Backups are important. However, when things really go wrong, they alone are not enough. “Disaster” may sound overly dramatic, but, in fact, catastrophic data losses are not rare. Depending on where you live, floods, tornados, hurricanes or earthquakes are a fact of life. Of course, man-made misery (e.g., viruses, tampering, sabotage) accounts for its share of troubles, too. Backups are enough when the only victim is information, but what if computer equipment and offices are affected? Being prepared for the times when everything goes wrong is what disaster recovery and business continuity planning are all about.
Disaster recovery and business continuity planning are not just good business practices; they are also a requirement for HIPAA. The HIPPA Security Rule section 164.308(a)(7) lists contingency planning as an administrative safeguard with five implementation specifications. For those who find reading legalese mind-numbing, the CMS Document, Security Standards: Administrative Safeguards, provides a more approachable discussion of this topic. The following text appears on page 19 under the heading of “Contingency Plan”:
The purpose of contingency planning is to establish strategies for recovering access to EPHI should the organization experience an emergency or other occurrence, such as a power outage and/or disruption of critical business operations. The goal is to ensure that organizations have their EPHI available when it is needed.
The Contingency Plan standard requires that covered entities:
“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”
Three implementation specifications are required for all covered entities: data backup plan, disaster recovery plan, and emergency mode operation plan.
Data Backup Plan
Backing up data is a no-brainer. The problem is figuring out the optimal means for a particular situation. Even in a typical small practice of three or fewer clinicians, there are a variety of options to consider. First, there is the matter of how often to do backups. The obvious answer of once each evening only seems like a good idea until something happens to your server at 5:00 pm and the most recent backup is from the previous day. How many patient records would be affected in your practice’s EHR if an entire day’s transactions were to be lost?
Backup storage should be considered carefully. Storing backups in the same place as the server is obviously a bad idea– as are car trunks, desk drawers, and the den. When it comes to data protection, I am paranoid by nature and prefer real-time offsite backup options. Real-time backups replicate data to an offsite server (ideally to someplace with weather different from its originating location). Obviously, these options are more expensive than a local, daily backup, but it is safer for critical information.
Disaster recovery plan
Backups are reasonable and workable solutions for protecting information. However, there isn’t much one can do with data alone. The infrastructure to utilize the data must be in place as well. If a server is destroyed or damaged, having a copy of your data alone will not get things back to normal. A new server and copies of the applications that use the data are also required. This means buying and configuring a new server, which may take days depending on your support contract. A damaged sever with version 3.0 of an EHR product that is now at version 6.0, may require a software upgrade along with replacement of the server. Being sure that one can recover from a disaster requires plans for restoring everything — applications, hardware, workspace, and data.
Emergency operations and business continuity
Fires and natural disasters may damage your place of business as well as computing resources. Emergency operations/business continuity may require anything from new computing resources to power generators, new furnishings, or even a new business location. Replacing a server is a major headache; restoring every computing device in a practice is a nightmare. The key issue in these situations is time. Planning is the key to recovering as quickly as possible.
Review your service contracts and insurance policies–the fine print matters! How specific are the terms for replacing damaged computers and software? How many companies must be coordinated in order to return your technical infrastructure to normal? What process is in place to conduct and test backups for reliability? What will your insurance replace at current market rates? How large are the deductibles?
Disasters happen all the time; surviving requires planning and preparation. No one wants to be in a disaster, but if one occurs, the recovery process should be as simple and predictable as possible.