Nav Ranajee is director of healthcare, CoreLink Data Centers. For more on CoreLink: www.rsleads.com/205ht-204
earthquakes or storms, creating power outages. More concerning in the new technological age are cyber threats. Sensitive data is a top target for hackers, and increased data availability is increasing incidents of attacks. Data vulnerabilities are increasing as the healthcare industry becomes more interconnected by sharing information amongst stakeholders utilizing technologies such as the Web, remote monitoring, telemedicine and health information exchanges (HIEs).
The consequences of lost data from a disaster are significant and may include:
• Risk of losing data required for patient care that can have life-or-death consequences.
• Losing credibility and reputation. A healthcare services or software company can be at great risk of losing hospital/physician clients.
• HIPAA penalties for non-compliance, which are greater now under HITECH.
• Financial losses from lost business and costly processes to recover data.
• Litigation costs can be significant if patients sue the healthcare provider or a hospital sues its service providers.
Amazingly, I have had conversations with hospitals in California that have their primary and back-up data centers onsite in the same location. To say this is a risk – especially considering they are in an earthquake zone – would be an understatement.
Disaster recovery planning
The primary function of a DRP is to rebuild the IT infrastructure in the event of a natural or manmade disaster. Disaster recovery is a subset of business continuity planning (BCP), which focuses on non-IT-related aspects such as key personnel, facilities and crisis communication, whereas the DRP focuses on the IT-related infrastructure recovery/continuity. DRP must be a collaborative effort between the business executives and IT team. HIPAA requires a risk assessment as a part of the DRP process; the assessment reviews the assets, threats and vulnerabilities of the organization.
A typical DRP process begins with a business impact analysis (BIA). The BIA is the foundation of any sound DRP, and it complements the risk assessment by utilizing the information generated during that process. The main difference between these analyses is that the HIPAA risk assessment focuses on data security and potential adverse events, while the BIA focuses directly on the operational impacts to the business. The BIA reviews what losses will be incurred if the system goes down. The importance of each downed application is ranked highest to lowest, along with the financial impact of each.
The first, and often most difficult, step in BIA is to identify which systems, applications and data are important to the operation, and prioritize them in descending order for recovery. This is especially challenging within a healthcare system that can have hundreds of applications running, including legacy systems, with little documentation and newer systems coming in through acquisition.
Two concepts that are essential to understand prior to undergoing a BIA are recovery point objective (RPO) and recovery time objective (RTO). RPO is the time within which business functions or application systems must be restored to acceptable levels of operational capacity. How long can you operate without that application? RTO is the maximum amount of time tolerable for data loss and capture. For example, if backups process at 6 p.m. every day and your system goes down at 7 p.m. then comes back up at 7 a.m. the next day, then are you okay with losing 12 hours of data (RPO=12)? An RPO/RTO analysis must be performed for each department and business unit.
Other common steps in a BIA are:
• Identify the minimal resources required to maintain business operations.
• Determine the business recovery objectives and assumptions.
• Establish order of priority for restoration of business functions.
• Estimate the operational, financial and reputational impact due to loss of data.
A healthcare provider must ask:
• What are the key patient care departments and impact on care?
• What are the IT applications that support these critical operations?
• How much downtime and loss of data can each department sustain?
• How is the data received and processed by each department?
The goal of the BIA is to determine what your gaps are for current recovery capability and what your strategy will be to meet your RTO/RPO objectives.
HEALTH MANAGEMENT TECHNOLOGY May 2012 23