● Roundup: Disaster Recovery

Nathan Thompson, CEO, Spectra Logic

You can count on disaster, so commit to a DR plan

DR has not been high on the list of healthcare IT priorities until pretty recently. Press from hospitals hit hard by natural disasters – Hurricane Sandy and some powerful tornados, to mention a few – remind healthcare executives how important DR planning is. Specifically, executives need to know how to recover if a catastrophe strikes a facility’s IT infrastructure.

Also driving the need for comprehensive DR planning is the increasingly integrated use of technology in medicine, perhaps best exemplified by EHRs. Technology is now tightly integrated with, and essential to, patient care. That means that any disruption in the technology has immediate and dramatic consequences.

The eventual goal of a healthcare DR plan is to have a back-up system ready to take over – in seconds, if not milliseconds. Typically, a redundant system should be located far from the primary data center – hundreds of miles away, if possible. For many facilities, a private cloud may best address requirements, especially given the importance of HIPAA-mandated patient information privacy. In this context, private cloud refers to a privately maintained, well-equipped data center.

Incremental steps toward such a goal include using contemporary digital tape (such as LTO, or linear tape-open) to store the enormous data archives used in healthcare: PACS, EHRs and large data sets, such as those for ophthalmology and pathology, with tape copies at both the primary and the cloud sites. Steps such as these support the ultimate goal of a fully redundant site.

Jarrett Potts, STORServer

The remedy to DR: It’s all about planning

A common theme in the world of data protection is DR. When it comes to protecting your data, it is important to understand that DR is all about planning. This issue is the same if you are a mom-and-pop shop, school district, multi-national bank or major healthcare provider. According to IBM, in 2011, of the companies that had a major loss of business data, 43 percent never reopened, 51 percent closed within two years and only 6 percent will survive long-term.

Data requirements for healthcare providers are well spelled out via government regulations; however, these regulations only provide a framework of how to treat the data. DR is 99 percent planning and 1 percent execution. If a healthcare provider, or any other business, is considering DR, forethought must be 20/20.

Let’s be honest. In a disaster, few people care about what happened to cause the data loss; they only care that the data is recovered quickly. The root of DR is that data is kept in a secondary site, and plans are made on how that data will be recovered so that the business can access it again. One item to note is that the data is not accessible during the disaster. It must first be recovered, and the speed at which the data is recovered is solely dependent on the planning, infrastructure and processes that are set forth and tested.

Recovery of data may well be the only issue that the bulk of IT managers and C-level officers have time to address. It’s a good start, but it’s not the whole story. You must understand the “what” and “how” in order to get your data back in operation. During that recovery planning, these same managers and officers will run into continuity questions. A quality recovery system (in terms of reliability, scope and scalability) greatly improves the chances of solving the continuity issues. The more feeble and antiquated your recovery planning, the more certain a corporate failure may ensue while trying to continue business as usual during a disaster.

Paul Luehr, managing director and chief privacy officer, Stroz Friedberg

Best practices for a healthcare data breach: What you don’t know will cost you

Hospitals and healthcare organizations should consider DR and data-protection measures that are both practical and cost effective. Security needs to be of the highest priority within the entire company, not just within IT. Good security often depends more on people than on machines, so sound governance, training and daily habits are often the best bulwark against disaster.

When protecting data from a natural disaster, precautions used for everyday prevention (e.g., saving backups, rolling to alternative locations) can serve as good roadmaps in most scenarios. If a hard drive has been compromised by nature or intentionally damaged, a computer forensics shop often can recover the data if the drive still spins. If the drive is no longer functioning at all, it may need to be submitted to a “clean room” where techs can harvest uncorrupted data manually.

The first 72 hours following a data breach are critical to the outcome. An immediate and flawless investigation is most important; one early misstep can destroy crucial evidence, delay an effective response and trigger government penalties or class-action lawsuits. There are three key steps to follow in the days after a breach:

1. Preserve data and digital evidence. Secure the premises and take an inventory of missing items. Do not investigate any machines without the help of digital forensic experts; any intervening by IT or business managers can alter or overwrite important dates or data points that are key to determining how a company was hit and when. Beyond servers and hard drives, save full log files and recent backups in order to preserve the best evidence possible for the breach investigation.

2. Identify the compromised data. Coordinate with IT, HR, legal and forensic experts to interview key custodians and analyze pertinent data. Determine what data was taken and how it was taken. Identify the consequential risks. If data is missing altogether, turn to the backups that you just saved in Step 1.

3. Communicate and track progress. Document your work at

10 May 2013 HEALTH MANAGEMENT TECHNOLOGY www.healthmgttech.com