In the wake of Hurricane Harvey, and with Hurricane Irma expected to hit the Florida coast this weekend, we thought it would be a good idea to reissue this post from last year.
The reality is that disaster can strike an ASC at any time. Effective disaster preparation should include development of an information technology (IT) disaster recovery plan. This plan can help an ASC protect the data that is critical to its operations and restore normal operations following a disaster as quickly as possible.
To assist with developing a disaster recovery plan, or making sure your existing plan will meet your needs when the time to execute it comes, we discuss eight steps ASCs should take.
Note: This is not intended to be a comprehensive list. Make sure to discuss your plan with your IT department and/or managed services provider, as well as your IT vendors, to identify additional considerations for your plan.
- Put together a team.
Development of the IT response plan should not be a one-person project as that will increase the likelihood of an oversight. ASC staff members to consider for the team include the administrator, business office manager, director of nursing, IT director, technology super-users and any third-party technology consultants with which your ASC contracts.
It is also worthwhile to involve your IT vendor reps in development of the plan to ensure you accurately include how to address issues that could arise with their specific systems.
- Designate response leaders.
In the event of a disaster, every second counts. Your ASC should designate IT “disaster authorities” — expert team members who are responsible for executing your disaster recovery (DR) plan. This would include coordinating employee response as well as support and recovery efforts provided by IT vendors.
- Understand your technology.
An effective plan will include the steps your ASC needs to take to restore its technology. This makes it essential to gain an understanding of the critical technology your ASC uses and how it processes your data.
A technology assessment should look not only at your hardware, such as desktops and servers that are located on site, but also the software you use (if it needs to be reinstalled) and any offsite technologies you rely upon, such as cloud storage and backup solutions.
- Identify your threats, and build a plan around them.
How is your technology most likely to be affected by a disaster? To answer that question, you need to understand what types of disasters you are most likely to face. Depending upon your location, that can vary greatly.
Any disaster has the potential to cause a wide range of damage to an ASC. For example, a bad snowstorm may make it difficult for some team members to make it to the facility for a few days. Will your disaster plan identify a way to allow staff stuck offsite for an extended period of time to perform their jobs remotely? If a leaky roof forces you to close off part of your ASC, do you have the means to relocate affected areas and still keep your operation running smoothly?
A flood could damage equipment sitting on the floor. Is your critical technology elevated and protected?
An earthquake could knock out power and/or phone lines. Does your ASC have a strong enough backup generator to allow you to remain open, even with reduced operations? Do you have a way to redirect landline phone calls to a HIPAA-compliant answering service or dedicated ASC cell phone?
A hurricane could destroy your entire building. How will you get your technology up and running once you have relocated?
These are just a few of the questions you will want to consider, factoring in the potential damage various disasters can inflict on your ASC. How you will answer these questions — and any others concerning possible ways your ASC could be affected — should be spelled out in detail in your plan.
- Keep it current.
An IT disaster response plan should be a living document. When there are changes in an ASC that affect the plan, it should be updated accordingly. Examples include changes to staff, technology (both hardware and software) and IT vendors.
Make sure to review the plan regularly to help catch when new information is accidentally omitted and ensure the plan accurately reflects your ASC’s current operations.
- Don’t neglect training.
Disasters rarely hit most ASCs. This can create a false sense of security, which will leave an ASC vulnerable. Surgery centers need to take disaster response seriously, and train their staff accordingly.
New staff should receive training on their role in disaster response during orientation. Existing staff should undergo regular re-training on the plan in place.
- Test the plan.
Training should include mock drills that test your ASC’s response to a disaster. While most ASCs perform such mock disaster drills annually, sometimes the technology component of response is overlooked.
Staff can be drilled on how they would respond to a small technology disaster, such as an electronic medical records process or phone line going down, or a large disaster, such as a complete, extended power outage or destruction of hardware.
The more opportunities staff have to practice their response to varying degrees of technology disasters, the better prepared they will be when a disaster actually hits.
- Test backup systems.
Most ASCs have some form of a data backup system. There is only one true way to know if the system will do what it is supposed to when needed: test it.