the event of a disaster.
Disaster recovery planning (DRP) is quickly moving up the priority list, however, as healthcare organizations migrate into paperless environments. Medical imaging and electronic health records (EHRs) are producing unprecedented amounts of data, creating complications in storage, recovery and security. To protect their business and their patients, healthcare IT executives must reassess current risks and gaps in their DRPs.
Why disaster recovery now?
The push to adopt EHRs is creating new data management challenges for healthcare IT executives. EHRs, as well as other new applications, are creating enormous amounts of data, which must be accessed in real time across disparate sites of care. Downtime is not an option, since the data could be critical to patient outcomes. Healthcare organizations will become increasingly reliant on electronic data over the next few years.
Another significant driver is the increased enforcement of Health Insurance Portability and Accountability Act (HIPAA) security requirements. Section 164.308 requires data backup, DR and emergency-mode operations planning. The DR specifications are brief and to the point, allowing flexibility in how the specific plans are implemented. Due to the lack of enforcement over the years, healthcare organizations have tended to put in place the most basic of DR protocols, but the Health Information Technology for Economic and Clinical Health (HITECH) Act plans on changing that. The HITECH Act of 2009 has raised the bar on HIPAA by increasing penalties, oversight, mandatory breach notifications and the extension of obligations to business associates. Business associates (and their subcontractors) should especially be aware of the new rules since they will be held to a higher standard than they are used to, and the risk of non-compliance is great.
22 May 2012
Meaningful use is also proving to be a driver for DR. As providers work to meet the compliance guidelines to capture the federal incentives for EHRs, they are finding that a few items relate to DR. One requirement states that in the event of a disaster, you must be able to effectively recover your electronic patient health information (ePHI) in your hospital information system (HIS). Another requirement is to provide patients with an electronic copy of their record upon request and also enable them to access and download their record online within four business days of it being available. You can imagine the consequences if a cyber attack or power outage brought the system down. A sound disaster recovery strategy is essential to achieving meaningful use.
Finally, the risk of data breaches and cyber attacks is on the rise. At last check, there were more than 400 data breaches reported on the Department of Health and Human Services website. A Ponemon Institute study estimates that data security breaches cost the U.S. healthcare industry about $6.5 billion a year, with data breaches rising 32 percent from 2010 to 2011. This can be attributed to the rise in technology adoption. Given that EHR adoption is still fairly low, significant growth in data breaches is expected over the next few years.
The changing healthcare landscape is creating a critical need for comprehensive DRP. The days of having a DR manual sitting on the shelf gathering dust just to meet compliance obligations are over.
What is a disaster?
DR is focused on the technology infrastructure, and a disaster is any event that can compromise the proper operation of an organization’s system, data and network. Disaster events can be large natural disasters, such as
HEALTH MANAGEMENT TECHNOLOGY www.healthmgttech.com