Disaster Recovery and Patient Care: It’s Complicated—and Essential


If healthcare organizations weren’t already paying attention to disaster recovery, they certainly took notice after Superstorm Sandy challenged several New York hospitals last October. With this example still top of mind, it’s time to update or develop your plan—not only to protect your information according to HIPAA guidelines, but also to ensure that you can continue to deliver patient care even after disaster strikes.


FAST FACT: Recovery time is key in the wake of a disaster—40% of companies that fail to recover their vital data within three days of an interruption eventually close their doors.

DID YOU KNOW? The actual cost of an EHR system failure is almost $488 per hour per physician, an AC Group report found.


Indeed, four New York hospitals remained partially closed a month after Sandy. The struggle to get healthcare services back in place continued into 2013, with some organizations unable to predict when they would again be fully operational. 

The bad news is that many facilities—hospitals among them—that sustain significant data loss never fully recover. The most common reasons include:

  • Crippling fines for failing to follow consumer data-protection laws
  • Inability to collect outstanding receivables because associated data cannot be recovered
  • Loss of hardware and onsite data backups 

Your Disaster Recovery Plan: Must-Haves

To prevent such a scenario from happening to your organization, you need to refine your disaster recovery and business continuity plans to cover every conceivable contingency and every data source. Begin by looking at all the places where your data resides and where you’ll need to store backups.

Your plan should include preserving both your physical and electronic data. Your organization’s recovery time and recovery point goals will inform both the type of storage you use and the number of data tiers you create within your network.

Consider these critical steps to retain and protect records according to HIPAA requirements.

Step #1: Update your disaster recovery plan. In the wake of Superstorm Sandy, many organizations realized that their disaster recovery plans didn’t take such extreme storms into account. Instead, healthcare providers and organizations thought in terms of more common data loss problems, such as employee error and data-center crashes. For a disaster recovery plan to actually protect your organization, it must be constructed to include even a rare event like Sandy.

Step #2: Identify vital records and information and remove/protect them from disaster risks. One hospital’s backup generators were in its basement, but floodwaters rendered them useless. As a result, the facility couldn’t provide adequate patient care or retrieve critical data.

Step #3: Prioritize critical data for protection. Don’t assume you need access to all data immediately. Prioritize the data that’s critical to getting your organization back up and running while providing competent patient care.

Step #4: Prevent information gaps with regular backups. Particularly in a hospital or healthcare system, a data backup system is only as effective as its most recent entry. After all, information that’s a day or even an hour old can literally mean the difference between life and death. When you schedule routine and regular backups, you’ll avoid creating potentially lethal gaps of information.

Step #5: Move backup tapes and paper records offsite, away from the disasters that could strike your region. Natural disasters, from hurricanes and tornadoes to wildfires and floods, commonly affect wide areas. Make sure you’re storing backup data somewhere far removed from its primary point of use.

Step #6: Periodically review and test your disaster recovery plan, and update it as needed. Don’t assume that a disaster plan will remain 100 percent effective just because it started out that way. For example, tapes sometimes go bad and reader formats change, and either variable could damage your data as severely as a category 3 hurricane. You can avoid such internal calamities by regularly monitoring and testing both your disaster recovery plan and your systems.

As you create or update your disaster recovery plan, consider working with a trusted partner to help you implement these and other best practices. Look for a partner with safe, secure facilities, health information management expertise, regulatory knowledge and proven data protection services that can get you back up and running quickly after a disaster.

Iron Mountain Recommends:

Five Questions to Ask Your Offsite Storage Partner

  • Is your storage facility safe from floods, earthquakes and other disasters?
  • Will we be able to readily access our offsite records?
  • What are the key features of your indexing and tracking system?
  • What security measures does your facility take to safeguard its customers' records?
  • Are you regularly testing your own disaster recovery plan to make sure it works smoothly and reliably?

Do you have more questions about your current Health Information and Management strategy? Read additional Knowledge Center stories on this subject, or contact Iron Mountain’s consulting services team. You’ll be connected with a knowledgeable product and services specialist who can address your information management challenges.  
