March 26, 2012
By David Yeager
For The Record
Vol. 24 No. 6 P. 20
In the event of data loss, business continuity and disaster recovery plans are indispensable ingredients of effective facility management.
Access to data is crucial for many businesses, but for healthcare institutions, an IT system failure can be particularly damaging. Although natural disasters grab most of the headlines, localized power outages are also a significant concern. Because care must be provided under almost any condition, minimizing disruptions to critical systems is essential. Having solid business continuity and disaster recovery plans in place can significantly reduce downtime and save an institution’s reputation.
Although people sometimes confuse business continuity with disaster recovery, the former is actually the overarching plan, while the latter is geared toward protecting the institution’s physical aspects, such as servers and equipment, that can be damaged by catastrophic events. Business continuity encompasses disaster recovery, but it’s focused on the broader goal of maintaining services with the least amount of interruption. For this reason, it should play a prominent role in any medical enterprise.
“When you are creating the business continuity plan, it’s not something that you just do in case of disaster,” says Julie A. Dooling, RHIT, director of professional practice for AHIMA. “It really is about protecting all of your assets, on and off site, whether they’re facility owned or [accessed through] a third-party vendor. And it’s an iterative process that needs a lot of attention.”
What Have You Got to Lose?
It’s wise to have a business continuity plan in place long before it’s needed because it eventually will be needed. The starting point for the process is a business impact analysis. Rob Drewniak, vice president of strategic and advisory services for Hayes Management Consulting, says facilities need to examine their business activities and determine how those activities could be affected by various types of problems, such as localized power outages, data breaches, and natural disasters, or any disruption to normal operations.
Once potential problems and possible causes are identified, the facility needs to develop step-by-step emergency response strategies for each. The strategies need to be specific regarding which types of outages require action, who’s responsible for implementing the strategies, and how an incident command center will be established if the problem reaches that scale. They should also include protocols to be followed during and after an event as well as detailed recovery procedures.
“You’ve got to have a solid plan called ‘Business Continuity’ and, under that, all the steps required from a technical perspective as well as an operational perspective need to be incorporated,” says Drewniak. “What is it that that facility is going to do while the system is not available and then how is it going to recover? How is the root cause going to be identified? How is that process going to be communicated?”
Drewniak says communication and testing of the plan are the keys to success. He recommends organizations institute awareness programs that explain to everyone, from board members to the rank and file, how to handle significant data interruptions. Every level of the organization needs to be involved, and the plan should be tested on a regular basis. He says it’s also important to cross-train people throughout the organization because they may need to fill more than one role in an emergency.
To ensure organizational awareness, Dooling says it’s vital for senior management to buy into and promote the plan. She says an effective approach is to designate a business continuity coordinator, someone who’s highly familiar with the plan. The coordinator then creates a charter and a plan and is allowed time within his or her other duties to oversee the plan. She adds that stakeholders from various departments need to be involved so that all of the facility’s functions are adequately accounted for. She recommends practicing the plan until it fails and then practicing again after the failures have been addressed.
Dooling says there are four aspects of a business continuity plan. The first is a contingency plan for downtime that covers short interruptions affecting a floor or a department but not the entire enterprise. The second is a disaster recovery plan for major disasters, such as tornadoes, earthquakes, or nuclear reactor meltdowns, geared toward recovering physical assets such as medical equipment and machines. The third is a data backup plan that spells out how the facility’s systems are backed up and how data are retrieved. Finally, there is an emergency mode operation plan that governs how a facility functions during a disaster situation and focuses on crisis management until the facility returns to its precrisis operational status.
Although disaster recovery is not the whole of business continuity, it is a crucial consideration. Drewniak says the business impact analysis should cover anything that could potentially interrupt a facility’s normal operations, including electrical problems, flooding, building maintenance, fire, riot, and any natural occurrences specific to the region where the facility is located. Even something such as a major snowfall, although not a disaster, can significantly disrupt operations.
Dooling recommends working with all of the facility’s business associates to determine how they will respond to a disaster. In the event of a disaster, the facility will likely need replacement equipment such as PCs, generators, and batteries to get up and running again. All necessary equipment should be evaluated, and contingency plans should be developed. It’s also important to make sure that retrieval and recovery processes, such as cleaning, freeze drying, and mold elimination, are included in the vendor contracts. Even cell phone service may be interrupted, so it’s important to know which employees’ phones are on which networks. This may allow workarounds to be established. Dooling says facilities should also find out how much and what type of data recovery is covered by their insurance.
In addition to physical considerations, it is important for organizations to take stock of their data and decide what is necessary for their business operations. Like any business, healthcare organizations need to protect financial, human resources, and facility/operational data and records, but they’re also responsible for patient files, which can be voluminous. Mark Emery, global director of consulting services for Recall, a records management provider, says healthcare organizations need to think about which files are truly necessary for their operations. Too often, essential records are obscured by nonessential ones, he says.
“Oftentimes what we see in the marketplace is just a [mindset for] blanket coverage of all the records and information [that a facility has], and they want to scan it all to a digital or electronic format. And what you want to do is take a step back from that,” says Emery. “In almost 60% of the failures we see in business continuity and disaster recovery, the clients can’t find the specific information that they’re looking for. They have it backed up, but they don’t know where it is.”
Emery recommends healthcare organizations carefully note their record types, and where and how records are stored. This is important not only for regulatory reasons but also because data migrations can be extremely expensive. Records that aren’t required for maintaining business operations or regulatory compliance should not be part of a business continuity plan.
Something Old, Something New
Disaster data recovery models have been in use for decades, mainly because they still work. Essentially, if a facility sustains extensive physical damage, off-site data storage is the surest way to protect its data. The nature and type of off-site storage, though, depends on the organization’s needs. Often, the limiting factors are time and cost.
“In today’s world, as we have migrated to more of an electronic environment, our systems have to be up 99.9999% of the time. So anytime that goes down, it affects the delivery of healthcare,” says Drewniak. “The biggest challenge with healthcare is its enormous amount of data. So when you look at it, it’s not so much just storing it, it’s transmitting it, it’s the infrastructure, it’s the network. So a lot has to be incorporated into the thought process, into the planning, to make sure that you do have a plan in place.”
Because time is such an important factor, some organizations opt for a hot site. In this model, the facility contracts with a vendor to maintain an identical data site in a different location, typically far from the main site. The data can be backed up in real time. In other words, a hot site is basically an exact replica of the facility site. While this option is very safe and allows operations to resume in seconds if the main data site is knocked out, it is very expensive.
A cold site is less expensive. It doesn’t run all the time, and backup tapes are transmitted daily. The biggest drawback with this option is that it can take four or five hours to resume operations.
Over the past few years, some vendors have begun offering cloud archiving. Rather than storing all the data in a single place, the information is spread over multiple servers, which has the potential to reduce storage costs, eliminate bottlenecks and, theoretically, provide instant access to necessary data. While this method may prove useful for recovering data after a disaster and for small-scale outages, there are questions about whether it can handle emergency mode operation functions for an entire facility.
R. L. “Skip” Kennedy, MSc, CIIP, technical director of imaging informatics for Kaiser Permanente medical centers in northern California, says this is an important concern, not only for maintaining operations during an emergency, but because the organization, not the vendor, is responsible for any data that may be lost as a result of an outage. He says healthcare organizations should proceed with caution when considering a backup cloud solution and should look very carefully at the service level agreements and the vendor’s infrastructure capability before making a decision. Although the solution may work quite well with a specified amount of data, a sudden increase in volume, such as a disaster situation, could be problematic.
“That’s a different use case. Now you’ve got a bunch of people doing hospital rounds because of a natural disaster with a great deal of trauma involved, and they’re all looking for portable X-ray images at the same time. Now you’ve got huge boluses [of data],” says Kennedy. “Can you call the vendor up and say, ‘I need you to dial in three more DS3 lines because now I need them. I don’t want to pay for them all the time, but I need them now because now I’ve got a crisis, and I’ll pay you for the additional service model agreement’? Do they have the infrastructure to actually ramp up that kind of access? Maybe. The big providers probably do. The smaller providers, who may be dealing with a cohosted environment themselves, they [most likely] don’t have that kind of control.”
Whichever backup method is chosen, the most important concern is to make sure that it fits seamlessly into the organization’s overall plan. Vendors can help by providing technical support and sharing best practices that they’ve learned from working with other clients. In addition, Dooling says healthcare organizations need to work with all their technology vendors, such as document management, EHR, and PACS vendors, to ensure the least amount of interruption throughout the enterprise. Many vendors will help facilities test their plans, and those plans should be tested at least once per year and possibly more frequently depending on the facility’s needs. She says facilities that aren’t partnering with their vendors to shape business continuity plans need to start now.
“We have a lot more of our systems being handled by vendors than ever before, and it is important to set expectations and make sure your contract includes the language for disaster recovery,” says Dooling. “We’re so used to having real-time access these days to our records that we need to take into consideration what [business continuity is] going to look like.”
— David Yeager is a freelance writer and editor based in Royersford, Pennsylvania.
Into The Breach
Although a data breach isn’t the same as a flood or a fire, it can be a disaster. Healthcare organizations are in a particularly delicate position when it comes to breaches because, in addition to financial records, they also maintain patients’ medical records. With HIPAA regulations to contend with and potential damage to an organization’s reputation looming, organizations need to address data breaches in a business continuity plan.
For this reason, it’s important for organizations to have a breach notification plan in place. The Breach Notification Letter was called for in the ARRA and issued by Health and Human Services. The final rule, “Breach Notification for Unsecured Protected Health Information,” is parts 160 and 164 of Title 45 of the Code of Federal Regulations. As part of the plan, says Julie A. Dooling, RHIT, director of professional practice for AHIMA, notification should be given to the Office of Civil Rights, The Joint Commission, and other accrediting agencies, as well as business partners.
“In a natural disaster, you’re trying to recover and get to a place where you can get your business back up and running and operational,” says Mark Emery, global director of consulting services for Recall. “When you get into something like a breach, normally that’s an opportunity where there’s information that’s been breached or been discovered, where you’re more in a protection mode of trying to protect what you think was breached or what or who was violated in that breach.”
Because a breach may not be immediately detected, it’s important for the organization to first determine its extent. Emery says the key considerations are to find out what was violated, such as patient files or business files; determine what type of damage was potentially done, such as whether information was deleted, corrupted, or extracted from the system; initiate a recovery process; protect the organization’s reputation; and protect the reputation of others who may be affected by the breach. Most importantly, the organization needs to communicate the plan to its employees, all members of the organization need to understand what to do if a breach occurs, and everyone needs to stick to the plan.