CBL Data Recovery Media Coverage

Protect Your Data from Disaster

Data Recovery Article: Advance For Health Professionals – May 27, 2002

“In every case, an organization is only as good as its data. Without the data you’ve got to ask yourself, ‘How will my business go on?’”

Floods happen. Fires happen. And to borrow a phrase from Bill Margeson, president of CBL Data Recovery Technologies in Armonk, NY, “IT happens.” The truth is, awareness of the vulnerabilities of data has grown since September 11, and many health care facilities are questioning how they would fare if crippled by disaster. Consequently, data management / recovery companies have marketed everything from offsite storage to fireproof safes to protect the precious data so integral to a facility’s operations. But for the decision makers, it comes down to balancing the warnings of soothsaying alarmists against budget-conscious administrators who may be ignoring potential risks and compromising the future continuity of the business.

A Heightened Awareness
In his business, Gene Guertin, chief information officer at SMART Corp., a national data management outsourcing company located in Alpharetta, GA, has seen what he describes as a “heightened awareness.” SMART’s initial concentration has been on servicing its release of information clients, but because of its practice of digitizing information for the purpose of electronic transmission, meeting the needs of clients wishing to protect their data was a natural progression for them.

“What we’ve seen in the past few months is a lot of interest in digitizing information,” said Guertin. To respond to this interest, “We’ve got more than 1,500 people deployed across the country with scanners and some pretty good technology on laptops and systems.” And Guertin’s company isn’t just digitizing health-related records. They have expanded their operations to accommodate “business critical information” that any organization/facility relies on to run its business. Not surprisingly, the collective movement is one away from paper-based documents.

The Paper Chase-Away
From Guertin’s perspective, the trend in data protection seems to be digitizing data and keeping it (or at least a backup) offsite, given how vulnerable paper is. It’s certainly what companies like EDCO-The Document People are doing, according to Dona Elkins, the company president.

“Paper records are the basis of our business—specifically medical records,” said Elkins. “We receive and process 300 million pieces of paper a year.” As she explained, the majority of these records are converted to what they call “Intelli-Film” and matched to the hospital’s master patient index (MPI). “The more current and active records are delivered via our SecureDisk, which is an electronic record with film backup,” Elkins added, describing this as “a security measure in itself.”

It might be obvious why relying exclusively on a paper-based system is risky, but even in this high-tech world, many hospitals or smaller health care facilities have file cabinets and folders filled with important data, a practice discouraged by document management companies like EDCO.

“Paper is the most vulnerable because it’s hard to track and difficult to duplicate and store,” said Elkins. “Film-based imaging becomes the permanent archive,” and “duplicate rolls stored off-site or scanning of the filmed pertinents becomes a good risk management strategy.”

When IT Happens
Health information comes in many forms, of course. There are paper medical records, electronic medical records, X-ray images, billing systems—the list is ad infinitum. But in terms of data recovery, if you think getting rid of the paper-based system gets rid of the risk factor, talk to Bill Margeson at CBL Data Recovery Technologies, who is thinking about changing his company name to “Worst Case Scenarios R Us.”

“We recover data when the experts fail,” said Margeson. “Our motto this year is, ‘IT happens.’” Don’t ask Margeson what’s going right in the world of data recovery, because it’s his job to think the worst. But his experiences offer a lesson to other health care facilities falsely comforted by the fact that “everything’s backed up.”

“Just two months ago we had a major hospital that brought in their server. They had 120 gigs of data—their day-to-day operations,” said Margeson. As he tells the story, first the server failed, then experts were called in, then the manufacturer was called. Margeson recalled, “Two gentlemen came in. They were there for about 15 minutes. Then they went upstairs and resigned—not a good sign.”

In Margeson’s scenario, the initial problem was a failed disk drive. “This particular server had 12 disk drives in what’s called a RAID Array, a redundant array of independent devices,” he explained. These independent devices are designed as a safeguard, to protect in the case of a single drive failure, but this facility was hit with what Margeson calls a “double whammy.” As he put it, “It was like lightning striking twice, but the error in judgment came when they tried to repair things themselves.” Miraculously, Margeson’s company was able to retrieve the data, but it was a close call for the facility, as well as a lesson to IT departments that no system is foolproof.

Guarding Against the Elements
Margeson’s story had much to do with the human factor of IT, but computer equipment is just as vulnerable to the elements as a paper system. “Common sense should prevail when storing filmed records in the department,” said Elkins. “They should be kept in secure cabinets.” It may sound like document management 101, but as Elkins stressed, “You shouldn’t put your film in boxes on the floor or on top of cabinets under water pipes.” Her staff has been part of such cleanup operations, and Elkins knows the value in an ounce of prevention.

Just consider the situation at Memorial Hermann Hospital, the health care system hit by Tropical Storm Allison last year. Although several buildings in the hospital system were out of commission for several days following Allison’s deluge, the system did not suffer any loss of critical data. David Bradshaw, chief information officer of Memorial Hermann, told the Houston Business Journal that the system had a disaster plan in effect for some time, and had even raised the floor of its basement data center a few years ago (see “Unwiring America: A New Era in Communications,” Dec. 21, 2001).

Make a New Plan, Stan
“Regardless of the storage medium (paper, film, data), planning ahead is key,” stressed Elkins. And if you don’t know where to begin, she suggested, consider your priorities. Ask yourself, “What could be recovered and what could not, given a disaster?” Frank Nosalek, senior consultant for Beacon Partners, Norwell, MA, has the same advice: “[Disaster recovery planning] begins with an assessment of the needs of the organization prior to finalizing the scope of the plan, with HIPAA-compliance needs an integral part of the assessment,” he notes (see “Disaster Recovery Planning,” ADVANCE for Health Information Executives, April 2002). According to Nosalek, a plan provides what he calls a “roadmap” for specific preparations prior to a disaster, as well as “the emergency procedures to be followed immediately after a disaster.” In addition, he suggested that key staff receive a copy of the plan. “An important benefit of distributing your plan is that you foster a greater awareness of the organization’s efforts to be prepared for an emergency.”

Protect That Data, or Else
In terms of budgeting for a disaster and devising a recovery plan, it may actually fall under a facility’s HIPAA budget, given the proposed security regulation requirement for safeguarding electronic data from vulnerabilities. As Nosalek suggested, “Vulnerabilities must be identified, data analyzed and recommendations made to minimize or eliminate the risks.”

Finally, as Mark Hays pointed out in the American Health Information Management Association’s In Confidence newsletter, the Gramm-Leach-Bliley (GLB) Act may address health care facilities’ responsibilities to protect specific data against hazards as well (see “GLB and Healthcare: The Other Privacy Regulation,” November/December 2001). GLB, commonly thought to affect banks and credit card companies, contains provisions for protection against “any anticipated threats or hazards to private data,” according to Hays. In fact, “This GLB requirement goes beyond the existing requirements of HIPAA, which do not speak directly to anticipated threats, databases and infrastructure—and will impact every health care information system that processes or stores private data.”

But before facilities invest time and money protecting their data from the unknown disasters, SMART’s Guertin cautions that precaution is relative. “Even before September 11 each business has had to look at its situation,” he said, stressing that if an organization believes it has all of its bases covered—and has tested out its backup plan—it may not require outside assistance. The protective measures a facility takes will vary based on size, but in every case, an organization is only as good as its data. Without the data, Guertin said, “You’ve got to ask yourself, ‘How will my business go on?’”