It’s a nightmare for any IT executive in a healthcare organization, and Rich Temple saw it unfold.
Just six weeks into his new role as CIO at Deborah Heart and Lung Center in Browns Mills, N.J., Temple needed to revert to a backup copy of patient data because of system problems. Three different backup tapes were loaded, and they were all unreadable.
“All of a sudden, I’m saying, ‘Dear God, I’ve been here only six weeks and look what’s happening.’ And finally, the fourth backup tape works, and we come back up,” he recalled.
That disaster recovery scenario haunts IT executives, especially those at smaller healthcare organizations that don’t have large IT staffs with experience in the many details and variations involved in ensuring patient data is preserved in case of emergency. It’s particularly true for providers using Meditech systems, which have a unique architecture that employs a flat file database approach across multiple modules.
The intricacies of Meditech backups, and their importance to mitigate risks such as ransomware, system failures and more, was the subject of a webinar entitled, “Reimagining Backup Strategies for Meditech Environments.” In general, the strain of manual backup efforts required in a Meditech environment can be mitigated by new approaches, such as backup-as-a-service, enabling IT staffs to synchronize on-premises backups with similarly stored recovery information in a cloud.
Events that hamper access to data are common worries for healthcare IT executives, said Priscilla Sandberg, global alliance executive for Pure Storage, citing a recent industry survey which found that 79 percent of respondents had a ransomware attack in the last 24 months. “Ransomware is the new fear; the new disaster,” she said. “What’s really important is that you have a clean copy of your data that’s backed up to an offsite location.”
Backups of data are typically part of a master disaster recovery plan that healthcare organizations have in place; it’s common for them to be dusted off regularly and tested. Problem is, most unanticipated service interruptions don’t closely adhere to a script, and that’s when data access issues emerge.
“There’s a healthy dose of paranoia about this,” Temple said. “We think we’ve got everything right. We do all the (disaster recovery) drills, we test working with our partners. But in the event of an actual emergency, what if everything we tested, every drill that we’ve done, doesn’t work the way we wanted it to? You don’t know until it actually happens. The whole notion of becoming the victim of a cyberattack keeps me up at night — we have to be successful 100 percent of the time, but the bad guys only have to be successful once to cause havoc.”
Recovering Meditech is a challenge for most organizations because of the distributed nature of the database. The vendor has developed backup applications that work with its solutions, but using it is tricky because of the coordination that has to be orchestrated by a provider’s technical staff.
Organizations also need to ensure backups are safe in locations separate from their own data centers, and are accessible quickly if disasters occur, said Brian Davis, CIO of Magnolia Regional Health Center, a 200-bed healthcare system based in Corinth, Miss. The facility does two full backups a day, one stored onsite and then duplicated to offsite storage operated by its disaster-recovery-as-a-service provider.
Its recovery time objective (RTO) and recovery point objective (RPO) — which help determine the maximum tolerable hours for data recovery — are currently more than Davis would like. The organization is considering new approaches, including services from Pure Storage, to ensure faster recovery from data events, he noted.
The decentralized structure of Meditech’s system makes it difficult to back up, and a catastrophic event makes it difficult to recover without noticeable user impacts, Temple said. Often, this involves going off of electronic systems and back to paper records if recovery takes a while; it’s a double hit for clinicians, who can’t access patient records, and then may face a lag in getting handwritten notes keyed into the electronic record.
“You have to ask, what are the ramifications of losing a day or more of data; how much data would be acceptable for you to risk losing?” Sandberg said. Cloud-based backup capabilities can help ensure “that people don’t eat up resources” during a disaster.
More organizations are looking to the cloud to support data backup and disaster recover, Davis said, but healthcare IT executives still face challenges in balancing expectations from senior executives and board members against limited resources, such as smaller IT staffs and budgets.
“Our leadership really gets it,” Davis added. “As they hear more about hospitals being hit with ransomware attacks and the substantial costs in recovery, not only financial but also reputational, they see it as a strategic imperative. However, there also are financial realities, and we want to be able to do the best we can with the resources that we have.”
To view the archive of this webinar — Reimagining Backup Strategies for Meditech Environments (Sponsored by Pure Storage) — please click here.