As the nation breathes a collective sigh of relief this week that hurricane Gustav was not the “mother of all storms,” it still was a significant disruption to Louisiana and the New Orleans area. It is also the latest reminder to Information Technology management on the necessity for continual assessment of disaster recovery (DR) planning and execution.
I would venture to guess that healthcare information technology’s disaster recovery plans are more robust for data than they are for imaging. The April 2005 HIPAA regulations for safeguarding electronic protected healthcare information (ePHI) have as much implication for imaging services as they do for other patient information, but potentially add another level of complexity to IT plans for compliance.
I’d like to spend a few minutes exploring a few aspects that relate to the inclusion of imaging in IT disaster recovery plans.
Multitude of Data Sources
Has IT identified how many imaging sources exist within the enterprise that may need to be addressed in a disaster recovery plan? The likelihood is that if the facility does not have a PACS, imaging data may be stored at the modality. These MOD’s, CD’s or DVD’s are most likely not considered when looking at DR requirements, but they represent electronic patient data, and should be considered. I have recent experience with two sites that do not yet have a PACS, but are archiving CT, MRI, and Ultrasound on DVD’s – one goes in the patient chart and one is used as a backup. Unfortunately, the backup is merely that, and it is not managed from a true DR perspective, as it is stored on site. But at least the sites have considered the need for redundancy of data.
Similarly, I have been in a number of cardiac labs that store data on MOD’s or DVD’s, and have them neatly (or otherwise!) stored on a shelf in the control room. In these cases, there is no backup or DR plan. I am sure there are many other examples including Echocardiography and GI videotapes, sleep lab data, etc. that represent un-cataloged imaging information that under HIPAA should be addressed as part of a DR plan.
DR Test Plan
I have asked a number of sites during imaging evaluations if they have a disaster recovery plan. Usually, they will say they have a policy and are creating redundant data. When asked if they routinely test the plan, there are a lot of “deer in the headlights” stares. I frequently ask these same people if they have a digital camera and any digital images on their home PC, and if they have ever made a backup copy on a CD or DVD. Usually, people will say yes to creating a copy, but few can respond positively if they have actually tested the media to assure that the images were properly written to it.
This is a significant problem – especially for areas outside of IT’s direct control. It’s a daunting challenge to consider how all of these individual areas would be coordinated to address a true DR plan, as well as the testing of backup to assure recovery. Another significant factor is the resource required to do the testing. Chances are IT has resources assigned to DR policies and plans. But the likelihood is these are insufficient to conduct a thorough test of backups. And, clearly, should a disaster strike; are resources sufficient to result in a timely recovery?
The Cost
How does one put a price tag on compliance and what is the risk of non-compliance? I suppose it depends on geography and circumstances. Certainly healthcare IT in Florida and Louisiana are much more sensitive to the issue than healthcare IT in the Midwest. But perhaps while the risk is greater, the result of a tornado ripping through a hospital is the same whether it is Iowa or Florida. One has to use common sense in terms of determining the means of transport and location for data to be “out of harm’s way.”
The other cost factor that will need to be considered is that imaging data is considerably denser than other patient data, so the cost of managing DR for imaging will naturally be more expensive than for textual data. This is often overlooked in planning for imaging services, but perhaps in areas of high probability, it needs to begin to be taken into account. Services that may be economical for other data may need to be reconsidered for imaging, and alternatives found.
So, I ask, does imaging raise the bar for DR? Most certainly it does! IT management should reassess its DR plans to take into account the impending impact of imaging. New and creative solutions will need to be identified if Information Technology is to be prepared to effectively and economically address imaging in DR plans. Gustav may be just another wakeup call.
