This is part two of a two-part series on data security measures. For part one, please see the February 2011 issue of Long-Term Living (“Hail your new digital gatekeeper,” p. 36).
Imagine the panic that ripples through a nursing home during a large-scale flood. “Have residents been moved to safety?” “How bad is the structure damaged?” Those are vitally important questions to be sure, but not the only ones that should be addressed. Now imagine the sense of dread overcoming those in charge when realizing their communication network, electronic database, and all other essential systems have been rendered inoperable. Data loss of incalculable proportions has potentially been suffered, leading administration to wonder, “How will we recover?”
The consequences of having no clear or detailed plan in place to recover data in the face of disasters, computer thefts, or hard disk failures jeopardize a long-term care provider's sustainability. Without one to rely on, they are essentially playing with fire. Such is the message of Joyce Miller-Evans, CIO of Ohio Presbyterian Retirement Services (OPRS), a nonprofit faith-based provider with 11 retirement communities and other home- and community-based services throughout Ohio. Long-Term Living Editor Kevin Kolus spoke with Miller-Evans on what makes for good disaster recovery protocol and how OPRS went through the process of revamping its own plan.
What is the essential role of a disaster recovery plan?
Miller-Evans: Anything that we are doing with our residents we need to be able to replicate during an emergency, based on priorities and such. One is, of course, care and another is to be able to provide the system in the midst of a disaster. So the disaster recovery plan is really the plan that guides you to recover your systems. It addresses what you do during that downtime.
OPRS was operating with a three-page disaster recovery plan that you came to find was inadequate when you were hired in 2004. What were its shortfalls?
Miller-Evans: The three-page document was what I found when I arrived, and I think you'd find that commonly in smaller organizations because so much is considered understood by all who are responsible. I come from larger organizations with 200 IT staff and I know you need to be able to communicate with a concrete plan in every direction in the time of a disaster.
The three things this existing plan identified were the recovery location, call chain of who would need to be notified, and the applications that would need to be restored at the recovery site. And while that was good, it just wasn't complete. Having been in acute-care environments-one was University Hospitals in Cleveland-I understood that a full assessment of the needs of the users during a downtime had to be available.
Please explain the components that went into your redeveloped plan at OPRS.
Miller-Evans: First we must be able to do a damage assessment when a disaster occurs. The next piece is the strategy and the review process for declaring a disaster. You have to identify who is authorized because at any one point, you may not be able to contact either the CIO or whoever else is in an executive position within the organization. So we created a chain of who would be authorized to declare a disaster.
Next are activation procedures, and that really means “activating the team.” I have 12 people in IT including myself, and that probably sounds big for long-term care facilities that are single nursing homes, but OPRS is a health system. If you look at it, we have 11 CCRCs as well as full hospice and adult day care services. We're located around the whole state and we need to be able to activate appropriate personnel during a disaster. My team includes the technology director, the senior systems engineer, and/or consulting vendors that would be notified that we are using them as disaster resources. And I think that is more like what others in the long-term care environment would do. They're not going to go six engineers deep in their organization like hospitals would, so you would more than likely want vendor backup.
Then we would have to take a look at our procedures, what it is we need to purchase, what it is we need to take from whatever site to begin the recovery process. This process comes after we've done our damage assessment, when people need their systems returned. We have a table as to how we're going to activate and get things back online. For example, with e-mail and BlackBerry use so prevalent, and being able to communicate throughout a network so important, restoring e-mail quickly is one of the biggest needs we have on our list.
On a daily basis we have to attend to our backup, making sure we do data backups-complete backups-and that they're getting off site into fireproof storage. That's critical and is something we test every six months or so.
In redeveloping the plan, we talked with our clinical divisions both in the long-term care and skilled nursing environments asking what applications are absolutely critical to their operation-so clinical is priority one in our recovery plan. Priority two is other essential applications. And then priority three is delayed applications. When we look at priority one, those systems are what have to be back up within 72 hours. Priority two can go from two to five days. Priority three can be sustained for 10 days or longer without coming back up.