Risk
9/6/2011
08:54 AM
Connect Directly
RSS
E-Mail
50%
50%

Hurricane Irene Sparks Talk Of HIT Disaster Strategy

Health IT managers are looking at the damage done and reassessing their disaster planning strategies.

Healthcare IT Vendor Directory
Slideshow: Healthcare IT Vendor Directory
(click image for larger view and for slideshow)
Like other natural disasters before it, Hurricane Irene disrupted hospital services in the Northeast, causing hospital IT officials to once again mull their disaster preparedness strategies.

Several recent reports in the aftermath of Irene show how damaging hurricanes can be to hospital systems. At Johnson Memorial Medical Center in Stafford Springs, Conn., 43 patients were relocated to other medical facilities when the hospital lost power and utility workers were prevented from fixing the problem because of the approaching storm.

At Staten Island University Hospital in New York City, reports surfaced that the hospital's IT department shut down its computer network, all applications, and phone systems. The hospital suffered minor damage. However, their information systems returned to full operations and, shortly after that, the facility was open for business due, in part, to what CIO Kathy Kania described as a business continuity plan that works.

Reports like these have led Pam Matthews, senior director of regional affairs at the Healthcare Information and Management Systems Society (HIMSS) to contemplate what happens to data when patients are transferred to other medical facilities.

"In Irene several hospitals were relocating patients to other hospitals. Where are these patients' digitized medical records going? How is the clinical information going to be exchanged when you're transferring patients from one hospital to another? Hurricane Irene reinforces the fact that patient care doesn't stop."

Mathews also said Hurricanes like Irene present CIOs with an opportunity to assess where they are in their disaster recovery plan.

"When we do have these natural disasters it either confirms the strategy, the plan, the dollars spent, and the resources that have already been invested by the healthcare organization's disaster recovery strategy, or it provides the opportunity for the CIO to recognize the weaknesses in their existing disaster recovery plan and improve on it," Matthews told InformationWeek Healthcare.

Over at UMass Memorial Health Care, which is the largest healthcare system in central and western Massachusetts, Rick Mohnk, associate CIO responsible for operations and member hospitals, said the hospital at its Marlborough location suffered a power outage for a few hours, and five physician practices associated with the hospital also lost power. However, by the end of the business day on the Wednesday after Irene struck, power at these five facilities was restored.

Mohnk described the hospital's disaster planning efforts as a work in progress that has been built over time and will still require change as the hospital organizes its data strategy around risk management and mitigation that meet demand and expense targets.

"Power and water are still powerful forces out there that you have to deal with," Mohnk told InformationWeek Healthcare. "Our strategy is to have a fully redundant, high availability geo-located data center structure, and Hurricane Irene taught us that we've done the right things because our member hospital in Marlborough lost power, but we had generator power and the appropriate backup and recovery planning, and our data centers continued to stay up and running."

According to Mohnk, UMass Memorial Health Care has three data centers: one at its main campus in Worcester, one in Marlborough, which is 20 miles away, and another in Pittsburgh, Pa. But Mohnk noted that as the hospital considers costs, as well as new ways to improve its clinical data management, it is migrating data from its Pittsburgh data center and will move its electronic health record and other clinical data to a Siemens cloud-based system in Malvern, Pa.

With regard to preparations for Hurricane Irene, Mohnk said the hospital had several command centers with technical teams that were dispatched when power outages occurred and he noted that the IT department made plans before the storm arrived.

"On the Thursday before Irene we literally sat down and reviewed our downtime processes. We went through a series of questions including: Where are we strong? Where are we weak? What are our risks? What are we going to do to mitigate if something does happen? ... We literally had command centers through the weekend to make sure we kept everything going," Mohnk said.

According to HIMSS' Matthews, disasters such as Irene highlight the need for disaster recovery plans, especially for smaller hospitals and medical groups that have limited resources and potentially greater vulnerability to losing patient data. She also noted that hospitals need to prioritize their data and have a contingency plan in place to deal with business continuity and redundancy planning.

"Healthcare organizations need to determine where they would like to be in terms of the robustness of their disaster recovery plan. From a business perspective how much data can they afford to lose? Where are they going to have their second or third data centers? And, what is the organization willing to spend in terms of maintaining their data?" Matthews said.

Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.