Disaster recovery data center options

After you have completed your BIA, the next step is to determine what type of facility is required. The three options are hot, warm and cold facilities. The difference lies in the recovery time and the cost.

• Hot site: Ideal for the most critical applications, a hot site is a fully equipped data center with servers that can be online within hours. This is the most-expensive option.
• Warm site: Providing basic infrastructure but requiring some lead time to prep servers, a warm site is a less-expensive option, but could take up to a week to bring online.
• Cold site: A cold site is a powered and secure location on standby with no equipment or data. Equipment must be brought in and configured, which can take up to a month to be operational.
What option your organization chooses will be dependent upon the critical nature of the application and the cost/benefit. The right strategy will differ depending upon the system. Historically, hospitals have preferred to build their own back-up data centers at great cost to maintain control and compliance. However, as data storage needs grow out of the capacity of existing hospital data centers, they must consider outsourcing this function to third-party data centers. There are advantages to third-party data centers, which include cost savings, advanced physical security and compliance.

Healthcare executives should consider the following as they evaluate data center hosting companies:

• HIPAA security compliance: Of course you must ensure that the data center is compliant with the HIPAA security requirements. There are other standard audits that go beyond HIPAA and require even more controls. The SSAE 16 (Statements on Standards for Attestation Engagements No. 16) audit ensures the proper controls are in place for physical and environmental security. Another standard audit that reviews security controls is the Payment Card Industry Data Security Standard (PCI DSS). The standard was created to increase controls around cardholder data to reduce credit card fraud. Since most healthcare providers take credit card payments from patients, this is a very relevant audit that requires 12 control objectives for the securing of data. The combination of these audits will satisfy your HIPAA security compliance needs.
• HIPAA-trained personnel: All operations personnel should undergo periodic training on the security and protection of ePHI.
• Physical security systems: The data center should provide multiple layers of physical security such as biometrics, mantraps, video monitoring, 24/7 security, cages and private suites. Security is the number-one value proposition of data centers.
• Strict access protocols: Access authorization procedures are a requirement under HIPAA. The data center must have stringent procedures for data server access.
• Uptime and redundancy: Choose a data center with a high level of redundant components, back-up generators and strong network connectivity.
• Location in low-risk areas: To minimize risk, the data center should be located in areas where there is low likelihood of natural disasters. Avoid data centers in earthquake zones or tornado-heavy areas, for example.
• Flexibility: Since your data needs can change, you will require a data center that provides flexibility in bandwidth, space, cooling and power. This can be important if you are planning on bringing on new applications in the future.

Regulatory, technological and environmental factors are raising the importance of a comprehensive DR strategy. Healthcare IT executives must ensure that they have identified their critical systems and have plans in place to recover if hit with a natural disaster or a cyber attack. The consequences and risks are too great to ignore.

24 May 2012 HEALTH MANAGEMENT TECHNOLOGY