AnyWare Group's Disaster Preparedness article featured in Houston Medical Journal
Readying for the unexpected: In emergencies, healthcare facilities must be able to get the data to people who need it
by Gerry Verner and Brace Rennels
The following article appeared in Houston Medical Journal in August 2008, Volume 6, Issue 5.
With earthquakes, floods, wild fires and other weather-related disasters continuing to dominate world headlines, it's no wonder the United Nations is putting the safety spotlight on hospitals.
Earlier this year in Davos, Switzerland, the International Strategy for Disaster Reduction (UN/ISDR) and the World Health Organization (WHO) launched their global 2008/2009 World Disaster Reduction Campaign on Hospitals Safe from Disasters. The goal is to raise awareness about the importance of protecting health facilities so they can function during and after a disaster. While much of the effort will focus on reinforcing the buildings themselves - particularly in developing countries - one of the key objectives is to better prepare and train health workers on preparedness plans that will keep health systems operational when disasters strike.
"Health facilities are only truly safe from disasters when they are accessible and functioning at maximum capacity immediately after a hazard strikes," the campaign proclaims.
On this side of the pond, natural disasters, terrorist attacks and public health crises such as influenza and SARS have administrators at North American healthcare facilities carefully examining their emergency preparedness and disaster recovery plans. That's because they have much to fear. If systems go down, how will they comply with government regulations? If hospital data is unavailable, how will they move payments between healthcare providers and insurance companies? But more importantly: if disaster strikes, how will they access patient records and confer with colleagues so they can make informed decisions and treat patients quickly?
While a solid disaster recovery plan has many components - from assessing vulnerabilities to reviewing and testing the plan and training employees on how to respond in emergency situations - let's examine two important aspects: the data and the people who need it.
The Data
Regardless of industry, no IT infrastructure is immune from system crashes, power failures, human error and natural disasters that can stop the flow of data at their facilities. Healthcare is no exception. If disaster does strike, the IT department will be on the hook to dust off the disaster recovery plan and restore the valuable data that had been created since the last backup.
Traditional backup systems, commonplace in many hospitals and healthcare organizations, do not offer the level of data protection that is critical to professional productivity and practice continuity. Tape-based disaster recovery can only restore data to the point of the last backup which, at best, is usually the night before. Consequently, any data created since the last backup will be lost. While healthcare organizations can deploy expensive hardware redundancy measures, they're often not cost-effective for smaller business-critical servers or for file and print servers that actually hold the bulk of day-to-day operational data.
To combat this, healthcare organizations are increasingly turning to a more complete data protection solution consisting of tape backup, whole server recovery, failover and continuous data replication. Continuous data protection sends a copy of the data to the target server as it is being changed. Data is sent in real time, without the hassles or time gaps inherent in traditional backup systems. Features such as built-in bandwidth control allow data to be replicated to a remote site far from harm's way while using minimal bandwidth. That same bandwidth control reduces the throughput utilization costs that some hardware-based replication systems incur.
With continuous data protection, patient data is always available. Mission-critical applications are protected and compliant. The entire system stays running at all times, thereby improving business operations and employee productivity. Further, healthcare organizations benefit from sound protection and a better disaster recovery plan for a fraction of the cost of hardware replication or clustering technologies.
The People
Now that information is safe, it's time to focus on the people who need it. The first priority of any business continuity plan is to ensure employee and patient safety. Once that has been achieved, the systems need to be accessible to resume critical operations.
While a pandemic or labour unrest won't damage power lines or computer networks, it can cripple a hospital's human resource capabilities by barring essential personnel from a specific area for days or weeks. If that happens, it's imperative that healthcare workers and administrators have access to mission-critical applications so they can quickly respond to the emergency, continue to treat patients, respond to suppliers, and ensure the business runs as smoothly as possible.
Traditionally, IT departments rely on obtaining access to a user's PC in order to install a virtual private network (VPN) client as well as specialized software clients that may be required for highly complex healthcare applications. Secure access is often augmented with a two-factor authentication solution such as an RSA token. Adding hundreds or thousands of users in this scenario can be overwhelming and require days.
But if disaster or pandemic strikes, hospitals don't have that kind of time. If a hospital wants to move from 100 remote users to 1,000, they don't have the lead time to order new hardware or software licenses. They must be able to do this immediately.
One of the simplest and most efficient ways for hospitals to ensure that mission-critical applications are securely available anytime, anywhere is to deploy a completely clientless and managed service approach. The key ingredients include a Secure Sockets Layer (SSL) tunnel, a well-developed identity management engine, and a role-based portal or virtual desktop for the end user. Managed solutions are particularly good at scaling without the need for hardware or software and may provide the numerous interfaces to legacy, client/server, AS400, 3270 or web-based applications typically employed in large enterprises. IT administrators can choose to add users and assign a specific application or group of applications on an instantaneous basis. Still others may have the roles they wish to assign preconfigured so that thousands of new users may be added in a single keystroke. This type of remote access solution doesn't touch the hardware or the data. Rather, users can be added within minutes through a simple Internet connection.
After a user has entered their credentials and has been successfully authenticated, they can tap into a single, secure and integrated portal for accessing the various applications (from legacy to web-based systems), file shares and information that they are authorized to access based on their role. Physicians can securely access confidential and sensitive information - including email, patient records, test results and x-rays - from wherever they are to allow quick diagnoses and reduce time-to-treatment delays.
Further, IT administrators can actively manage who is accessing the network and how they are using the information. It's all "touchless" so it does not require the installation of client software on the user's computer like traditional VPN solutions. The platform can be integrated into the hospital's pre-existing communications infrastructure and can be delivered as a service, eliminating the need for the hospital's IT administrators to set up and maintain a specialized portal for mobile users and freeing them up to focus on more pressing network issues related to the disaster.
That's especially valuable during a disaster, when people need to be authenticated quickly and people who never needed access to the network before are called upon to help deal with the situation. In a health crisis, secure remote access reduces their exposure to illness and business can continue as usual. Administrators can quickly locate and organize employees so they can consult, collaborate and better handle increased patient loads.
Good healthcare isn't just about building beautiful hospitals. By protecting critical data and then making it available to those who need it, hospitals can stay strong and continue to provide the best care possible - even in trying times.
-30-
Gerry Verner is CEO of Saint John, N.B.-based AnyWare Group, a market and technology leader in the design and development of Platform-as-a-Service (PaaS) solutions. Brace Rennels is a Certified Business Continuity Professional at Southborough, MA-based Double-Take Software, a leading provider of continuous data protection and recovery software. For details, visit www.anywaregroup.com and www.doubletake.com.