Peter Polack asked:
In the event of a natural disaster, your medical practice must be able to recover important information through disaster recovery efforts. You’ll also need to get back into operation as quickly as possible to maintain business continuity.
A fair number of medical practices received their first test of disaster recovery planning during the Katrina hurricane. The majority of those used paper records and are still trying to recover from the disaster. Those few that had electronic medical records (EMR) systems were able to recover their records, at least, and are now well on their way to normality.
A large New Orleans-based oncology practice averted certain financial disaster by having this type of recovery system ready. The IT admin and her team were able to back up their important records and escape with tapes and servers full of archives. They also had the forethought to bring the binders with instructions for rebuilding the systems. Before long, most of the city was under water. The practice relocated temporarily to Florida, and set up a remote network. Because ‘land line’ telephones were not functioning, they were forced to rely on cell phones for communications.
What, then, is a disaster recovery plan? A good plan needs to spell out exactly who does what, what needs to be done, where it is done, and both why and how. When a practice deals with either EMR or EPM systems, the primary focus is on the protection of electronic information.
At our practice, we do a daily backup to tape for both the ASC and the practice; this happens at the end of each work day. Copies of the backup tales are taken to the alternate location by courier, and locked in a fire-safe container. When a practice uses this sort of system, one can never lose more than a day’s worth of data. Other more sophisticated (and expensive) backup solutions can add layers on top of this. These sorts of solutions include remote backup services online. However, these solutions are often out of the price range for most small and medium-sized practices.
It is critical that backup system be tested periodically. We test our previous day’s backup by restoring it to another server used for training. If there are faults in the training database, we have a known problem with the backup system. In addition, many backup media such as tapes have a limited lifespan and must be replaced periodically. Don’t just toss out the old tapes, though – they must be erased properly and discarded in a way that will keep your practice’s information protected.
Don’t forget, your plan should comply with HIPAA regulations. We’ve all heard about laptops which went missing from the VA system and the possibilities for patient information to fall into the wrong hands. Our couriers are our own employees, and both the tape container and the room where they’re kept have separate keys.
A far more likely threat than a flood is a lightning strike or simple server failure. Are there redundant backup servers? Do you have a redundant power supply? What is your plan for business continuity? What if entrance to your practice is blocked? Will you be forced to cancel appointments, and if so, for how long?
If your practice has multiple locations, a satellite office can become a ‘hot’ site, taking over the function of another office if one is rendered inoperable. Still, you may need to set up a ‘cold’ site, using whatever office space is available to suit your changing needs. You may also want to consider a ‘sister’ office arrangement, an agreement between colleagues or friendly competitors to enter a mutually beneficial arrangement in the case of a disastrous event.
Important paper records should be stored in a water and fire-proof safe. Unfortunately, this isn’t feasible for storing patient records. Documents that can’t be replaced should be stored in a separate safe location.
Finally, consider business continuity insurance. This will help with cash flow to pay the bills until revenue is back up. This type of insurance could be the difference between financial ruin and eventual recovery after a disaster.
In the event of a natural disaster, your medical practice must be able to recover important information through disaster recovery efforts. You’ll also need to get back into operation as quickly as possible to maintain business continuity.
A fair number of medical practices received their first test of disaster recovery planning during the Katrina hurricane. The majority of those used paper records and are still trying to recover from the disaster. Those few that had electronic medical records (EMR) systems were able to recover their records, at least, and are now well on their way to normality.
A large New Orleans-based oncology practice averted certain financial disaster by having this type of recovery system ready. The IT admin and her team were able to back up their important records and escape with tapes and servers full of archives. They also had the forethought to bring the binders with instructions for rebuilding the systems. Before long, most of the city was under water. The practice relocated temporarily to Florida, and set up a remote network. Because ‘land line’ telephones were not functioning, they were forced to rely on cell phones for communications.
What, then, is a disaster recovery plan? A good plan needs to spell out exactly who does what, what needs to be done, where it is done, and both why and how. When a practice deals with either EMR or EPM systems, the primary focus is on the protection of electronic information.
At our practice, we do a daily backup to tape for both the ASC and the practice; this happens at the end of each work day. Copies of the backup tales are taken to the alternate location by courier, and locked in a fire-safe container. When a practice uses this sort of system, one can never lose more than a day’s worth of data. Other more sophisticated (and expensive) backup solutions can add layers on top of this. These sorts of solutions include remote backup services online. However, these solutions are often out of the price range for most small and medium-sized practices.
It is critical that backup system be tested periodically. We test our previous day’s backup by restoring it to another server used for training. If there are faults in the training database, we have a known problem with the backup system. In addition, many backup media such as tapes have a limited lifespan and must be replaced periodically. Don’t just toss out the old tapes, though – they must be erased properly and discarded in a way that will keep your practice’s information protected.
Don’t forget, your plan should comply with HIPAA regulations. We’ve all heard about laptops which went missing from the VA system and the possibilities for patient information to fall into the wrong hands. Our couriers are our own employees, and both the tape container and the room where they’re kept have separate keys.
A far more likely threat than a flood is a lightning strike or simple server failure. Are there redundant backup servers? Do you have a redundant power supply? What is your plan for business continuity? What if entrance to your practice is blocked? Will you be forced to cancel appointments, and if so, for how long?
If your practice has multiple locations, a satellite office can become a ‘hot’ site, taking over the function of another office if one is rendered inoperable. Still, you may need to set up a ‘cold’ site, using whatever office space is available to suit your changing needs. You may also want to consider a ‘sister’ office arrangement, an agreement between colleagues or friendly competitors to enter a mutually beneficial arrangement in the case of a disastrous event.
Important paper records should be stored in a water and fire-proof safe. Unfortunately, this isn’t feasible for storing patient records. Documents that can’t be replaced should be stored in a separate safe location.
Finally, consider business continuity insurance. This will help with cash flow to pay the bills until revenue is back up. This type of insurance could be the difference between financial ruin and eventual recovery after a disaster.
