4 Tips to Strengthen Hospital Data Recovery Plans for Natural Disasters

Although hospitals work to prepare for possible data and power threats from natural disasters, it can be hard to predict what arrangements will safeguard data the best. Many hospitals IT departments struggle with this as demonstrated in survey results from the Acronis Global Disaster Recovery Index 2012. According to the survey, 55 percent of technology practitioners from the healthcare sector reported low confidence in their ability to recover data following a disaster. Sadly, Hurricane Sandy and its impact on hospitals in New York City and the surrounding area further demonstrated this issue.

For instance, early Monday morning, New York City-based NYU Langone Medical Center's basement, lower floors and elevator shafts filled with 10 to 12 feet of water. The hospital also lost its power. While emergency generators kicked in, after about two hours, 90 percent of that power had drained. This prompted the hospital to evacuate 215 patients in the midst of Hurricane Sandy's surge. The event has triggered questions over what hospitals must do when disaster precautions and planning go askew. In addition, it is also causing industry professionals to think of best practices for power and data recovery plans.

Here, Bob Dupuis, practice director of infrastructure and security at Arcadia Solutions, a healthcare consulting company, offers four ways hospitals can their strengthen data recovery processes.

1. Validate third-party data recovery services. It is not enough to cover data recovery plans and services in a contract with third-party providers. It is increasingly important for hospitals to validate the plans and services of their vendors. "They need more validation of what the data recovery plans are. They need to make sure the DR plan is tested periodically and more than once every five years," says Mr. Dupuis. "Validating that the right processes are in place is important not only from a DR planning standpoint but also for information security."

In order to validate a third-party's data recovery, Mr. Dupuis recommends hospitals ask to see results from recent data recovery, business continuity and data restoration tests. "It is not good enough just to look at the plan. Ask to see how the vendor arrived at its data recovery plan and the test results that led them there," says Mr. Dupuis. He also recommends auditing the DR plan to test that controls work the way they are intended.

2. Backup data in a safe-place offsite. From a best practices perspective, backing up hospital data in a redundant site is key, says Mr. Dupuis. However, many hospitals do not choose a redundant site in a different geographical area, which is very important when a natural disaster threatens a hospital's power and data.

"It is not a great idea to have a data recovery site in the same geographical area. You do not want the backup that close. [In order to have geographical options], the hospital may need to consider multiple vendors. One that provides services at a primary site and one that provides a backup site. If one vendor has issues, the second may not and the hospital can access its data," says Mr. Dupuis.

3. If possible, prepare and practice with paper-based options. Hospitals with a cloud solution for data should have a paper-based back up process prepared at all times. According to Mr. Dupuis, if the hospital knows that a natural disaster could be on its way, such as a hurricane, it is a good idea to prepare to practice with paper for up to a week.

"Fewer organizations and staff know the paper based processes. It is important to be sure staff know the process and is prepared to work without access to key IT systems," says Mr. Dupuis.

4. Validate your backup power.
All hospitals will have backup battery power in the case of a power outage; however, constantly validating that power redundancy is critical. According to Mr. Dupuis, a smaller hospital should have battery backups and generators, and the hospital should test those backups to ensure that if power does go down, the hospital can transition without losing information.

"A larger organization should have battery backup for the short term, and for its long-term needs, it should have multiple generators. Those should be tested monthly to make sure the transition is seamless. The hospital should even test redundant generators," says Mr. Dupuis. "NYU Langone admitted that they had older equipment and older generators. This is why validating the back up is important. Older generators may have supported power needs five years ago, but can they meet power needs now? It is important to test."

Ultimately, hospitals need to prepare for a variety of risk scenarios. As Hurricane Sandy demonstrated, it is not always possible to predict how data and power supplies will be threatened. "Hospitals should review all possible disaster scenarios and make decisions based on that review. Perhaps the data center and critical equipment is 15 to 16 floors up, but the fuel source for the generators is closer to the ground. If flood waters compromise key power support systems (e.g., fuel and fuel pumps) then it doesn't matter that the data source is secure. Hospitals need to think through those scenarios," says Mr. Dupuis.  

More Articles on Data Recovery Plans:

5 Guidelines for Hospital Data Recovery Plans
Risk Assessments – What's the Big Deal? Your Responsibilities If You Adopt Electronic Health Records

© Copyright ASC COMMUNICATIONS 2019. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Top 40 Articles from the Past 6 Months