You can’t Band-Aid disaster preparedness

April 6, 2015
Kimberly Krisik, Business Development Manager, CDW Healthcare

According to the CDC, more than 95 percent of U.S. hospitals made changes to emergency procedures following Sept. 11, 2001. Industry-wide, we now have intensive plans that enable more effective responses in a disaster situation, but these plans are typically costly and, in some situations, organizations must put other projects and needs on hold to support them. In addition to budget challenges, there are ongoing gaps in planning and staff preparedness that prevent a clear path forward.

Defining a disaster

The healthcare industry defines a disaster as any event that can compromise the network, jeopardize data, negatively affect patient care or cause operational challenges within the system. Today, disasters are not limited to the natural kinds such as floods or hurricanes – they can be man-made through cyberattacks and security breaches. New threats occur every day, and it’s up to healthcare organizations to predict and account for the wider range of disasters.

Regardless of threat origins, all healthcare organizations need a disaster recovery plan (DRP) to avoid data loss – especially in a world where patient data is more readily available through health information exchanges and various devices. Such preventative measures protect not only the patient, but also the organization. Lost patient data can hinder efficient patient care by limiting access to personal health information, diagnoses, prescriptions and more, and government mandates and HIPAA penalties related to data loss can set healthcare organizations back millions of dollars.

Embracing the cloud

While some healthcare organizations opt to maintain data centers in house, cloud computing is gaining momentum for organizations looking to separate valuable patient data from their physical location. Offering anytime, anywhere access and possibly lower total costs, cloud technologies provide many benefits compared to traditional disaster recovery solutions. Hosted storage and back-up services also provide increased scalability to in-house data centers, as IDC predicts that the amount of digital data doubles every 18 months.

Cloud security will always be a top concern for healthcare organizations, but securing cloud assets does not have to be a dramatic departure from doing so locally. As with traditional delivery, cloud security is not achieved through a single-point solution – it requires layered technology and policies that are actively managed. Securing cloud assets can be achieved through:

  • Defining security policies for all levels of organizational data;
  • Applying controls for tracking data;
  • Managing access and credentials; and
  • Protecting remote and mobile endpoints.

For those organizations working with an off-premise cloud provider, there are a few additional considerations. Healthcare organizations must adhere to government regulations regarding patient data, so a cloud provider must be able to meet those security standards. It is also important to vet providers and ensure they can meet an organization’s required levels of redundancy and uptime. Finally, it is essential to establish clear boundaries for where an organization’s responsibilities as a subscriber end and where the provider’s begin when it comes to security.

It’s not a one-time fix

Whether data is hosted on site or off, healthcare organizations and public health officials must work together to secure budget dollars for forward-looking DRPs if they want to achieve sustainable plans that will continue to be mutually beneficial for many years to come. Failing to focus on future planning is like putting a Band-Aid on the plan and walking away – it simply will not work. The plans our country put into place after disasters like 9/11 and Hurricane Katrina produced solid results in improved surge capacity, better communication and enhanced public health capabilities – but there is still room for improvement.

Easier said than done? Sure. Healthcare organizations face countless challenges tied to sustainability, reform, ICD-10 conversion, EHR adoption, Meaningful Use requirements, HCAHPS scores … the list goes on, and we’re left to address each of these challenges simultaneously, all while annual budgets continue to shrink. And despite its importance, CIOs rarely rank disaster preparedness as a top goal and objective for the organization, which makes the fight even harder to win.

A new kind of plan

Today’s DRP is not the 300-page document in a three-ring binder that sits on a CIO’s bookshelf. It doesn’t have a start or end date, and there isn’t a step-by-step guide for every type of disaster. Today’s plan is a living document that continually changes – it is tried and adjusted using various replication strategies, some established and some emerging. It is flexible, forward thinking and directs a plan of action for ensuring the readiness of health systems when a disaster occurs, regardless of the specifics.

The first step toward developing a DRP is to conduct a business impact analysis (BIA) – a HIPAA requirement that assesses the overall health of the organization. The BIA identifies systems, locations, applications and data that are critical for the healthcare organization to function.

Next, healthcare organizations must determine the recovery time objective (RTO) and recovery point objective (RPO) for the IT environment. The RTO represents the amount of time an organization can be without service before incurring substantial revenue or data loss – not to mention limitations in patient care – while the RPO is the maximum window of data loss the organization can tolerate, measured as the time between the last recoverable copy of the data and the disaster.

Decision makers then consider the RTO and RPO, as well as the BIA, to prioritize mission-critical IT assets and to determine the acceptable amount of time before necessary applications are up and running. While patient care remains an essential function for most healthcare organizations, IT assets for other departments must also be considered. For example, an application may be critical to the sales department and not for the accounting department, but it still deserves to be included in the disaster recovery conversation. A successful DRP must be thorough and involve the entire organization, not just the IT department.

Once those elements are considered, the IT department or trusted security partner can implement the necessary back-up and encryption technology for the organization to remain functional in the event of a disaster.
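As an added illustration (not from the article or from CDW), the following Python script encodes the BIA, RTO/RPO and prioritization steps above: it takes a constructed inventory of systems, compares the backup interval and last measured restore time against each system’s RPO and RTO, and lists the gaps in recovery-priority order. The asset names, criticality flags and all time values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Optional, Tuple

@dataclass
class Asset:
    """One system from the BIA inventory (all values constructed for this example)."""
    name: str
    critical: bool                          # BIA: needed for the organization to function
    rto: timedelta                          # longest tolerable outage
    rpo: timedelta                          # oldest tolerable copy, i.e. maximum loss window
    backup_interval: timedelta              # how often a recoverable copy is actually taken
    measured_restore: Optional[timedelta]   # restore time in the last drill; None = never tested

def findings(a: Asset) -> List[str]:
    """Compare the protection actually in place with the RTO/RPO the business set."""
    out = []
    if a.backup_interval > a.rpo:
        # A copy taken every N hours can lose up to N hours of data: the RPO is not met.
        out.append(f"RPO gap: copies every {a.backup_interval} exceed RPO of {a.rpo}")
    if a.measured_restore is None:
        # A DRP is only validated by use, so a restore that was never exercised is a gap.
        out.append("RTO unknown: restore never exercised in a drill")
    elif a.measured_restore > a.rto:
        out.append(f"RTO gap: last restore took {a.measured_restore}, RTO is {a.rto}")
    return out

def prioritize(assets: List[Asset]) -> List[Asset]:
    """Order recovery work: BIA-critical systems first, then by the shortest RTO."""
    return sorted(assets, key=lambda a: (not a.critical, a.rto))

def gap_report(assets: List[Asset]) -> List[Tuple[str, List[str]]]:
    """(name, findings) for every asset, in recovery-priority order."""
    return [(a.name, findings(a)) for a in prioritize(assets)]

H = timedelta(hours=1)
M = timedelta(minutes=1)
INVENTORY = [  # constructed sample inventory, not real data
    Asset("email",   False, 48 * H, 24 * H, 24 * H, 6 * H),
    Asset("billing", False, 24 * H, 4 * H,  24 * H, 20 * H),
    Asset("pacs",    True,  8 * H,  1 * H,  1 * H,  None),
    Asset("ehr",     True,  4 * H,  15 * M, 1 * H,  3 * H),
]

if __name__ == "__main__":
    for name, issues in gap_report(INVENTORY):
        print(name, "OK" if not issues else "; ".join(issues))
```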

We can’t do it alone

Following 9/11, the federal government put millions of dollars toward better disaster preparedness for hospitals. The Department of Health and Human Services (HHS), for example, distributed $498 million in 2003, and the CDC followed in 2004 with $970 million. Yet the last decade has seen a decrease in federal funding. From 2008 to 2013, Congress made cuts to grants that contributed to our ability to prevent, protect from, respond to and recover from terrorist attacks, major disasters and emergencies. When funding dropped from $3 billion down to $1.3 billion, many healthcare organizations had to invest their own limited funding toward disaster preparedness.

Reduced investment in our nation’s disaster preparedness could have substantial consequences when a disaster inevitably occurs. In a world where the only way to test the effectiveness of a DRP is through utilization, where do healthcare organizations turn for support? What can we do to continue the focus on planning?

Currently there is no standardization on funding programs at the national or state level. The allocation of funds can alter from county to county or city to city, and there hasn’t been a great deal of collaboration between the public and the private sectors. Yet we can accomplish so much more by working together. By coming together in support of this critical issue, both sectors can drive delivery of services, reduce cost, increase awareness and create accountability for both parties. We haven’t seen many entities follow this path, but those that have were very successful. Iowa, in particular, has seen remarkable success through its “Safeguard Iowa” program. The program includes 106 private sector partners, 90 public sector partners and 44 for-profit partners. It also includes private sector partnerships with financial supporters like Wells Fargo and ING. Each partner carries a level of accountability in strengthening Iowa’s capacity to respond to disasters.

While there is no quick fix for disaster planning and preparedness in the United States, we need an ongoing effort that we modify in real time. Funding will continue to present challenges as support and investment decreases, but just as there is no one-size-fits-all solution for disaster planning, there isn’t one for financial support either. The threat of disasters continues to change and evolve, and we as a nation must make some changes too if we hope to overcome the ongoing threats that we will inevitably face.

CDW tips: Less than 130 days until Windows Server 2003 end of support

Microsoft will end extended support for Windows Server 2003, as the entire IT world has heard by now. The operating system (OS) is already missing out on some key security patches, and the need for businesses to solidify their migration plans is becoming more urgent. Here are five things to keep in mind as the end of support date nears.

1. Ignoring the end-of-support date creates security risk: Once Microsoft stops producing updates (including security patches) for this OS, it, and the applications and systems that run on it, become extremely vulnerable to zero-day and other malicious attacks. Further, businesses will not meet compliance policies, putting critical data at risk. Overall, it can be dangerous and costly to continue using Windows Server 2003.

2. You need a plan: Unfortunately, upgrading from Windows Server 2003 and migrating applications can be complex and introduce risk – including implementation failures and unexpected downtime. A four-step Windows Server 2003 migration approach helps to streamline the process:
• Discovery – review existing server workloads and applications running on Windows Server 2003.
• Assessment – utilize the Microsoft Assessment and Planning (MAP) Toolkit to determine application compatibility with new servers.
• Rationalization – connect with key stakeholders to gather additional information on specific applications.
• Migration planning – develop a roadmap for the identified server workloads and applications.

3. Consider the cloud: The average Windows Server 2003 migration takes 200 days. So if you get to the assessment phase and find systems or applications that aren’t compatible with a newer OS, it might be time to dump that application and move to a software-as-a-service (SaaS) offering. A cloud-based application eliminates the Windows Server 2003 security problem and reduces long-term server management needs. This is a win-win.

4. When in doubt, containerize: If a full migration and SaaS are out, consider containerizing the application(s). Although it may cost a little more, technologies like AppZero can wrap an old, Server 2003-dependent application in a portable container that runs on a newer OS. The application isn’t modernized, but it’s not running on a vulnerable OS base.

5. If you can’t remove it, set up guard duty: Stuck with Windows Server 2003 past July 14, 2015? Guard it diligently. Isolate the systems behind another firewall, keep an up-to-date anti-malware system and use lock-down standards to harden the system. Finally, assign a senior administrator to monitor and manage the servers until they can be removed.

For more information on Windows Server 2003 end of support and what steps your business can take to prepare, visit www.cdw.com/WindowsServer2003EOS.
