Risk
9/6/2011
08:54 AM
50%
50%

Hurricane Irene Sparks Talk Of HIT Disaster Strategy

Health IT managers are looking at the damage done and reassessing their disaster planning strategies.

Healthcare IT Vendor Directory
Slideshow: Healthcare IT Vendor Directory
(click image for larger view and for slideshow)
Like other natural disasters before it, Hurricane Irene disrupted hospital services in the Northeast, causing hospital IT officials to once again mull their disaster preparedness strategies.

Several recent reports in the aftermath of Irene show how damaging hurricanes can be to hospital systems. At Johnson Memorial Medical Center in Stafford Springs, Conn., 43 patients were relocated to other medical facilities when the hospital lost power and utility workers were prevented from fixing the problem because of the approaching storm.

At Staten Island University Hospital in New York City, reports surfaced that the hospital's IT department shut down its computer network, all applications, and phone systems. The hospital suffered minor damage. However, their information systems returned to full operations and, shortly after that, the facility was open for business due, in part, to what CIO Kathy Kania described as a business continuity plan that works.

Reports like these have led Pam Matthews, senior director of regional affairs at the Healthcare Information and Management Systems Society (HIMSS) to contemplate what happens to data when patients are transferred to other medical facilities.

"In Irene several hospitals were relocating patients to other hospitals. Where are these patients' digitized medical records going? How is the clinical information going to be exchanged when you're transferring patients from one hospital to another? Hurricane Irene reinforces the fact that patient care doesn't stop."

Mathews also said Hurricanes like Irene present CIOs with an opportunity to assess where they are in their disaster recovery plan.

"When we do have these natural disasters it either confirms the strategy, the plan, the dollars spent, and the resources that have already been invested by the healthcare organization's disaster recovery strategy, or it provides the opportunity for the CIO to recognize the weaknesses in their existing disaster recovery plan and improve on it," Matthews told InformationWeek Healthcare.

Over at UMass Memorial Health Care, which is the largest healthcare system in central and western Massachusetts, Rick Mohnk, associate CIO responsible for operations and member hospitals, said the hospital at its Marlborough location suffered a power outage for a few hours, and five physician practices associated with the hospital also lost power. However, by the end of the business day on the Wednesday after Irene struck, power at these five facilities was restored.

Mohnk described the hospital's disaster planning efforts as a work in progress that has been built over time and will still require change as the hospital organizes its data strategy around risk management and mitigation that meet demand and expense targets.

"Power and water are still powerful forces out there that you have to deal with," Mohnk told InformationWeek Healthcare. "Our strategy is to have a fully redundant, high availability geo-located data center structure, and Hurricane Irene taught us that we've done the right things because our member hospital in Marlborough lost power, but we had generator power and the appropriate backup and recovery planning, and our data centers continued to stay up and running."

According to Mohnk, UMass Memorial Health Care has three data centers: one at its main campus in Worcester, one in Marlborough, which is 20 miles away, and another in Pittsburgh, Pa. But Mohnk noted that as the hospital considers costs, as well as new ways to improve its clinical data management, it is migrating data from its Pittsburgh data center and will move its electronic health record and other clinical data to a Siemens cloud-based system in Malvern, Pa.

With regard to preparations for Hurricane Irene, Mohnk said the hospital had several command centers with technical teams that were dispatched when power outages occurred and he noted that the IT department made plans before the storm arrived.

"On the Thursday before Irene we literally sat down and reviewed our downtime processes. We went through a series of questions including: Where are we strong? Where are we weak? What are our risks? What are we going to do to mitigate if something does happen? ... We literally had command centers through the weekend to make sure we kept everything going," Mohnk said.

According to HIMSS' Matthews, disasters such as Irene highlight the need for disaster recovery plans, especially for smaller hospitals and medical groups that have limited resources and potentially greater vulnerability to losing patient data. She also noted that hospitals need to prioritize their data and have a contingency plan in place to deal with business continuity and redundancy planning.

"Healthcare organizations need to determine where they would like to be in terms of the robustness of their disaster recovery plan. From a business perspective how much data can they afford to lose? Where are they going to have their second or third data centers? And, what is the organization willing to spend in terms of maintaining their data?" Matthews said.

Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4692
Published: 2015-07-27
The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.

CVE-2015-1840
Published: 2015-07-26
jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space cha...

CVE-2015-1872
Published: 2015-07-26
The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via craft...

CVE-2015-2847
Published: 2015-07-26
Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authentication involving JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream.

CVE-2015-2848
Published: 2015-07-26
Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo Touch before 5.2.19.0_VA allows remote attackers to hijack the authentication of arbitrary users for requests associated with home-automation commands, as demonstrated by a door-unlock command.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!