It has been a turbulent week on the East Coast.  We have had a rare 5.9 earthquake and have been hit by a Category 1 hurricane that have left millions without power and has caused major flooding. So naturally I have been thinking about Disaster Recovery.  It really takes extreme cases like the past week to get people thinking about disasters and Disaster Recovery.  But the truth is that disasters happen every day.  There are fires and floods and explosions that impact businesses every day.

But being that large powerful eye opening events really get people thinking about disasters, I will seize the moment and use it to help get people start thinking about Disaster Recovery planning.  Disaster Recovery planning is not easy. The exercise is trying to plan for something you don’t know exists and can’t anticipate environmental, physical and human actions. But before you get discouraged, you can start planning for things that you think might happen even if you don’t know the exact chain of events.

Categories of disasters

When I look at Disaster Recovery planning I like to split the disaster into 1 of 2 categories.  The first category is a temporary disruption in a business’ ability to access their server/network infrastructure.  This could be the result of an extended power outage that shuts the servers down. Or may be the result of a flood that makes travel to the office for employees impossible but also disrupts the network communication and remote access such as a failed T1, DSL or cable modem.  Both of these scenarios leave a business and employees temporarily without access to the network, data and applications.  The second category is more serious and involves destruction of a business’ server/network infrastructure.  This could be the result of a fire, flood, explosion, earthquake, etc.  The business’ servers and network are permanently destroyed.

You will notice that splitting the disasters into 2 categories allow for planning of multiple scenarios but without having to know the exact cause of the disaster.  It makes the Disaster Recovery planning much easier.

Data replication

One of the key parts of ensuring that you have a Disaster Recovery plan is to figure out how you are going to access critical data in the event that your servers/network are either temporarily or permanently inaccessible.  In this post I go into detail on Disaster Recovery planning which includes data replication and utilizing alternate locations to run duplicate infrastructure. The details of the post will give you good insight into some of the alternatives.

Communications

But another key part of Disaster Recovery planning is much less high tech.  In fact it is probably very low tech and almost as important.  In a disaster one of the worst outcomes is that a business’ employees may not have the ability to communicate with each other.  For example if there is a widespread power outage and your business primarily relies on email to communicate, your email server may be down and this will not be an option.  Secondly as more and more people move away from landline phones (Verizon, AT&T, etc.) to voice over IP (VoIP) such as Vonage and phone service through Cable companies, FIOS, etc, power outages cause people to lose their home phone access. When the power is out, Internet and phone are also out.  The third point is that as we rely on cell phones more and more for communications we are very susceptible to a disruption in cell service.  After the recent earthquake, millions rushed to their cell phones to makes calls only to find that calls would not go through. Unfortunately the reality is our cell phone infrastructure has major problems with extremely high volumes of calls and in disasters that is exactly the amount of volume to expect.  So a business might face the scenarios where email is down and employees can’t be reached via home and cell phones. The issue is critical if you cannot communicate with employees.

Let’s take a low tech approach to communications and see if some basic planning can help.  Prior to the recent hurricane, Entegration did some basic planning to ensure that all employees could communicate in the event of a disaster.  Here are some of the steps we took:

1. Ensure that we had an up to date contact list with all home phone numbers, cell phone numbers and home addresses (yes driving to a person’s house is a viable option if there is no other way to communicate with them).
2. Every employee setup an alternate email address (via Gmail, Hotmail, Yahoo mail, etc.).  We set up the address as First Name Last Name Company Name .  For example ArtGEntegration@hotmail.com.  In the event our primary email server went down and we could not communicate via Exchange/Outlook or our smartphones, we could still communicate via alternate email providers.  These email services are free and very easy to setup. And with smartphones, tablets and wireless network ability, access to these services are very straightforward and easy even in the event of a power outage.  We ensured that our contact list as mentioned in bullet 1 had both the primary and secondary email address for each employee.

Social Networks

Other alternatives are to utilize social networks such as Facebook, Twitter, LinkedIn and Google+ to communicate.  Adding social networks to the above options increase your chances of being able to communicate.

Summary

So hopefully this will get you thinking about Disaster Recovery planning.  In summary:

1. Break disasters into categories (temporary and permanent disruptions of service).
2. Focus on communication strategies that will enable all employees to communicate in the event of a disaster.
3. Plan data replication and alternate locations to run critical business functions.

Image via Flickr posted by www.gisuser.com

If you haven’t heard about HIPAA yet, you probably have been living under a rock.  If you ask most people about HIPAA, patients and practice staff alike, you will probably get responses back concerning the privacy and protection of health information.  Most practices have implemented the basic required steps to protect patient privacy.  Two of the most common requirements include HIPAA privacy notices that patients are required to sign, and publicly available HIPAA privacy policies.  However, as more and more practices are moving towards electronic health records systems (EHRs), there is a more complex side of HIPAA that many small, midsize and even large practices may not have focused on – the HIPAA Security Rule.

I plan on future articles that go into the HIPAA Security Rule much more in-depth but for now let’s look at the Security Rule at a high level.  The HIPAA Security Rule requires that practices put in place policies and procedures to ensure that electronic protected health information (EPHI) is properly protected.   A good comparison regarding EPHI between the HIPAA Privacy Rule and the Security Rule is stated in the Centers for Medicare & Medicaid Services (CMS) Security 101 for Covered Entities:

Electronic vs. oral and paper: It is important to note that the Privacy Rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained or transmitted. For example, EPHI may be transmitted over the Internet, stored on a computer, a CD, a disk, magnetic tape, or other related means. The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.

There are three main parts of the HIPAA Security Rule as defined by CMS for small providers:

1. Administrative Safeguards – These provisions are defined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
2. Physical Safeguards – These provisions are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
3. Technical Safeguards – These provisions are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”

As I mentioned, I plan on drilling down into each of the main parts of the Security Rule.  For a very good overview from CMS, take a look at the Security Standards: Implementation for the Small Provider document.  The document goes into further detail of each of the three parts and provides questions and examples to help you better understand the concepts and principles.

When I was a freshman at Penn State, I landed a summer internship at Merck & Co., Inc.  Within weeks of working there I knew I wanted to be the Chief Information Officer (CIO) of Merck.

A good definition of a CIO can be found at Answers.com.

A company executive who is responsible for the management, implementation and usability of information and computer technologies. The CIO will analyze how these technologies can benefit the company or improve an existing business process and will then integrate a system to realize that benefit or improvement.

My view of a CIO is a person that is responsible for the overall Information Technology (IT) including:

• Hardware (desktops, laptops, network, wide area network, Internet, firewalls, etc.).
• Software (customer relationship management [CRM] systems, accounting systems, manufacturing systems, etc.).
• Security (policies, procedures and technology to implement and enforce security).
• Support of the entire Information Technology.

A CIO must be involved with the selection of new technologies, the implementation of new technologies and must ensure that any new technology is secure and supportable within the company.

Most of the time a CIO is associated with a large enterprise but as the title of this article states, it is my belief that every medical practice should have a CIO.  Just like in large organizations, a medical practice has information technology needs.  As I mentioned in this article, as a practice implements an EMR the size of their network will grow rapidly.

Whether it is a small, midsize or large medical practice, the need for a CIO exists.  The CIO should understand the details, the workflow and the requirements of the practice.  If the practice is at the point of trying to select an EMR, the CIO should be involved in the selection process.  The CIO should understand what the functional requirements of the EMR should be but should also be concerned with the network, security and support requirements.  In addition, the CIO should be involved with the implementation and coordination of the multiple vendors (software, network, training, Internet Service Provider [ISP], lab vendors, digital x-ray vendors, etc.) to successfully implement the EMR.

Once the EMR has been implemented, the CIO will need to ensure that the system is supportable, secure, and reliable.  The CIO will need to be involved if any of the components of the information technology need to be upgraded or new components need to be added.  The CIO must ensure that an upgrade of one component does not negatively impact the functionality of other components.  The CIO will also need to be involved if there is a problem with one of the IT components. The CIO must resolve the unavoidable vendor finger-pointing that occurs when multiple vendors are involved.

A practice will need to ensure that they are compliant with all government regulations including HIPAA and the HITECH Act.  The CIO should be responsible for ensuring that the policies, procedures and proper technologies are implemented for the practice to be in compliance.  The CIO should also be involved with the monitoring and adherence to the security polices and procedures.

After 16 years, I left Merck and eventually co-founded Entegration, Inc.  For over 10 years I have been the CIO of my client’s medical practices.  I have to admit that it is one of the most rewarding jobs I could have hoped for.