With almost complete reliance now on digitally-accessed data, healthcare entities can’t run even a few hours without access to the software and the networks that keep patient data flowing. That alone makes IT disaster recovery (DR) plans imperative.
Weather-related calamities, like tornadoes and floods, only make up one type of disaster that can affect IT components. Anything that interrupts or loses data counts as a disaster, including spilled coffee, a server burning out, or simple human error. “We knew of one practice where an IT administrator was moving a database to another server. She didn’t realize in the move, she was actually deleting the information,” says Brian Walker, CEO of InCare Technologies.
“I knew one business where a car crashed through the wall into the server room and wiped out their IT,” says Ryan McGinty, president and CEO of Oceris, makers of FlexMedical.
Though complete IT disasters may be rare, DR plans should also cover the loss of portions of data as well, which happens more frequently than practices may appreciate. “So far this year, out of our 70 to 80 clients, we have had two different incidents with complete hardware failure,” Walker says. “But incidents for recovery of accidently deleted files, probably five to ten times a day.”
In formulating a disaster recovery plan, McGinty says to look at satisfying two components. “What do you need to do to be compliant with regulations, and what’s best for your business,” he says.
“The most important question answered by a good DR plan is who to call when they lose access to their system,” McGinty says. “On recoveries I’ve worked, the practices have had the hardware in place for backups, but when they call the IT company who sold it to them, they find that maintaining the backups was not part of the service they bought.”
That’s the biggest error made by healthcare businesses in buying DR plans. “They choose the plan and think they’re done,” McGinty says. “But a recovery plan is part of your day-to-day business and needs attention. Somebody has to be sure, every day, that those backups are running, and if you’re not going to do it, pay someone to.”
DR plans should also document the details of the entire IT set up, including all the software installed, the keys for reloading it, and who has access to what data. “I can hand back the data, but if I don’t know who should have privileges, I would be opening up possibly sensitive information to the wrong employees,” Walker says.
Another common error in devising DR plans lies in the location of the backup data. “You can’t have an employee taking home a disk every night,” Walker says, even if HIPAA allowed it. “If it’s not stored off-site in a data center or the cloud, what good will it be if a physical disaster destroys the building?”.
The cost for DR plans generally depends on the amount of data being handled and how much downtime the business wants to endure. Prices can run from hundreds of dollars to set up simple, self-maintained storage to $5,000 or more per month. The higher prices can include automatic, real-time backups at off-site locations that mirror what the primary servers are doing. Then if a primary server shuts done, those backups seamlessly step in with up-to-the-minute data.
“But Health and Human Services doesn’t care if your business is backed up or not after a disaster, as long as patients can get their data,” Dorsey says. “So you can spend a lot of money on a plan if your objective is to be up and running as fast as possible. But if the objective is just to get your patient records accessible, it’s not that expensive.”
Dorsey warns that practices can too easily be scared into spending needless money on their DR plans. “Use some common sense when looking at your options. Ask what you really need that capability for in an office of your size,” he says. “Because DR plans are a personal preference. Some practices can’t be down for two hours, where others are okay being down for two weeks.”
Recovery plans, hold no value, though, unless they’re constantly ready for implementation, stresses McGinty. “Make sure it actually works. Disaster recovery plans are ongoing. So if you don’t check your backups daily — or at worst, weekly — to make sure all the pieces are working correctly, your plan is worthless.”