
Disaster in the Making

December 10, 2009
by aguerra

Every time I think HITECH legislation is bad, a closer look reveals it’s worse.

As I write this column, we’re only days away from tallying your votes for the “HCI Innovator Awards.” Though your work is just now concluding, our editorial staff finished up a few weeks ago, after we reviewed the 60+ nominations to arrive at our top 15.

And while those 60 entries covered every type of hospital IT project, a majority of this year’s entries were striking for their post-EMR implementation focus. So though the nation is transfixed on getting electronic records into hospitals and physician offices, industry-leading organizations — innovators — are figuring out how to plumb their deep functionality, and keep these mission-critical systems up and running.

Keeping them up and running is something I learned about first-hand while covering IT on Wall Street from 2000 to 2004. And, of course, we all know what life-changing event took place during those years right in the heart of the financial services industry. Post 9/11 Wall Street was, naturally, obsessed with disaster recovery technologies and strategies. Every firm trading stocks, it seemed, soon boasted a new executive in charge of ensuring business continuity.

Wall Street had automated decades before disaster recovery became something the industry couldn’t ignore. Automation, in and of itself, takes copious capital dollars, with disaster recovery often seen as “something important we’ll get to, but can’t afford right now.” How many people are walking around without insurance, just because, “It won’t happen to me”?

CIOs have accepted that the massive application loads being dropped onto their infrastructures require major refitting, or complete reconstruction. But fortifying the foundation is just the first step. Hospitals need to take it to the next level, with sophisticated plans for backing up their data centers. Hospitals need to plan for the possible collapse of their infrastructure due to a natural disaster, act of terrorism or cyber attack. They need plans for how to move patients from hospital A to hospital B without losing power to life-sustaining biomedical equipment, or the EHR.

Over the last few years, we’ve written extensively about disaster recovery, but this is a different time. Before HITECH, when going electronic was voluntary, organizations could move at their own pace, figuring a certain level of disaster recovery spending into their plans. But no one is talking about such things today, despite all the pressure to go electronic.

Just like every other aspect of healthcare IT, the big players have it well in hand. But in the post-HITECH world, the majority of players are far from big. They’re the 50-250 bed community hospitals, the one-to-five doctor practices. These organizations are doing absolutely all they can to comply with HITECH’s meaningful use requirements and qualify for the incentive payments, with no time or funds left over to spend on business continuity.

Unfortunately, this is just one more side-effect of government intervention’s unintended consequences. The more interviews I do, the more it seems policymakers are operating on a combat model of acceptable losses, on the premise that to bake a cake, you have to break a few eggs.

Of course, any systemic change is painful, but I can’t stop thinking that shoddy HITECH legislation will make this conversion exponentially more so. There are going to be more “losses” than anyone anticipates, and more than a few broken eggs.

We should have gotten something better than HITECH from our legislators. We could have had the move to e-health take place along a slower and more sensible path. Instead, we’re entering a three-to-five year land rush, a mad frenzy of activity. Let’s just hope it’s not a complete disaster.



Anthony's got it right...
In terms of funding ARRA ignores the 'back room' issues.
You are on your own for those. And as history has shown, in the race to meet regulatory/payment requirements the 'back room' will go ignored until some catastrophe happens.

I think disaster recovery for health care will be a great business to be in in a few years.

I would like to speak to Marc's reply. I do see many advantages to cloud-based computing. One company I work with has a cloud-based managed service offering that includes a primary data center in MD and a disaster recovery center in TX. It does not matter how small or large the customer company is, they all benefit from the very expensive cloud infrastructure and an expert knowledge base of IT professionals hired to maintain it.

Two of the biggest obstacles for getting buy-in to using the cloud model are security and privacy. PKI (private key infrastructure) can be used for addressing these and PKI has been around for years. My shameless plug is to use smartcards to enable three-factor authentication and digital certificates for cryptography. That is what the DOD does and soon the entire Federal Gov. will be doing this also (HSPD-12).

Full disclosure: One of my company's software products manages smartcards.

You make a number of good points. Internally, I have something akin to contempt for people who work in HCIT who describe data loss when their hard drives crash. Not if they crash, it's when, and every competent professional knows it will happen. Same for hard drives as computers, power, connectivity, etc. Managing it always means doubling hardware costs and increasing complexity.

But I have trouble with blaming the ARRA/HITECH legislation for this problem. Are you saying that the legislation should go further in terms of mandating redundancy, disaster recovery, and general hardening? What am I missing?

Let me chime in on one point here and that is backups, downtime and disaster recovery. For the mid-size and smaller, the only sane solution is some form of hosting, and almost certainly a cloud-based model.

I know that among the knee-jerk reactions to the cloud are security and internet connection uptime. From a purely technical standpoint, both of these have largely been resolved. From a perception standpoint and from a policies and procedures standpoint not so much.

The notion of EHR in a box is great, but what happens when someone spills coffee on the box? So now it's EHR in two boxes. Well, what happens when the boxes aren't appropriately patched and updated? So now it's EHR in two boxes plus an IT admin on retainer. Pretty soon, it just makes more sense to configure one secure connection to the web in order to run (near-)zero footprint apps. Even for the rural country doctor who may have to install a satellite dish because local phone lines and cell towers are inadequate.

I admit that 6 months ago, I wasn't a fan of the cloud, but the more that I have learned and the more that I have seen, the more that I feel the best way to meet ARRA/HITECH goals is to securely, fully and intelligently leverage all of the benefits of the cloud, with prudent mitigation measures for its weaknesses.

I think a lot of folks are concerned, but let us please remember that we are talking about incentives for now, rather than mandates. There's still time to plan and do it right, and incorporate business continuity into your plans without sacrificing on incentives.

Thanks for your thoughtful comments. Let me just go down the line and address your points:

David: I totally agree.
Marc: I totally agree.
Keith: because everybody naturally wants the money, some interpret this as something they MUST do, when, as you say, the reality is far different.
Joe: I am not saying that DR or BCP should have been mandated. What I am saying is that the ancillary work that must go into creating a stable and user-friendly e-health environment is something the policy makers have not considered, because when you factor those costs and requirements in, the timelines become even more ridiculous than they already are.

I agree with you that there are many aspects of the HITECH legislation that could have been improved. But watching the health insurance reform legislation currently being mangled beyond all recognition by competing lobbying interests, I am reminded that our imperfect political system rarely delivers legislation that any gathering of experts in a field would have thought up or approved of. Instead, they are unwieldy compromises between competing interests topped by old-fashioned pork. The old saying is that following the legislative process is like watching sausage being made, but often it's worse. It's like watching a train wreck in slow motion.

The HITECH Act was bold and disruptive. There was just no easy way to disrupt the status quo and it took some help from the U.S. government. Although I would argue now that most of the disruption will come from innovation (i.e. now that the tech giants have seized upon the industry as the catalyst for the next wave of growth).

Agree that the Act does not provide sufficient incentives to cover the back office and also agree that for small providers the cloud is the only economically rational decision. We will see how many actually opt for that architectural approach? The decision is not a trivial one because functionality is also critical and it remains to be seen how many big players bring SaaS solutions to market and in what state?

The HITECH Act provides HIPAA with teeth and therefore I would make the argument that DR is mandated since providers that adopt EHRs must comply with the HIPAA Security Rule, which clearly has DR provisions.


Anthony Guerra is Editor-in-Chief of Healthcare Informatics. His blog contains story lineups for...