Even a Superstorm can’t propel disaster planning to the top of the list.
When it comes to disaster preparedness, most CIOs take a proactive rather than a reactive approach. Yet still, an event like Hurricane Sandy can expose weaknesses in even the best laid plans, and prompt leaders to reevaluate their strategies.
According to the November healthsystemCIO.com Snap Survey, 58 percent of CIOs said they believe their organization is sufficiently prepared to keep its doors open during a catastrophic event, and 54 percent characterize their disaster preparedness and disaster recovery strategies as “comprehensive.” However, in a testament to the high-standards to which CIOs hold their organizations, many respondents noted that there is always room for improvement. “We take the learnings from each situation and improve our process over time,” said one CIO. Another noted, “we are always looking at our strategy to 1) identify vulnerabilities, and 2) plan for them.”
Many respondents also viewed the recent hurricane as an opportunity to make disaster preparedness a higher priority. According to the survey, nearly 30 percent of CIOs are revisiting their strategies in the wake of Sandy and believe it is crucial to strike while the iron is hot. “CIOs should take advantage of these opportunities to get D/R strategies more adequately funded,” said one respondent.
However, for many organizations, the reality is that disaster planning is just one of many areas that require a great deal of time and attention, both of which are at a premium. A number of respondents identified “competing priorities” as a barrier to improving disaster preparedness, and even those who carve out time to plan for catastrophes question whether they are, in fact, prepared for the worst case scenario.
As one respondent asked, “How do you know you are prepared though until it actually happens?”
(SnapSurveys are answered by the healthsystemCIO.com CIO Advisory Panel. To see a full-size version of all charts, click here. To go directly to a full-size version of any individual chart, click on that chart)
1. Do you believe your organization is sufficiently prepared to keep its doors open and provide quality care during a natural disaster?
- We can always do better, and we have more work to do to fully prepare for a quick and solid response.
- We had a test of it when the tornado hit Tuscaloosa in April of 2011.
- We’ve been working it for a number of years, with significant investments.
- While we fared reasonably well, I do believe there is always room for improvement. We did not need to evacuate, but we did lose power for a period of time. We take the learnings from each situation and improve our process over time.
- Our biggest risk is tornadoes. We would limp along, but I have not witnessed a full-fledged test. Our systems are fully redundant so we would stand a good chance to be able to use them in an all-out disaster.
- We are on a two-year journey to be at the appropriate level for a MAJOR disaster.
- Our primary and DR data centers are across the street from each other. We will be addressing this in the next 18 months. With that limitation, DR capability is robust.
I’m not sure
- “Sufficiently” is a key word. I don’t think it’s necessarily sufficient, but we’d pull together and do what is needed to help the community. That’s what we are called to do.
- We were okay this time, but alternative scenarios could alter the outcome.
- From a planning standpoint, we look good. How do you know you are prepared though until it actually happens? First contact with the enemy, etc.
2. If not, are you reevaluating your strategy in the wake of Hurricane Sandy?
- We are doing a post-event review even though we came through well. There is always some way to improve.
- The Joplin disaster got us attention and funding; Sandy just adds fuel to the fire. CIOs should take advantage of these opportunities to get D/R strategies more adequately funded.
- We found nuances where we could be more prepared. We have off-site locations that now house some mission critical functions that need revised continuity plans. We’re diligently capturing the lessons learned and making revisions to our disaster response plans.
- It was already underway. Perhaps the news stories heightened the visibility and questions, but it’s just an important thing to do.
- We just reevaluated after our tornado.
- It is not really come up; too many competing priorities.
- We were already in the process.
- We already have a strategy we are implementing — Sandy didn’t change that.
- Our most common form of disaster is blizzards. We have been tested on that multiple times and we are ready. Our emergency preparedness plan is tested often as a community.
- We’re always re-evaluating.
- We are always looking at our strategy to (1) identify vulnerabilities and (2) plan for them. Just last week, our city lost water pressure for almost 24 hours (due to a broken water main). This was actually more difficult than any weather-related issues we have had over the past few years.
- We are reevaluating, even though we feel prepared.
3. How would you characterize your organization’s disaster planning/recovery strategy?
Comprehensive (plans are in place for a number of different scenarios)
- Comprehensive for IT, somewhat thorough for the rest of the company.
Somewhat thorough (plans are in place for a few select scenarios)
- Due to competing priorities, we have not run full D/R tests, but we have done select tests and tabletop drills. We are actively updating our plans, infrastructure, and testing activities.
- We have lots of documented plans yet little ongoing testing to ensure proper execution. Heroic activity takes the place of crisp execution.
- I don’t think we’re far ahead or far behind most others in our sector. But it always seems to be secondary to the next new thing we need to tackle.
We don’t have a strategy
4. What is your biggest concern from an IT standpoint when it comes to potential natural disasters or other major unforeseen events?
Power outages/generator issues
Inability to access patient data
- Loss of connectivity to our system providers and to our workforce (who rely on remote access in difficult circumstances).
Damage to equipment
Having to relocate patients
- One hospital has a generator for lights, equipment and IS but not for HVAC, so it will heat up quickly, even in the dead of winter. We are working to remediate. Now the lights and computers would be on, but it would get to 110 degrees in the OR area.
- My biggest concern is a catastrophic loss of the data center without any harm/disruption at the hospitals. If it was a major natural disaster, we’d all be in the same boat doing all we can. If it’s isolated to the data center, that’s a world of hurt.
- Connectivity and communications.
- Internet connectivity. If pipes are broke, then it doesn’t matter if the data center is still spinning.
- All of the above — our most likely scenario is a major earthquake.
- Our core infrastructure is in good shape. I am not as comfortable that if we lost the support staff environment that they would have a good place to work.
- Staff availability and safety when they and their families are also impacted.
5. If your organization has owned or affiliated physician practices, have you met with them to devise a disaster planning/recovery strategy?
- Yes for closely aligned physicians, no for less affiliated physicians.
- We did it on the fly, but we have scheduled meetings to have that discussion.
- No, but we need to!
- This is on our agenda but we do not really have any plan in place. We have started sending a CCD to our regional HIE so that is a backup resource.
- Our physician partners are our primary group. We share our EHR environment, including all patient financial systems. We also have some key independent physician groups on our systems as well. We cover their DR scenarios.
Editor’s Note: Please note that in question #4, respondents were permitted to check more than one answer, which affected the overall numbers.