Risk
9/6/2011
08:54 AM
50%
50%

Hurricane Irene Sparks Talk Of HIT Disaster Strategy

Health IT managers are looking at the damage done and reassessing their disaster planning strategies.

Healthcare IT Vendor Directory
Slideshow: Healthcare IT Vendor Directory
(click image for larger view and for slideshow)
Like other natural disasters before it, Hurricane Irene disrupted hospital services in the Northeast, causing hospital IT officials to once again mull their disaster preparedness strategies.

Several recent reports in the aftermath of Irene show how damaging hurricanes can be to hospital systems. At Johnson Memorial Medical Center in Stafford Springs, Conn., 43 patients were relocated to other medical facilities when the hospital lost power and utility workers were prevented from fixing the problem because of the approaching storm.

At Staten Island University Hospital in New York City, reports surfaced that the hospital's IT department shut down its computer network, all applications, and phone systems. The hospital suffered minor damage. However, their information systems returned to full operations and, shortly after that, the facility was open for business due, in part, to what CIO Kathy Kania described as a business continuity plan that works.

Reports like these have led Pam Matthews, senior director of regional affairs at the Healthcare Information and Management Systems Society (HIMSS) to contemplate what happens to data when patients are transferred to other medical facilities.

"In Irene several hospitals were relocating patients to other hospitals. Where are these patients' digitized medical records going? How is the clinical information going to be exchanged when you're transferring patients from one hospital to another? Hurricane Irene reinforces the fact that patient care doesn't stop."

Mathews also said Hurricanes like Irene present CIOs with an opportunity to assess where they are in their disaster recovery plan.

"When we do have these natural disasters it either confirms the strategy, the plan, the dollars spent, and the resources that have already been invested by the healthcare organization's disaster recovery strategy, or it provides the opportunity for the CIO to recognize the weaknesses in their existing disaster recovery plan and improve on it," Matthews told InformationWeek Healthcare.

Over at UMass Memorial Health Care, which is the largest healthcare system in central and western Massachusetts, Rick Mohnk, associate CIO responsible for operations and member hospitals, said the hospital at its Marlborough location suffered a power outage for a few hours, and five physician practices associated with the hospital also lost power. However, by the end of the business day on the Wednesday after Irene struck, power at these five facilities was restored.

Mohnk described the hospital's disaster planning efforts as a work in progress that has been built over time and will still require change as the hospital organizes its data strategy around risk management and mitigation that meet demand and expense targets.

"Power and water are still powerful forces out there that you have to deal with," Mohnk told InformationWeek Healthcare. "Our strategy is to have a fully redundant, high availability geo-located data center structure, and Hurricane Irene taught us that we've done the right things because our member hospital in Marlborough lost power, but we had generator power and the appropriate backup and recovery planning, and our data centers continued to stay up and running."

According to Mohnk, UMass Memorial Health Care has three data centers: one at its main campus in Worcester, one in Marlborough, which is 20 miles away, and another in Pittsburgh, Pa. But Mohnk noted that as the hospital considers costs, as well as new ways to improve its clinical data management, it is migrating data from its Pittsburgh data center and will move its electronic health record and other clinical data to a Siemens cloud-based system in Malvern, Pa.

With regard to preparations for Hurricane Irene, Mohnk said the hospital had several command centers with technical teams that were dispatched when power outages occurred and he noted that the IT department made plans before the storm arrived.

"On the Thursday before Irene we literally sat down and reviewed our downtime processes. We went through a series of questions including: Where are we strong? Where are we weak? What are our risks? What are we going to do to mitigate if something does happen? ... We literally had command centers through the weekend to make sure we kept everything going," Mohnk said.

According to HIMSS' Matthews, disasters such as Irene highlight the need for disaster recovery plans, especially for smaller hospitals and medical groups that have limited resources and potentially greater vulnerability to losing patient data. She also noted that hospitals need to prioritize their data and have a contingency plan in place to deal with business continuity and redundancy planning.

"Healthcare organizations need to determine where they would like to be in terms of the robustness of their disaster recovery plan. From a business perspective how much data can they afford to lose? Where are they going to have their second or third data centers? And, what is the organization willing to spend in terms of maintaining their data?" Matthews said.

Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.