Protect computerized data with off-site backups: steps to safeguard residents' records before an unplanned event threatens them.Who can forget the devastation and suffering that Hurricane Katrina  Editing of this page by unregistered or newly registered users is currently disabled due to vandalism. inflicted on nursing homes? Some 30,000 nursing home residents were
evacuated or displaced to other care settings and, tragically, 140
nursing home residents died. For fragile residents, evacuation to safety
posed another risk--lack of information. "Records were lost and
most of the time, evacuees Resident or transient persons who have been ordered or authorized to move by competent authorities, and whose movement and accommodation are planned, organized and controlled by such authorities. could not remember nor did they know what
medicines they were on or how much," observed one medical
volunteer.
The electronic patient record movement is gaining more momentum because of Katrina. Kindred Healthcare Kindred Healthcare Incorporated (NYSE: KND) is a Fortune 500 healthcare services company located in Louisville, Kentucky. Kindred Healthcare was founded in 1985 as Vencor, Inc. , which uses an electronic record system, lost no records and gained considerable positive press as a result. While electronic records can be safer and more secure, implementing an electronic record system requires planning and action on the part of an organization's administration well before a disaster strikes. With an electronic record system, all resident records are stored in a single, compact, centralized cen·tral·ize v. cen·tral·ized, cen·tral·iz·ing, cen·tral·iz·es v.tr. 1. To draw into or toward a center; consolidate. 2. database, which allows fast and easy access to all records from virtually any location in the organization--the benefits of which are well known. But by concentrating all records in a single location, risk of loss is increased: If that centralized database is damaged, all the records can be lost, and a Katrina-like disaster is not necessary--it could be as simple as a defective hard drive, a leaky leak·y adj. leak·i·er, leak·i·est Permitting leaks or leakage: a leaky roof; a leaky defense system. Adj. 1. pipe, or a careless computer technician. Imagine the impact on a long-term care facility long-term care facility n. See skilled nursing facility. of losing all its resident's records. Even without computerized care documentation, how many facilities could survive losing all of their computerized financial information, including accounts receivable accounts receivable n. the amounts of money due or owed to a business or professional by customers or clients. Generally, accounts receivable refers to the total amount due and is considered in calculating the value of a business or the business' problems in paying , unbilled claims, personnel records, and payroll processing capabilities? Off-Site Backups--The Final Line of Defense Katrina's first lesson for healthcare information technology managers is to geographically diversify one's data. Kindred's records were safe not because they were electronic, but because they were in Louisville, Kentucky  “Louisville” redirects here. For other uses, see Louisville (disambiguation). , which was a by-product by·prod·uct or by-prod·uct n. 1. Something produced in the making of something else. 2. A secondary result; a side effect. by-product Noun 1. of the records being electronic (if the Kindred KINDRED. Relations by blood. 2. Nature has divided the kindred of every one into three principal classes. 1. His children, and their descendants. 2. His father, mother, and other ascendants. 3. corporate data center had happened to be in New Orleans New Orleans (ôr`lēənz –lənz, ôrlēnz`), city (2006 pop. 187,525), coextensive with Orleans parish, SE La., between the Mississippi River and Lake Pontchartrain, 107 mi (172 km) by water from the river mouth; founded instead of Louisville, the story may have been very different). Unfortunately, the many Gulf Coast hospitals, long-term care facilities, and physician offices that kept their computer backups in the same room--or even the same city--as their main servers found these backups provided them with no added protection. [ILLUSTRATION OMITTED] Off-site backups of computerized data are an organization's ultimate "fail-safe" protection against catastrophic data loss, but to fulfill that role, off-site backups need to be managed correctly. An effective off-site backup procedure incorporates four characteristics: distance, frequency, security, and accessibility. Distance. The point of off-site backups is to prevent all copies of an organization's data from being destroyed in a single catastrophic event. Thus, the more distance between the various copies (that is, the "live" system and each backup copy A disk, tape or other machine readable copy of a data or program file. Making backup copies is a discipline most computer users learn the hard way-- after months of work is lost. See backup and LAN free backup. ), the lower the risk. Apply this principle to all backups--store daily backups down the hallway from the server room, or in the building next door. Better yet, divide them between two locations. Then, significantly separate the fail-safe off-site backups from the main server location. Five miles should be the minimum. But more important than distance is selecting a location that is not subject to the same risks as the main data center location. Before Katrina, the Tulane University History Founding/early history The University dates from 1834 as the Medical College of Louisiana.<ref name="facts" /> With the addition of a law department, it became The University of Louisiana Medical Center stored its off-site backups elsewhere in New Orleans but, after the hurricane hit, it was unable to access them when needed--the building was locked up and inaccessible. Frequency. If an organization's off-site backups were ever needed to restore its systems, the organization would lose all of the data entered into the systems between the time that the off-site backups were created and the time of the catastrophic event. Clearly, the more frequently backups are sent off-site, the lower the data loss risk. A common off-site backup rotation (operating system) backup rotation - Any system for re-using backup media, e.g. magnetic tape. One extreme would be to use the same media for every backup (e.g. copy disk A to disk B), the other extreme would be to use new media every time. cycle is a week, and this should be the minimum--losing a week of data would hurt most organizations, but would not be devastating dev·as·tate tr.v. dev·as·tat·ed, dev·as·tat·ing, dev·as·tates 1. To lay waste; destroy. 2. To overwhelm; confound; stun: was devastated by the rude remark. . Security. All healthcare providers are required to provide proper security for all copies of individually identifiable health information regardless of the media used to hold it or the location in which it is stored. This includes backup copies of computerized data that contain individually identifiable health information. Thus, backup data must be transported securely--ideally, in locked cases and by a bonded courier. Verify the physical security of the backup storage A storage device used to hold copies of data for backup and recovery. In the IT world, tape drives and tape libraries have been the traditional backup storage medium; however, magneto-optic (MO) and other optical discs as well as regular magnetic disks are also used. See LAN free backup. location. Could an unauthorized person gain access to stored backups and leave the building with them? What systems and procedures are in place to prevent this? If a commercial records storage company (or any location not owned or controlled by the organization storing the backups) is used to store off-site backups, it is prudent to execute a HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) Also known as the "Kennedy-Kassebaum Act," this U.S. law protects employees' health insurance coverage when they change or lose their jobs (Title I) and provides standards for patient health, business associate agreement with the entity responsible for the storage location. To further improve security of backup data, use software that encrypts and password-protects backups. A simple but often overlooked practice to improve the security of backup data is maintaining up-to-date logs of where all backup copies are located. Such a log will provide a quick alert to missing or misplaced mis·place tr.v. mis·placed, mis·plac·ing, mis·plac·es 1. a. To put into a wrong place: misplace punctuation in a sentence. b. backup copies. Accessibility. While it is important that off-site backups be secured against unauthorized access, backups need to be available quickly when validly needed. When selecting an off-site storage location, explore all aspects of accessibility: What is the procedure for requesting and obtaining the off-site backups? How rapidly can backups be retrieved when requested? Does access vary by time of day? What if the off-site backups are needed at 3:00 a.m. on a Sunday? Accessibility considerations must include the ability to make use of off-site backups once they are obtained. If the computer equipment in the data center was inaccessible, damaged, or destroyed, is a computer available elsewhere in the organization that could be used as a temporary server to host the data from the off-site backups? Does this computer have the necessary equipment and software to read the off-site backups? A best practice is to store the necessary device (e.g., tape drive) and software with the off-site backups. Online Backups It is difficult to find a balance between security and distance and between accessibility and exchange frequency, which also minimizes the organization's risk, all at a reasonable cost. Online backup services are an increasing popular alternative that minimizes these conflicts. With an online backup service, backups are sent over the Internet to a secure, remote data center. If a system needs to be restored, the backup is downloaded via the Internet from the remote data center. Since there are no tapes or disks to be physically transported off-site, backups can be sent off-site every day (some services even offer continuous synchronization (1) See synchronous and synchronous transmission. (2) Ensuring that two sets of data are always the same. See data synchronization. (3) Keeping time-of-day clocks in two devices set to the same time. See NTP. with their customers' servers). The cost of such a service is competitive with commercial record storage firms' storage charges and even comparable with the cost of internal staff time to prepare and transport traditional off-site backups. Before signing up with an online backup service, due diligence Research; analysis; your homework. This term has caught on in all industries, because it sounds so "wired." Who would want to do analysis or research when they can do due diligence. See wired. is required since the online service will have custody of the organization's most critical data. In addition to checking with current customers and the other usual investigative questions, ask the following: * Where is the company located? * Is the backup data encrypted while being transmitted across the Internet? Is it encrypted while stored at the backup service? * What physical, logical, and administrative security practices are used by the backup service to protect customer data? * Will the firm execute a HIPAA business associate agreement? * Is the firm's data center and data storage infrastructure sufficiently robust? * In addition to the monthly fee, what additional charges might be incurred? For most long-term care facilities, the only significant drawback to online backups is the Internet bandwidth required to send backup data to the service. Some testing and calculating will be necessary to determine if a facility's current Internet service will be sufficient, or if the cost of additional bandwidth will need to be factored into the decision. Beyond--or Before--Backups Off-site backups are a necessary fail-safe measure to protect computerized data from the worst-case scenarios. But the use of backups should be avoided, if at all possible, by preventing information technology disasters. Since most information technology catastrophes are created by minor events (compared with Katrina), they can often be prevented. Thus, in addition to off-site backup storage, the following measures should also be in place to protect computerized data from more run-of-the-mill tragedies and disasters: * Protect all Internet connections and connections to unrelated organizations with firewalls. * Adhere to adhere to verb 1. follow, keep, maintain, respect, observe, be true, fulfil, obey, heed, keep to, abide by, be loyal, mind, be constant, be faithful 2. good security practices, as outlined in the HIPAA Security Regulations. * Maintain organized, up-to-date system documentation. * Use reliable server hardware with as much built-in redundancy as possible. * Protect servers, routers, switches, and telephone systems from power failures with uninterruptible power supplies See UPS. (hardware) Uninterruptible Power Supply - (UPS) A battery powered power supply unit that is guaranteed to provide power to a computer in the event of interruptions in the incoming mains electrical power. (UPS) and, if available, emergency generators. * Place servers and other critical computer equipment in locations with excellent air flow and cooling, and minimal chance of water damage from flooding, leaky pipes, etc. "Many of their records have been literally washed away," notes Carol Diamond, MD, MPH, of the Markle Foundation The Markle Foundation is an organization concerned with technology, health care, and national security. People associated
Bruce Eckert, MBA MBA abbr. Master of Business Administration Noun 1. MBA - a master's degree in business Master in Business, Master in Business Administration , CPHIMS CPHIMS Certified Professional in Healthcare Information and Management Systems , is Executive Consultant for Massachusetts-based healthcare management consultants Beacon Partners, Inc. For more information, phone (781) 982-8400 or visit www.beaconpartners.com. To send your comments to the author and editors, please send e-mail to eckert0506@nursinghomesmagazine.com. BY BRUCE ECKERT, MBA, CPHIMS |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion