From The Editor | May 21, 2014

Making Health Data Hurricane-Proof

Ken Congdon, Editor In Chief of Health IT Outcomes

While traveling to New Jersey for a recent conference, I drove through several areas that still bore scars from physical damage sustained during Hurricane Sandy in 2012. These visual reminders of the disaster immediately brought back memories of the health data problems several hospitals in the region encountered as a result of the power outages and flooding caused by “Frankenstorm.”

Hurricane Sandy revealed the glaring disaster recovery (DR) weaknesses prevalent in the healthcare industry. Unfortunately, it seems few providers have done much to enhance their business continuity plans since. In fact, according to a 2014 MeriTalk study, 82 percent of healthcare providers surveyed admit their technology infrastructure is still not fully prepared for a disaster recovery incident.    

The 2014 Atlantic hurricane season is nearly upon us (it officially runs June 1st through November 30th), and if the weather so far this year is any indication, there could be a monster storm or two on the horizon. Now is the time to prepare yourself for the worst — for the sake of your reputation and your patients. Here are a few tips on how to build a DR solution that can weather any storm.

  1. Start With A Business Impact Analysis (BIA) — A BIA is an essential component of any organization’s business continuance plan. It includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risk. As part of a DR plan, a BIA is likely to identify costs linked with failures, such as loss of cash flow, replacement of equipment, salaries paid to catch up with backlog of work, and so on.1

    If you don’t have a BIA report, create one. If already have a BIA report in place, dust it off, carefully review the business functions contained in the analysis, and cross-reference these functions with your IT leaders. It’s important that IT, organizational, and clinical leadership are all in lock-step to identify system interdependencies so that recovery time objectives can be accurately established and agreed upon.
  2. Validate Your Assumptions — Many healthcare providers likely have a BIA. However, few do the testing necessary to validate the assumptions contained in these reports. Health providers need to take the BIA a step further by selectively testing a few of the most critical entries in the report to ensure what is written down actually plays out as planned. Too many providers currently take a “wait-and-see” approach, and hope that their DR strategies actually work. You don’t want to wait until a disaster actually strikes to prove out your DR policy.
  3. Don’t Over-Test — While testing is an important step to validating any DR plan, Brandon Tanner, senior manager at Rentsys Recovery Services (a DR solution provider), warns that you should be careful not to take your DR testing too far. “Don’t attempt to conduct a full DR test,” he says. “In other words, don’t attempt to test losing all of your systems at once. You will fail miserably, particularly if you aren’t experienced at performing DR tests at any level. The best approach is to select a few important systems that you know will be critical during a disaster and test those to flex your DR muscles.”
  4. Take Geography Into Account — One of the ways hurricanes are different from other natural disasters like tornadoes and earthquakes is the fact that they are typically very widespread from a geographic perspective. Because of this, it is risky to only build out your resiliency locally. Your primary and backup data centers can’t be located too close to one another. They should be geographically dispersed to ensure both aren’t compromised during a hurricane. Cloud DR solutions can be attractive for these types of scenarios because they take many of the complexities involved with managing data centers that are in different states or time zones out of the equation.
  5. Don’t Forget The Human Element — According to Tanner, redundancy and resiliency shouldn’t be reserved for only data and operations centers — you should ensure you have backup personnel in the wings as well. “When disaster strikes, many of the folks you count on locally to keep your systems up and running may be more worried about taking care of their families than they are about the organization’s business continuity,” he says. “You need to make sure you have backup expertise that is out of harm’s way ready to assist in your DR efforts.”

1Definition provided by, a TechTarget website.