Long-term care facility operators shouldn’t leave themselves in the dark when it comes to protecting their data.
A tumultuous year, characterized by Hurricane Sandy, massive tornadoes in Oklahoma, raging floods in the heartland and savage wildfires in the West, should send a strong message to healthcare providers coast-to-coast that they are highly vulnerable to data destruction and should be taking steps to ensure its safety.
Losing data in one fell zap just might be the biggest threat facing healthcare organizations today and, ironically, they aren’t taking it seriously enough. This is especially true in the long-term care industry, information technology system specialists say.
“Many think they’re prepared, but they really aren’t,” says LeRoy Boan, RN, senior sales manager at NTT DATA Long Term Solutions. “They’re aware of the issues but don’t take the steps to fully implement the measures. Some organizations have systems in place but haven’t tested them. Larger organizations may have systems at the corporate level, but not for their individual facilities.”
Chris Bingham, vice president of infrastructure for HealthMEDX, agrees preparation is not where it should be for post-acute care providers.
“Clearly, they believe it’s an important topic worthy of their time and attention, but at the same time the lack of adoption of modern technology for many in the sector leads to a disconnect,” he says. “Many — if not most — don’t fully understand the connection between the concepts of generic security and risk prevention for technical systems, disaster recovery and business continuity.”
Seven years after Hurricane Katrina and one year after Sandy, the need to insulate data from ferocious storms like these should be readily apparent, says John Reeves, chief architect for healthcare solutions at EMC. Yet while “having tentacles out is a good starting point,” he says, “there are excuses galore for not addressing this protection, usually around costs and not having the available skills for preparing themselves from disaster.”
Reeves recommends facility operators start by developing a risk management scenario that considers unknown possibilities and includes a risk impact analysis to help them understand their risk. It should encompass a continuous inspection process that is linked to decision making where management has a plan for business continuance and disaster recovery, he says.
“This process leads to a plan of action,” Reeves says. “The gaps help you define the values of risk, the costs associated with lost data and how well your current IT system is set up to withstand data loss.”
Safeguarding it all
When it comes to determining which data is most valuable, system vendors strongly advise taking steps to protect all data, from financial data to key resident information.
“We live in a world that is driven more and more by data,” says Kevin Staley, president and CEO of Integrated Health Systems. “For a moment, just imagine a scenario where a facility has lost all of its data from billing and accounting to care and medicinal plans. How much value would you put on a disaster recovery system at that point in time? It literally can mean the difference from being in or out of business. It’s natural to think that it can never happen to you, but when it does, the impact can be devastating.”
Bingham agrees that all data should be placed in a secure space, including billing information, clinical profiles, personal health information, interfaces and connections. There is no reason not to do it, he says.
“The technology is available to provide coverage for the complex and demanding world of post-acute care and it really is a matter of having the right mindset about risk mitigation, tolerance for loss and ultimately the cost of a good insurance plan versus the decline in care that occurs after a major system failure.”
A facility’s effort to mitigate risk cannot be overemphasized, Bingham says, though he believes in a “more is better” approach to disaster recovery.
“Providers need to understand their risk — they may lose power, they may have an employee walkout or they may have a software failure,” he says. “Once the risks are understood, the next step is finding ways to mitigate them — with backup power generators, by cross-training employees and to have a vendor that understands disaster recovery and offers distinct options.”
It also is important to look at the organization’s policies, procedures and technologies and their ability to support a risk mitigation strategy, Bingham says. This requires looking at available tools, forging a close partnership with a system vendor and a willingness to work out which pieces of disaster recovery each party owns, he says.
Ultimately, it’s about applying common sense to the problem, Bingham says. To illustrate, he offers an example of an electronic medical record solution that has seven days of data backups in chronological order, “which may make you feel good, but you have to ask if you’d be willing to go back seven days to fix a problem and the answer is that you probably don’t want to lose that much time going to a backup. On the other hand, a solution that allows you to rapidly move from a failed copy of your system to another that is updated in real time would probably be worth a lot more.”
Long-term care providers are typically paralyzed by indecision when it comes to starting a disaster preparedness program that includes extensive data backup. This is because of what Staley calls “The Three No’s” — no time, no knowledge and no resources. He refutes these by asserting that “it is important to make the time, gain the knowledge and determine the proper resources required. You may be surprised that it is not an entirely arduous ordeal.”
Louis Hyman, chief technology officer for SigmaCare, says typical misconceptions about disaster preparedness are rooted in two vastly different but common beliefs — that disasters are “trivial” to worry about and that preparing for natural disasters is just too expensive a process to fully conduct.
“However, just by taking the time to identify potential disaster situations and the related impact will lead to good planning and preparation,” Hyman says. “Most state government websites and experienced electronic health record vendors can provide plenty of guidance.”
The two biggest misconceptions Reeves sees occupy points on opposite ends of the outlook scale: “They may feel they are so far behind that they have a defeatist attitude and don’t take the next step; or they are so overconfident about being prepared that they ignore key details.”
The “too expensive” argument is most likely based on outdated costs and technology, Boan adds.
“The cost to back up using hardware has certainly decreased, whether it’s for external back-up devices, digital discs or flash drives,” he says. “The associated manpower expense is also reduced now because back-up process can be automated.”
Selecting an option
There are several directions a provider can follow in order to establish a safe, secure data back-up system and vendors say the right one depends on each provider’s circumstances and preferences.
“Using a hardware option is better than not backing up at all, but to be really secure, providers need to get their backups offsite,” Boan says. “Even taking home an external back-up device is sufficient. I’ve talked to billing staff who back up their files on a device and take it to their safe deposit box in a bank.”
A better alternative, he says, is to back up to a cloud-based system, such as the Dropbox service, which ensures that files are offsite and available anytime and anywhere. Moreover, HIPAA-protected health information is encrypted for secure storage.
“Long-term care providers know what to do to physically protect their residents and facility in case of a disaster and practice with disaster drills,” Boan says. “I’d like to see data backup included in those drills.”
EHRs built on cloud-based technology do not require costly servers at the facility because all the data is stored at remote data centers and available on Internet-enabled devices using a browser, Hyman says. “This means that the facility does not need to worry about backups or server maintenance because the EHR vendor’s data center is responsible for safeguarding the data,” he explains.
Determining the right back-up system can be a complex issue, Staley notes, because each facility has different needs and a disaster recovery system may be unique to each organization.
“Still, all devices should have redundant replacement and some systems need replicated replacement,” he says. “These may sound like ominous terms, but with proper consultation and planning, a proper strategy can be developed and communicated to staff so that everything runs smoothly.”
Averting a ‘data disaster’
Many long-term care facilities are operating under a false sense of security with regard to their ability to recover after being hit by a natural disaster or other sentinel event, information technology specialists say. Yet despite concerns about high costs and limited resources, it is in facility operators’ best interests to implement the following precautions as soon as possible, if they haven’t already:
– Conduct a risk impact analysis to understand the true elements of your facility’s vulnerability and potential loss in the case of disaster. Create a process of continuous inspection and couple it to the decision-making process for business continuance and disaster recovery.
– Complete a qualitative analysis that examines the organization’s complete workflow from the front office to the back room. Ask everyone to identify their critical information and how often it should be backed up. Testing is another important task. Someone must verify that the backups have occurred and the files are available.
– Mitigate risk by formulating a plan that considers both known and unknown contingencies.
– Consider cloud-based storage services, which are not only lower cost but also ensure that files are stored offsite and are available anytime from anywhere.
– Include data backup when practicing disaster drills.
Source: McKnight’s Long-Term Care News interviews, 2013