By William M. Miaoulis, CISA, CISM; Nancy A. Miracle, RN; and Edward S. Humphrey, MT-ASCP
Many traditional information technology (IT) disaster-recovery plans (DRPs) are written to address only the risks of a local disaster: the loss of a data center due to an event such as flooding, fire or loss of power. Although this is a critical component and a HIPAA requirement, this type of plan can come up short when organizations face a region-wide disaster.
Just as computers need care (IT staff) and feeding (electricity), so do the individuals who ensure that systems are operational. During the Hurricane Katrina disaster, for example, healthcare and IT staff worked extended days. These people needed shelter, food, water, clothing, medications and security. Regardless of who is responsible, organizations should plan and document how to care for and feed their staff. This includes:
Communications: How is the organization going to communicate with employees or vendors outside of the hospital? A couple of suggestions include having a contact number outside the region, a Web site communications point and satellite telephones. To ensure vital communications, organizations need to forge relationships with recovery organizations and redundant communications providers. For example, the Hawaii Association of Hospitals has deployed satellite phones to member hospitals statewide to assist with a region-wide disaster.
The basics (food and water): Organizations should determine the amount of food, where it will be stored and who is responsible for providing it. IT departments should understand what will be provided for support staff. Some simple, but critical questions include: Do organizations have reliable emergency water sources and are emergency restroom facilities available? Are supplies of potable and non-potable water available?
Fuel: During Katrina, one organization had planned for emergency generator fuel to provide electricity for only 72 hours. Fuel suppliers were unable to perform refueling deliveries. The need for greater storage capabilities became evident. Re-prioritizing the areas that must have electricity to conserve generator power was a critical post-Katrina lesson learned.
Security: Providing security for hospital employees and patients during a disaster is crucial. The hospital may become a shelter and home to thousands of people and pets. During Katrina, hungry and frightened refugees posed a serious threat to the safety and welfare of employees and patients. This also placed a strain on already limited supplies of food and water. Post-Katrina plans include ensuring availability of adequate security staff and clear personnel identification arm bands that restrict individuals to non-patient care areas. This is of critical importance to protecting hospital safety and security.
Logistics: During a region-wide disaster, getting personnel and supplies into the affected areas is difficult. Area clearances, identification and security processes are items for planning with regional emergency authorities. In remote locations, with potential disasters such as hurricanes or tsunamis, local hospital resources may be strained, requiring contingency plans for delivery.
A traditional DRP is a key component of an overall business-continuity plan. When embarking on such a plan, organizations should document two key components, the application recovery time objective (RTO) and the application data recovery point objective (RPO), and understand the consequences of a region-wide disaster on those components. The Katrina experience taught organizations that a remote data center and remote data did not provide needed patient information during a disaster.
To document RTO, an organization should look at each application system it has and determine how quickly it must recover that specific application. The key component of DRP planning is having the necessary data available to treat patients.
The RPO for application data answers the question: how much data can an organization afford to lose? Often, clinicians learn they could lose more than a day of patient information on active and discharged patients. Such a typical backup scheme would not provide patients' clinical values, medications, charting and other data. Solutions can include continuing to store critical information on paper, on a print server that is separate from the primary data center, or downloaded to local machines on the patient-care unit. The important factor is that key clinical information is available.
Hospital IT departments need to continually update their IT disaster-recovery plans, including non-traditional plans for communications, food, water, security and logistics. IT departments should work closely with their hospital emergency-management team and with regional disaster authorities. Traditional IT plans should focus both on providing critical clinical data to effectively continue patient care and on ensuring that the support staff's needs are met.
William M. Miaoulis, CISA, CISM; Nancy A. Miracle, RN; and Edward S. Humphrey, MT-ASCP, work at Phoenix Health Systems.