If a hospital staged a disaster drill for a hurricane, chances are the exercise would focus on the actions of caregivers.
But would the drill also include a medical center's IT technicians?
It should, said Jim Grogan, vice president of consulting and software product marketing for SunGard Availability Services, in Wayne, PA. SunGard provides IT disaster recovery assistance and managed IT services to 10,000 customers in North America and Europe.
If IT systems go down in a hospital as part of a real disaster, the effects will be felt on the clinical front line, Grogan said. With systems down, nurses may need to send designated "runners" with diagnostic tests to the laboratory and be prepared to wait four hours for results instead of just 15 minutes electronically.
Workers may have to re-enter reimbursement information from patient charts into a rebooted billing system. In the worst IT crashes, the emergency department might have to close temporarily.
Actively including IT representatives in drills will ease interdepartmental confusion and force all sides to appreciate what others view as the consequences of disasters, Grogan said. Simply put, nurses look at mission critical systems as lab testing equipment and ventilators. IT techs view disks and servers as mission critical needs.
When both sides participate in disaster exercises and learn how IT will recover the hospital's systems, those perspectives become more open, Grogan said.
SunGard, which has clients within healthcare and other industries, offers the following three strategies for IT recovery drills:
- Test your plans frequently. Drills make participants feel more comfortable with response plans. SunGard recommends conducting disaster recovery exercises at least twice a year, which for hospitals reflect Joint Commission emergency management requirements.
- Push the envelope with unexpected scenarios. "It's not just the regularity of testing, but the variety of testing," Grogan said. Do nurses understand how the pharmacy operates if there's an IT failure, for example? Likewise, do IT techs realize how their systems' down time affects computer-aided diagnoses? The Joint Commission expects at least one drill each year to simulate an escalating series of events in which the local community can't support the hospital. Such approaches also work for IT recovery exercises, Grogan said.
- Encourage communication between clinical and IT departments. Nurses need to explain what the most critical IT factors are for them during a disaster response. For example, if a hospital uses an electronic medical records system, nurses need to outline at what point printouts of the records may be necessary (e.g., patient evacuations).
Conducting risk assessments is a good start to uncovering IT-related and other vulnerabilities in advance of a real disaster, said Timothy Rearick, FACHE, manager at the Tallahassee, FL, location of North Highland, a management and technology consulting firm. He recently spoke to HealthLeaders' sister publication, Briefings on HIPAA.
Rearick said you can reduce risks by taking the following steps:
- Identify threats. Consider the risks to your organization using the categories of natural threats (e.g., tornadoes, hurricanes, and floods), human threats (e.g., staff shortages), and environmental threats (e.g., power failures).
- Recognize vulnerabilities. Take our initial hurricane scenario and imagine your hospital in the midst of it. What if your emergency generator is in the basement and you're close to sea level? The likelihood that you will lose electric power—and potentially IT systems—because of a hurricane and flooding is your vulnerability.
- Determine the effect. If a flood causes you to lose power, what other problems will it lead to? How will this affect your organization?
- Develop a list of remediation activities. Figure out possible steps to offset the various threats and vulnerabilities you've identified.
Once you've completed these steps, establish your priorities, Rearick said. Use an orderly, logical approach to determine which of your identified threats and vulnerabilities are most significant with respect to cost and risk, and then act on them.
"With the proliferation of the Web and Web-based applications, you're opening up your systems," he said. "There is risk now in the way we exchange information."
Don't always conduct IT recovery exercises with worst-case scenarios, Grogan said. More mundane, but more likely, events often aren't reflected in recovery plans, which is a mistake, he added. Take a look at what IT incidents have caused disruptions in the past and use them as the basis for drill scenarios.