Toward the end of July, dozens of hospitals across the country lost access to crucial electronic medical records for close to five hours during a major computer outage. Human error caused the computer outage, which is just one of many potential disasters that can affect hospital data. Although no hospital or physician reported any harm to patients, the length of the outage and the delay of the backup system were alarming to those involved.
This incident makes recent findings from the Acronis Global Disaster Recovery Index 2012 particularly concerning. The survey was conducted by the Ponemon Institute in September and October 2011. Over 6,000 information technology practitioners were surveyed. Here are a few key findings of the survey.
• Fifty-five percent of respondents from the healthcare sector reported low confidence in their ability to recover data following a disaster.
• One third of healthcare sector respondents (33 percent) confessed they could not recover quickly following a disaster.
• Forty-two percent of healthcare sector respondents said they would suffer substantial downtime following a disaster.
• More than 34 percent of respondents admitted to spending nothing at all on backup and disaster recovery in 2011.
It is clear from the findings that healthcare organizations are not adequately preparing for data recovery and backup. According to Blaine Raddon, general manager for Acronis Americas, a software company that develops backup and disaster recovery products, instances like the recent computer outage usually push healthcare organizations to discuss their data storage and recovery plans. However, organizations should not be waiting until another hospital has a disaster to assess their data backup plan.
Here Mr. Raddon offers five guidelines healthcare organizations should follow to develop comprehensive data recovery and disaster plans. These plans should encompass any potential data loss issue, such as an administrator accidently deleting a critical file or a natural disaster.
1. Develop individual plans for departments. A hospital’s data recovery plan needs to be tailored to each department because the critical requirements of each department will vary. The data recovery plan cannot rest solely on the shoulders of the IT department. If each department includes business and patient data needs, the plan will be more comprehensive and effective.
“Think through the plan for each department level — what data is needed and what is the importance level? Some departments cannot have any downtime. They may need instant recovery because more than a couple minutes of downtime could mean life or death,” says Mr. Raddon.
2. Prepare for the best and the worst. Start with the worst case scenario to make sure the plan can handle a disaster situation, and work backward to develop a plan that covers the hospital for everyday user-driven problems.
“At the end of the day, the cases that are most often seen are human error and machine failure — things that are more predictable and user driven. Having the backup and recovery plan for when an administrator accidently deletes a file is just as important as a plan for when the hospital’s power supply is cut. Those may not be what people think of as a disaster that threatens patient data, but that is what occurs most often,” says Mr. Raddon.
3. Include personnel in the plan. According to Mr. Raddon, it is critical that personnel are included in the data recovery plan. This includes what everyone’s role in a data loss situation would be as well as backup for experts and administrators.
“If you have one IT person and he’s the only one who knows how to repair the hospital’s dataservers, what would happen if he was not available during a disaster? You have to include the people component in the plan to guarantee there are enough employees with the right training,” says Mr. Raddon.
4. Factor in downtime. A timeframe for downtime needs to be considered in the data recovery planning process so each department knows what it can live with.
“Some departments are dealing with life and death situations. Executives need to consider whether the hospital’s plan allows departments to return in a reasonable time frame. A two-hour recovery time frame for the intensive care unit may not cut it,” says Mr. Raddon.
5. Test the plan. Many hospitals believe their plan works but it’s never tested. That is a recipe for disaster, according to Mr. Raddon.
“A plan isn’t a plan if it isn’t tested, Hospitals should document their plan, frequently test it and run unannounced spot checks, which will show how the recovery may run in a true emergency,” says Mr. Raddon.
Written by Kathleen Roney