Posted by: Jenny Laurello
CIO, Disaster preparedness, Disaster recovery, IT planning
Guest post by: Christina Beach Thielst, FACHE
Today’s information infrastructures run some of the most critical elements of business and clinical operations in health care organizations. Communication and information technology components can be critical to the continuation of essential services, such as:
- Providing emergency, trauma, obstetrical, newborn and other inpatient and outpatient care
- Prioritizing and triaging higher acuity patients and emergency cases and coordinating services and transfers to other settings
- Creating and maintaining the integrity of health information documentation (electronic or paper based), including birth and death registration
- Ensuring the safety and well-being of patients during emergency situations, response and recovery
Health care organizations, especially hospitals, have an obligation to maintain essential services and to have plans in place related to preparedness, response and recovery during times of emergency and disaster. As we become more and more dependent upon information technologies, there is an increasing need to address the continuity of operations and disaster planning activities in the IT department.
One recent lawsuit that accused the hospital of failing to adequately prepare for such a catastrophe (Hurricane Katrina) highlights this challenge. Many observers believe that the large settlement in this case raises the legal standard by which hospitals and other health care entities may be judged and increases the risk of being sued over emergency preparedness – not being prepared for nearly every contingency.
With all of the other competing priorities, it might be easy to overlook or fail to recognize the risk. However, it is important that health care leaders approach preparation, response and recovery and go beyond the presence of redundant systems, their current disaster recovery plans and responding to periodic power outages. They should be prepared to minimize the risks and mitigate against the potential impact on patient safety when disruption to the normal routine of business and clinical workflow occurs during a system’s unavailability.
So where should a CIO or IT department start? The first step is to reach out to the emergency preparedness coordinator in your organization and discuss communications and involvement of users and other stakeholders in the planning process. Together, review your organization’s hazard vulnerability analysis and identify those scenarios of greatest risk.
Consider different impacts upon IT and communication systems and the organization’s potential ability to retrieve records and communicate. For example, earthquakes, tornados and hurricanes could present issues related to power outages, damage to equipment or the physical plant. This may require the need for restoring service, establishing alternate work sites, moving or replacing equipment, etc. In a pandemic, leaders should expect progressive increases in staff absenteeism over several weeks or months and the need to accommodate distancing measures between individuals. This type of scenario will present the need for cross-training, just-in-time training and alternate work schedules or work sites, such as the home.
Planning activities should also include the following:
1. Create an inventory of information and communication technologies and identify the essential services for your hospital or healthcare organization.
- a. Prepare a spreadsheet for the files, records and databases that are vital to each essential service and delineate the functions supported, form of the record, location, current maintenance/backup policies and procedures, current protection methods, restoration agency or vendor and restoration services provided.
- b. For each essential function identify the IT system that supports it along with the name of the vendor/maintenance support firm (including in-house), the contracted minimum response time for external vendors, the presence of restoration and recovery procedures and contact information.
2. Prioritize the systems and records for their order of recovery considering who will be impacted and the severity of risk. Make assignments to one of the following three tiers.
Mission Critical status requires an immediate effort to restoration – a catastrophic breakdown in response ability which could result in major loss of life, property and system trust breakdown.
Important indicates a severe decrease in the ability to respond to emergency needs and the possibility of excessive loss of life or property associated.
Minor indicates that full capabilities could be apparent to the public with modifications to the systems and its architecture or software.
3. Identify the location of an alternate facility and consider power, equipment, supplies and vehicles that could be needed to maintain essential functions. Create a list of these anticipated needs along with vendor/firm contact information. Also consider:
- a. Pre-emergency procurement processes/contracts
- b. mutual aid agreements with similar organizations inside and outside of the area
- c. Securing critical infrastructure priority status in the restoration plans of telephone and wireless providers
- d. Developing a relationship with critical contacts to establish procedures and identify emergency contact information for each agency before an emergency arises.
4. Anticipate responses to the different types of scenarios and create an impact assessment that includes the identification of alternative solutions and back-up restoration arrangements. Participate in training exercises and include cross training activities.
5. Plan for post incident analysis, preparation of after action reports and the updating of emergency manage plans in the recovery period.
Effective leaders will ensure that their IT staff is managing risks related to disasters and other emergency events. They know what information and systems are mission critical and support their organization’s essential services and functions. Effective IT leaders also recognize the importance of their roles in today’s health care delivery and can readily articulate the engagement of customers in the planning and preparations for any emergency situation that could arise.