Risk
9/6/2011
08:54 AM
Connect Directly
RSS
E-Mail
50%
50%

Hurricane Irene Sparks Talk Of HIT Disaster Strategy

Health IT managers are looking at the damage done and reassessing their disaster planning strategies.

Healthcare IT Vendor Directory
Slideshow: Healthcare IT Vendor Directory
(click image for larger view and for slideshow)
Like other natural disasters before it, Hurricane Irene disrupted hospital services in the Northeast, causing hospital IT officials to once again mull their disaster preparedness strategies.

Several recent reports in the aftermath of Irene show how damaging hurricanes can be to hospital systems. At Johnson Memorial Medical Center in Stafford Springs, Conn., 43 patients were relocated to other medical facilities when the hospital lost power and utility workers were prevented from fixing the problem because of the approaching storm.

At Staten Island University Hospital in New York City, reports surfaced that the hospital's IT department shut down its computer network, all applications, and phone systems. The hospital suffered minor damage. However, their information systems returned to full operations and, shortly after that, the facility was open for business due, in part, to what CIO Kathy Kania described as a business continuity plan that works.

Reports like these have led Pam Matthews, senior director of regional affairs at the Healthcare Information and Management Systems Society (HIMSS) to contemplate what happens to data when patients are transferred to other medical facilities.

"In Irene several hospitals were relocating patients to other hospitals. Where are these patients' digitized medical records going? How is the clinical information going to be exchanged when you're transferring patients from one hospital to another? Hurricane Irene reinforces the fact that patient care doesn't stop."

Mathews also said Hurricanes like Irene present CIOs with an opportunity to assess where they are in their disaster recovery plan.

"When we do have these natural disasters it either confirms the strategy, the plan, the dollars spent, and the resources that have already been invested by the healthcare organization's disaster recovery strategy, or it provides the opportunity for the CIO to recognize the weaknesses in their existing disaster recovery plan and improve on it," Matthews told InformationWeek Healthcare.

Over at UMass Memorial Health Care, which is the largest healthcare system in central and western Massachusetts, Rick Mohnk, associate CIO responsible for operations and member hospitals, said the hospital at its Marlborough location suffered a power outage for a few hours, and five physician practices associated with the hospital also lost power. However, by the end of the business day on the Wednesday after Irene struck, power at these five facilities was restored.

Mohnk described the hospital's disaster planning efforts as a work in progress that has been built over time and will still require change as the hospital organizes its data strategy around risk management and mitigation that meet demand and expense targets.

"Power and water are still powerful forces out there that you have to deal with," Mohnk told InformationWeek Healthcare. "Our strategy is to have a fully redundant, high availability geo-located data center structure, and Hurricane Irene taught us that we've done the right things because our member hospital in Marlborough lost power, but we had generator power and the appropriate backup and recovery planning, and our data centers continued to stay up and running."

According to Mohnk, UMass Memorial Health Care has three data centers: one at its main campus in Worcester, one in Marlborough, which is 20 miles away, and another in Pittsburgh, Pa. But Mohnk noted that as the hospital considers costs, as well as new ways to improve its clinical data management, it is migrating data from its Pittsburgh data center and will move its electronic health record and other clinical data to a Siemens cloud-based system in Malvern, Pa.

With regard to preparations for Hurricane Irene, Mohnk said the hospital had several command centers with technical teams that were dispatched when power outages occurred and he noted that the IT department made plans before the storm arrived.

"On the Thursday before Irene we literally sat down and reviewed our downtime processes. We went through a series of questions including: Where are we strong? Where are we weak? What are our risks? What are we going to do to mitigate if something does happen? ... We literally had command centers through the weekend to make sure we kept everything going," Mohnk said.

According to HIMSS' Matthews, disasters such as Irene highlight the need for disaster recovery plans, especially for smaller hospitals and medical groups that have limited resources and potentially greater vulnerability to losing patient data. She also noted that hospitals need to prioritize their data and have a contingency plan in place to deal with business continuity and redundancy planning.

"Healthcare organizations need to determine where they would like to be in terms of the robustness of their disaster recovery plan. From a business perspective how much data can they afford to lose? Where are they going to have their second or third data centers? And, what is the organization willing to spend in terms of maintaining their data?" Matthews said.

Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.