Here, Bob Dupuis, practice director of infrastructure and security at Arcadia Solutions, a healthcare consulting company, offers four ways hospitals can strengthen their data recovery processes.
1. Validate third-party data recovery services. It is not enough to cover data recovery plans and services in a contract with third-party providers. It is increasingly important for hospitals to validate the plans and services of their vendors. "They need more validation of what the data recovery plans are. They need to make sure the DR plan is tested periodically and more than once every five years," says Mr. Dupuis. "Validating that the right processes are in place is important not only from a DR planning standpoint but also for information security."
In order to validate a third party's data recovery, Mr. Dupuis recommends hospitals ask to see results from recent data recovery, business continuity and data restoration tests. "It is not good enough just to look at the plan. Ask to see how the vendor arrived at its data recovery plan and the test results that led them there," says Mr. Dupuis. He also recommends auditing the DR plan to test that controls work the way they are intended.
2. Back up data in a safe place offsite. From a best practices perspective, backing up hospital data in a redundant site is key, says Mr. Dupuis. However, many hospitals do not choose a redundant site in a different geographical area, which is very important when a natural disaster threatens a hospital's power and data.
"It is not a great idea to have a data recovery site in the same geographical area. You do not want the backup that close. [In order to have geographical options], the hospital may need to consider multiple vendors. One that provides services at a primary site and one that provides a backup site. If one vendor has issues, the second may not and the hospital can access its data," says Mr. Dupuis.
3. If possible, prepare and practice with paper-based options. Hospitals with a cloud solution for data should have a paper-based backup process prepared at all times. According to Mr. Dupuis, if the hospital knows that a natural disaster could be on its way, such as a hurricane, it is a good idea to prepare to practice with paper for up to a week.
"Fewer organizations and staff know the paper-based processes. It is important to be sure staff know the process and are prepared to work without access to key IT systems," says Mr. Dupuis.
4. Validate your backup power. All hospitals will have backup battery power in the case of a power outage; however, constantly validating that power redundancy is critical. According to Mr. Dupuis, a smaller hospital should have battery backups and generators, and the hospital should test those backups to ensure that if power does go down, the hospital can transition without losing information.
"A larger organization should have battery backup for the short term, and for its long-term needs, it should have multiple generators. Those should be tested monthly to make sure the transition is seamless. The hospital should even test redundant generators," says Mr. Dupuis. "NYU Langone admitted that they had older equipment and older generators. This is why validating the backup is important. Older generators may have supported power needs five years ago, but can they meet power needs now? It is important to test."
Ultimately, hospitals need to prepare for a variety of risk scenarios. As Hurricane Sandy demonstrated, it is not always possible to predict how data and power supplies will be threatened. "Hospitals should review all possible disaster scenarios and make decisions based on that review. Perhaps the data center and critical equipment is 15 to 16 floors up, but the fuel source for the generators is closer to the ground. If flood waters compromise key power support systems (e.g., fuel and fuel pumps) then it doesn't matter that the data source is secure. Hospitals need to think through those scenarios," says Mr. Dupuis.