Last month is the fourth anniversary of Hurricane Sandy, which formed on October 22, 2012. We're also only a few weeks removed from destruction brought by Hurricane Matthew from the Caribbean to the U.S.The reality is that disaster can strike an ASC at any time. Effective disaster preparation should include development of an information technology (IT) disaster recovery plan.
This plan can help an ASC protect the data that is critical to its operations and have the ability to restore normal operations following a disaster as quickly as possible.To assist with developing a disaster recovery plan, or making sure your existing plan will meet your needs when the time to execute it comes, we've discussed eight steps ASCs should take.
Note: This is not intended to be a comprehensive list. Make sure to discuss your plan with your IT department and/or managed services provider, as well as your IT vendors, to identify additional considerations for your plan.
1. Put together a team
Development of the IT response plan should not be a one-person project as that will increase the likelihood of an oversight. ASC staff members to consider for the team include the administrator, business office manager, director of nursing, IT director, technology superusers and any third-party technology consultants with which your ASC contracts.
It is also worthwhile to involve your IT vendor reps in development of the plan to ensure you accurately include how to address issues that could arise with their specific systems.
2. Designate response leaders
In the event of a disaster, every second counts. Your ASC should designate IT "disaster authorities" — expert team members who are responsible for executing your DR plan. This would include coordinating employee response as well as support and recovery efforts provided by IT vendors.
3. Understand your technology
An effective plan will include the steps your ASC needs to take to restore its technology. This makes it essential to gain an understanding of the critical technology your ASC uses and how it processes your data.
A technology assessment should look not only at your hardware, such as desktops and servers that are located on site, but also the software you use (in the event that it needs to be reinstalled) and any offsite technologies you rely upon, such as cloud storage and backup solutions.
4. Identify your threats and build a plan around them
How is your technology most likely to be affected by a disaster? To answer that question, you need to understand what types of disasters you are most likely to face. Depending upon your location, that can vary greatly.
Any disaster has the potential to wreak a wide range of havoc on an ASC. For example, a bad snowstorm may make it difficult for some team members to make it to the facility for a few days. Will your disaster plan identify a way to allow staff stuck offsite for an extended period of time to perform their jobs remotely? If a leaky roof forces you to close off part of your ASC, do you have the means to relocate affected areas and still keep your operation running smoothly?
A flood could damage equipment sitting on the floor. Is your critical technology elevated and protected?
An earthquake could knock out power and/or phone lines. Does your ASC have a strong enough backup generator to allow you to remain open, even with reduced operations? Do you have a way to redirect landline phone calls to a HIPAA-compliant answering service or dedicated ASC cell phone?
A hurricane could destroy your entire building. How will you get your technology up and running once you have relocated?
These are just a few of the questions you will want to consider, factoring in the potential damage various disasters can inflict on your ASC. How you will answer these questions — and any others concerning possible ways your ASC could be affected — should be spelled out in detail in your plan.
5. Keep it current
An IT disaster response plan should be a living document. When there are changes in an ASC that affects the plan, it should be updated accordingly. Examples include changes to staff, technology (both hardware and software) and IT vendors.
Make sure to review the plan regularly to help catch when new information is accidentally omitted and ensure the plan accurately reflects your ASC's current operations.
6. Don't neglect training
Disasters rarely hit most ASCs. This can create a false sense of security, which will leave an ASC vulnerable. Surgery centers need to take disaster response seriously, and train their staff accordingly.
New staff should receive training on their role in disaster response during orientation. Existing staff should undergo regular re-training on the plan in place.
7. Test the plan
Training should include mock drills that test your ASC's response to a disaster. While most ASCs perform such mock disaster drills annually, sometimes the technology component of response is overlooked.
Staff can be drilled on how they would respond to a small technology disaster, such as an electronic medical records system or phone line going down, or large disaster, such as a complete, extended power outage or destruction of hardware.
The more opportunities staff have to practice their response to varying degrees of technology disasters, the better prepared they will be when a disaster actually hits.
8. Test backup systems
Most ASCs have some form of a data backup system. There is only one true way to know if the system will do what it is supposed to when needed: test it.
Work with your technology team and vendors to simulate data loss and the restore process. If you find the restore process to be too slow, discuss ways to increase speed. Note: A faster restore will likely carry with it a greater investment, so you will need to determine how quickly you need data restoration versus what you would like (if there is a difference).
Also, make sure to conduct regular checks of your backup systems. You should ensure you have a redundant backup solution. Unforeseen problems with backup systems can make data recovery difficult or even impossible. The last thing you will want is to experience a data loss and the find your data backup system has failed as well.
Be Prepared Today for the Unforeseen Tomorrow
Every ASC hopes it will never need to execute a disaster response plan. And if you are lucky, that will be true for your ASC. But for the life of the business and the patients who count on your ASC for their care, it is important not to test fate.
By developing a comprehensive IT disaster response plan, and giving it the attention it requires through updating and training, your ASC will put itself in the best position possible to weather the storm and reduce the short- and long-term negative impact of a disaster.
