In a recent blog post, ONC officials emphasized the importance of planning when it comes to HIT backup and disaster recovery.
“Unfortunately, the reality that an organization’s health IT systems will become unavailable or compromised is a matter of when, not if,” explained blog post authors Andrew Gettinger, M.D., and Justin Cross, M.D.
“In some cases this may be due to natural disasters that extend the loss of electrical power, or massive flooding that takes essential servers offline. In other cases the downtime may be due to a bad actor such as a malicious attack. Sometimes it’s simply a hardware failure that causes a chain reaction of failures. Regardless of the reason, the needs of patient care must continue.”
The increasing dependence patients and clinicians have on digital tools makes data backup and the fast recovery of health systems critical to patient safety and the ability of clinicians to treat patients effectively. Backing up data and achieving fast recovery times also impact hospitals as businesses.
Developing a plan is vital for organizations purchasing new recovery solutions or updating legacy solutions.
“Where backup and recovery is particularly stark is when being down directly impacts the business,” Zetta CEO Mike Grossman told HITInfrastructure.com.
“It’s a significant issue in the context of healthcare where people’s lives are involved. The real issue is, what happens when something goes wrong, what do you do to recover the data, and how quickly can you be up and running again?”
Many organizations opt for a phased approach with their backup and recovery systems, starting with data backup before moving to data recovery.
Organizations benefit greatly from keeping a copy of their data beyond the physical confines of their own facility.
The general rule for backing up data is to have at least three different copies of the backup stored on two different types of media with at least one of the backups held offsite. This makes cloud backup a popular option. Organizations storing their backed-up data in the cloud can cut costs because they aren’t investing in hardware and maintenance. Backing up data to the cloud also protects it from natural disasters or events that physically affect the organization.
In addition to planning, the most important step organizations need to carry out regularly for data backup and recovery is testing.
“The most important thing that an organization can do to mitigate the potential impact to patient care and normal workflows is to practice what to do if such an event occurs,” said the blog post. “Drills, preparedness exercises, and training that focus on how the organization will continue to provide patient care during health IT downtime (likely using electronic or paper-based backup workflows) should be practiced. The organization should also drill how to resume normal health IT-based operations once the downtime passes, and how to integrate all data orders generated during the downtime.”
Testing data recovery solutions regularly will not only ensure that data and applications can be recovered with almost no latency but will also give IT staff the confidence to switch over to the recovered environment at the first sign of a problem.
However, simply testing the recovery solutions from behind the scenes can still leave gaps, leading to incomplete tools and information.
“Healthcare IT departments have to manage 30 to 40 departments including radiology PACS, and MRI systems among others,” Webair CTO Sagi Brody explained to HITInfrastructure.com. “They aren’t exactly the best source to tell if things are working properly at the recovery site because they’re not the ones who use the apps and tools every day.”
End-users should be involved in the data recovery testing process. Organizations can seek solutions that allow app users to test their own apps. The IT department can put users on a schedule to test their recovery apps once a month and report any inconsistencies or errors.
The blog post suggests that healthcare organizations use tools and resources made available by the ONC and OCR to ensure that backup and recovery solutions are HIPAA-compliant. The agencies created the HIPAA security risk assessment tool, a series of questions organizations can ask themselves to assess how prepared they are for an event that causes data access downtime.
“It is critical that healthcare facilities and institutions have a system downtime plan and a backup and recovery plan for their health IT systems,” the blog authors concluded. “Healthcare facilities must regularly practice operations in a simulated downtime environment to be ready when a situation occurs.”
“While it is likely that an organization will face one or a combination of the challenges described, planning, communication, and adequate practice and training can lessen the impact and allow the organization to continue its mission of providing care for those that need it.”