Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Hurricane Irene Sparks Talk Of HIT Disaster Strategy

Health IT managers are looking at the damage done and reassessing their disaster planning strategies.

Healthcare IT Vendor Directory
Slideshow: Healthcare IT Vendor Directory
(click image for larger view and for slideshow)
Like other natural disasters before it, Hurricane Irene disrupted hospital services in the Northeast, causing hospital IT officials to once again mull their disaster preparedness strategies.

Several recent reports in the aftermath of Irene show how damaging hurricanes can be to hospital systems. At Johnson Memorial Medical Center in Stafford Springs, Conn., 43 patients were relocated to other medical facilities when the hospital lost power and utility workers were prevented from fixing the problem because of the approaching storm.

At Staten Island University Hospital in New York City, reports surfaced that the hospital's IT department shut down its computer network, all applications, and phone systems. The hospital suffered minor damage. However, their information systems returned to full operations and, shortly after that, the facility was open for business due, in part, to what CIO Kathy Kania described as a business continuity plan that works.

Reports like these have led Pam Matthews, senior director of regional affairs at the Healthcare Information and Management Systems Society (HIMSS) to contemplate what happens to data when patients are transferred to other medical facilities.

"In Irene several hospitals were relocating patients to other hospitals. Where are these patients' digitized medical records going? How is the clinical information going to be exchanged when you're transferring patients from one hospital to another? Hurricane Irene reinforces the fact that patient care doesn't stop."

Mathews also said Hurricanes like Irene present CIOs with an opportunity to assess where they are in their disaster recovery plan.

"When we do have these natural disasters it either confirms the strategy, the plan, the dollars spent, and the resources that have already been invested by the healthcare organization's disaster recovery strategy, or it provides the opportunity for the CIO to recognize the weaknesses in their existing disaster recovery plan and improve on it," Matthews told InformationWeek Healthcare.

Over at UMass Memorial Health Care, which is the largest healthcare system in central and western Massachusetts, Rick Mohnk, associate CIO responsible for operations and member hospitals, said the hospital at its Marlborough location suffered a power outage for a few hours, and five physician practices associated with the hospital also lost power. However, by the end of the business day on the Wednesday after Irene struck, power at these five facilities was restored.

Mohnk described the hospital's disaster planning efforts as a work in progress that has been built over time and will still require change as the hospital organizes its data strategy around risk management and mitigation that meet demand and expense targets.

"Power and water are still powerful forces out there that you have to deal with," Mohnk told InformationWeek Healthcare. "Our strategy is to have a fully redundant, high availability geo-located data center structure, and Hurricane Irene taught us that we've done the right things because our member hospital in Marlborough lost power, but we had generator power and the appropriate backup and recovery planning, and our data centers continued to stay up and running."

According to Mohnk, UMass Memorial Health Care has three data centers: one at its main campus in Worcester, one in Marlborough, which is 20 miles away, and another in Pittsburgh, Pa. But Mohnk noted that as the hospital considers costs, as well as new ways to improve its clinical data management, it is migrating data from its Pittsburgh data center and will move its electronic health record and other clinical data to a Siemens cloud-based system in Malvern, Pa.

With regard to preparations for Hurricane Irene, Mohnk said the hospital had several command centers with technical teams that were dispatched when power outages occurred and he noted that the IT department made plans before the storm arrived.

"On the Thursday before Irene we literally sat down and reviewed our downtime processes. We went through a series of questions including: Where are we strong? Where are we weak? What are our risks? What are we going to do to mitigate if something does happen? ... We literally had command centers through the weekend to make sure we kept everything going," Mohnk said.

According to HIMSS' Matthews, disasters such as Irene highlight the need for disaster recovery plans, especially for smaller hospitals and medical groups that have limited resources and potentially greater vulnerability to losing patient data. She also noted that hospitals need to prioritize their data and have a contingency plan in place to deal with business continuity and redundancy planning.

"Healthcare organizations need to determine where they would like to be in terms of the robustness of their disaster recovery plan. From a business perspective how much data can they afford to lose? Where are they going to have their second or third data centers? And, what is the organization willing to spend in terms of maintaining their data?" Matthews said.

Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...