South Florida Hospital News
Sunday May 24, 2020

test 2

June 2014 - Volume 10 - Issue 12




Disasters Do Not Have to Be Disasterous When "Peace of Mind” Disaster Recovery and Business Continuity Plans Are in Place

Hurricane season is once again upon us, and with it comes the inevitable stream of dire warnings about just how important comprehensive Disaster Recovery and Business Continuity plans are. With each of the past seven Hurricane seasons having been relatively benign for South Florida, some organizations are becoming complacent. For a regular business, a lack of preparedness could mean the loss of clients, revenue, or even the entire business. For healthcare providers, however, it could mean a loss of life. For this reason, it is not only sensible to be prepared, it is legally required by HIPAA CFR 164.208(a)(7).
Today, technology plays a role in nearly every aspect of healthcare. Electronic Medical Records are quickly replacing their paper equivalents, clinicians are relying on mobile and handheld devices to access and review patient information, PACS and RIS systems continue to generate enormous amounts of data, and patients are becoming accustomed to interfacing with their provider via automated telephone systems and online web portals. These changes are being driven by decreasing margins for providers, increasingly tech-savvy clinicians and patients, and ever-evolving compliance requirements. Whatever the cause, the infrastructure upon which this technology is being deployed must be robust, reliable, and always-available.
In October of 2005, Hurricane Wilma rumbled across South Florida. Although just a Category 2 storm, Wilma left approximately 98% of South Florida without utility power. Some organizations waited in excess of 10 business days for their power to return. The sheer devastation that Andrew caused in 1992 is still fresh in the minds of many, and had Charley not suddenly turned east in August of 2004, it would have battered Tampa with 150 mph sustained winds. The next major storm to strike South Florida is on its way. It may or may not arrive this year, but rest assured, it will arrive.
The first step in being prepared is to either physically move healthcare information systems to a secure and weather hardened data center or migrate them to a trusted Cloud provider that is located inside of one. Keeping healthcare data within a traditional office environment is not only risky, but it can also lead to legal exposure should those systems be damaged, stolen, or compromised. Remember, CFR 165.306(a) states that Covered entities must “… protect against any reasonably anticipated threats or hazards to the security or integrity …” of electronic protected health information.
Some features to look for in a data center include 24x7 on-site security, utility power from at least two different grids, redundant generators backing each tenant power circuit, carrier neutrality to ensure you can connect using the telecom carrier(s) of your choice, and purpose-built construction. The last item is of particular importance because South Florida happens to be home to several data centers which are merely conversions of structures built for other purposes. Additional recommendations include choosing a facility that is at least 20 feet above sea level, outside of the 500-year floodplain, and unencumbered by storm “lock-down” procedures. After all, you would not want to be locked out when you most need to get in.
The next step is to review data backup procedures. The traditional nightly backup may no longer satisfy CFR 164.308(7) as the most recent backup copies of protected electronic health information may be up to 24 hours old, thus violating the requirement to “restore any loss of data.” Unfortunately, there are no specific rules on how often backups must be completed, so it is recommended to do so as often as a given platform can reasonably support.
For all but the smallest providers, replication to a second data center or Cloud provider should strongly be considered. Leveraging modern technologies, this additional layer of protection is remarkably affordable.
Finally, with data and systems adequately protected, CFR 164.308(7)(ii)(D) states that each provider must “… implement procedures for periodic testing and revision of contingency plans.” During the testing process, which should be done at least twice per year, the provider must also ensure that all required security and privacy is maintained even when running in recovery/emergency mode.
Rick Mancinelli, recently named as one of the Miami Techweek100 by eMerge Americas, is the CEO of Cloud Computing Concepts (C3), a single source provider of cloud computing, 24x7 help desk, on-site support, voice and data communications, and disaster recovery/business continuity solutions. He welcomes questions and comments at
Share |