The vital importance of developing a disaster recovery plan – and testing it regularly.
Not that long ago, to prepare for an IT disaster (either manmade or natural), hospitals and other healthcare facilities cared only about having some sort of back-up system in place. They still kept patient information on paper charts along with medicine prescriptions should their IT system collapse.
Then the concept of “disaster recovery” emerged. Hospitals became more sophisticated, relying on computerized storage. Today, it’s the high availability of IT that matters, not disaster recovery. The new motto is: “Let’s make sure we don’t have to recover.”
Health information is duplicated so that it can flow to the back-up facility without missing a beat should adversity strike. Yet the reliability of this real-time system must keep improving to ensure the facility never has to truly recover. That’s where today’s challenges lie.
Healthcare facilities must shut down operations if the emergency disaster recovery system fails. That’s because liability issues arise if doctors can’t see a patient’s history or prescription. During Hurricane Sandy and recent tornadoes, physicians simply couldn’t practice because verifications of patient medical procedures or prescriptions weren’t available.
So what’s a healthcare facility to do?
Healthcare facilities must ensure they back up their critical data and regulated information to develop “fail-safe” redundancy. Even more critical, they must test their IT systems regularly. If they don’t, they could face hefty HIPAA fines in certain situations.
In testing its IT information system, a healthcare facility should start by using the worst-case scenario. In a disaster, it’s the worst-case situations that usually arise. It then becomes all about the IT interface, how the facility connects back to the data center and how it deals with the array of issues that may prove hazardous.
What exactly does planning involve?
Planning is an iterative process. The four most common disaster recovery scenarios involve the loss of the healthcare facility, IT or tech services, personnel and/or third-party vendors or partners. IT system security also must be evaluated to gauge vulnerability to cyber attacks or physical intrusions.
The initial approach invariably involves a tabletop exercise where everyone involved in the testing process role-plays what they would do in particular situations. They then write out their disaster recovery plans on paper and deal with the deficiencies they discover.
They then move to more sophisticated interchanges. The test facilitators might take certain technology away, such as the phone system or a specific computer interface. Employees work through these imaginary scenarios and then gradually move to conduct an exercise closer to real-life situations. They may role-play on disaster recovery equipment or do it live in the facility itself.
Most health facilities possess a live IT system and a test system. The test system should be vetted, since testing exercises are conducted using it. The mission: Ensure all participants, and those who interact with them, know what they’re doing. An independent third party should observe the exercise to comment on who understands their roles and who doesn’t. But the testing program is only as good as the level of participation.
What the best IT back-up systems have in common
The best IT back-up systems often have several features in common. They place the IT back-up system in another geographical area. This can prove difficult because HIPAA laws discourage placing systems out of state. But it’s still possible, especially if a state is large geographically.
Facilities also are employing the cloud more for backing up their email and other systems. Larger hospitals are using two giant storage networks. Rather than backing up information nightly, they shoot data to the back-up system all the time so recovery is much quicker if a problem develops.
Experts recommend that IT systems be tested quarterly. If facilities schedule a full-scale switchover test of the back-up system, they typically will do that once a year.
In today’s uncertain environment, testing proves critical.
About the author
Lee Fleming is a senior manager at SunGard Availability Services. Learn more about SunGard at www.sungardas.com.