Disaster recovery planning may not be the first thing hospital IT managers think about when they wake up in the morning. But a CIO ignores disaster planning at his or her own peril. As recent events reminded the health care community, large-scale disasters can strike anywhere, and hospitals that have not developed effective plans for responding to these crises may face compliance issues and see their ability to deliver care greatly diminished.
When Hurricane Sandy struck the East Coast on October 29, many hospitals were affected. New York University Langone Medical Center had to shut down operations and send patients to nearby Mount Sinai Hospital due to a power outage and the failure of backup generators. New York City's Bellevue Hospital also experienced power failure and had to evacuate patients.
The problems weren't limited to hospitals in the Northeast. Children's of (Birmingham) Alabama experienced a temporary disruption of some of its information systems because its offsite data center, located in New Jersey, went down after the storm hit. The hospital did not experience any interruption in care, as it set in action its backup plan, which launched processes that compensated for the loss of the data center.
Health Insurance Portability and Accountability Act (HIPAA) regulations require organizations to maintain up-to-date disaster recovery plans that detail how the provider will protect and restore access to electronic information during and after unforeseen circumstances. But planning is more than just a compliance issue. IT professionals say that maintaining a clear and effective plan is key to an organization's ability to continue delivering quality care during and after an emergency.
What's at stake in disaster recovery planning?
AtlantiCare, an integrated care network in New Jersey that includes a large regional medical center and 70 other locations throughout the state, made it through Hurricane Sandy relatively unscathed, despite having offices located in some of the hardest-hit areas of the state. Two satellite locations lost data connections for about two days, but the network's largest centers remained operational throughout the storm.
Christopher Scanzera, AtlantiCare's vice president and CIO, said most of the work of making it through a disaster like Sandy is done well in advance of a storm. Having a solid plan in place allowed the network to monitor the situation to make sure recovery response was going smoothly, rather than having to react separately to each new problem that arose. Responses to disasters are typically more effective when hospitals have anticipated potential problems and run live drills to test staff's ability to respond and act on the plan.
"You don't want to be in a position where the first time you experience [the disaster recovery plan] you have to use it," Scanzera said. "You want to have it well-documented and planned out so that execution almost becomes second nature."
Where to start in disaster recovery planning
For organizations that are developing or updating their disaster recovery plan, prioritizing services should be one of the first steps. Ray Lucchesi, a disaster recovery specialist with Silverton Consulting, said some IT operations do not necessarily need to continue during an emergency. These may include marketing and social media efforts, human resource projects and possibly payroll operations, depending on the length of the disaster. Organizations should plan to put these IT services on the back burner to make sure that access to medical records and laboratory data can be maintained.
"Some of that needs to be maintained across a disaster and some [of it] potentially may not," Lucchesi said. "So the key is to identify some of the critical services that have to be there, regardless of what's going on with the information technology."
The best way to ensure access to critical data and services during a disaster is to duplicate them at an offsite data center. The more redundancies the better, Lucchesi said. Most hospitals already store some records and applications offsite, but not all replicate their entire information system because it can be a costly, time-consuming process. Lucchesi said the quality of an organization's data recovery plan comes down to how much it wants to invest in it.