Disaster in the Making

December 10, 2009

Every time I think HITECH legislation is bad, a closer look reveals it’s worse.

As I write this column, we’re only days away from tallying your votes for the “HCI Innovator Awards.” Though your work is just now concluding, our editorial staff finished up a few weeks ago, after we reviewed the 60+ nominations to arrive at our top 15.

And while those 60 entries covered every type of hospital IT project, a majority of this year’s entries were striking for their post-EMR implementation focus. So though the nation is transfixed on getting electronic records into hospitals and physician offices, industry-leading organizations — innovators — are figuring out how to plumb their deep functionality, and keep these mission-critical systems up and running.

Keeping them up and running is something I learned about first-hand while covering IT on Wall Street from 2000 to 2004. And, of course, we all know what life-changing event took place during those years right in the heart of the financial services industry. Post-9/11 Wall Street was, naturally, obsessed with disaster recovery technologies and strategies. Every firm trading stocks, it seemed, soon boasted a new executive in charge of ensuring business continuity.

Wall Street had automated decades before disaster recovery became something the industry couldn’t ignore. Automation, in and of itself, takes copious capital dollars, with disaster recovery often seen as “something important we’ll get to, but can’t afford right now.” How many people are walking around without insurance, just because, “It won’t happen to me”?

CIOs have accepted that the massive application loads being dropped onto their infrastructures require major refitting, or complete reconstruction. But fortifying the foundation is just the first step. Hospitals need to take it to the next level, with sophisticated plans for backing up their data centers. Hospitals need to plan for the possible collapse of their infrastructure due to a natural disaster, act of terrorism or cyber attack. They need plans for how to move patients from hospital A to hospital B without losing power to life-sustaining biomedical equipment, or the EHR.

Over the last few years, we’ve written extensively about disaster recovery, but this is a different time. Before HITECH, when going electronic was voluntary, organizations could move at their own pace, figuring a certain level of disaster recovery spending into their plans. But no one is talking about such things today, despite all the pressure to go electronic.


Comments

The HITECH Act was bold and disruptive. There was just no easy way to disrupt the status quo and it took some help from the U.S. government. Although I would argue now that most of the disruption will come from innovation (i.e. now that the tech giants have seized upon the industry as the catalyst for the next wave of growth).

Agree that the Act does not provide sufficient incentives to cover the back office and also agree that for small providers the cloud is the only economically rational decision. We will see how many actually opt for that architectural approach? The decision is not a trivial one because functionality is also critical and it remains to be seen how many big players bring SaaS solutions to market and in what state?

The HITECH Act provides HIPAA with teeth and therefore I would make the argument that DR is mandated since providers that adopt EHRs must comply with the HIPAA Security Rule, which clearly has DR provisions.

Anthony,
I agree with you that there are many aspects of the HITECH legislation that could have been improved. But watching the health insurance reform legislation currently being mangled beyond all recognition by competing lobbying interests, I am reminded that our imperfect political system rarely delivers legislation that any gathering of experts in a field would have thought up or approved of. Instead, they are unwieldy compromises between competing interests topped by old-fashioned pork. The old saying is that following the legislative process is like watching sausage being made, but often it's worse. It's like watching a train wreck in slow motion.

Thanks for your thoughtful comments. Let me just go down the line and address your points:

David: I totally agree.
Marc: I totally agree.
Keith: because everybody naturally wants the money, some interpret this as something they MUST do, when, as you say, the reality is far different.
Joe: I am not saying that DR or BCP should have been mandated. What I am saying is that the ancillary work that must go into creating a stable and user-friendly e-health environment is something the policy makers have not considered, because when you factor those costs and requirements in, the timelines become even more ridiculous than they already are.

I think a lot of folks are concerned, but let us please remember that we are talking about incentives for now, rather than mandates. There's still time to plan and do it right, and incorporate business continuity into your plans without sacrificing on incentives.

Let me chime in on one point here and that is backups, downtime and disaster recovery. For the mid-size and smaller, the only sane solution is some form of hosting, and almost certainly a cloud-based model.

I know that among the knee-jerk reactions to the cloud are security and internet connection uptime. From a purely technical standpoint, both of these have largely been resolved. From a perception standpoint and from a policies and procedures standpoint not so much.

The notion of EHR in a box is great, but what happens when someone spills coffee on the box? So now it's EHR in two boxes. Well, what happens when the boxes aren't appropriately patched and updated? So now it's EHR in two boxes plus an IT admin on retainer. Pretty soon, it just makes more sense to configure one secure connection to the web in order to run (near-)zero footprint apps. Even for the rural country doctor who may have to install a satellite dish because local phone lines and cell towers are inadequate.

I admit that 6 months ago, I wasn't a fan of the cloud, but the more that I have learned and the more that I have seen, the more that I feel the best way to meet ARRA/HITECH goals is to securely, fully and intelligently leverage all of the benefits of the cloud, with prudent mitigation measures for its weaknesses.

Anthony,
You make a number of good points. Internally, I have something akin to contempt for people who work in HCIT who describe data loss when their hard drives crash. Not if they crash, it's when and every competent professional knows it will happen. Same for hard drives as computers, power, connectivity, etc. Managing it always means doubling hardware costs and increasing complexity.

But I have trouble with blaming the ARRA/HITECH legislation for this problem. Are you saying that the legislation should go further in terms of mandating redundancy, disaster recovery, and general hardening? What am I missing?

I would like to speak to Marc's reply. I do see many advantages to cloud-based computing. One company I work with has a cloud-based managed service offering that includes a primary data center in MD and a disaster recovery center in TX. It does not matter how small or large the customer company is, they all benefit from the very expensive cloud infrastructure and an expert knowledge base of IT professionals hired to maintain it.

Two of the biggest obstacles for getting buy-in to using the cloud model are security and privacy. PKI (private key infrastructure) can be used for addressing these and PKI has been around for years. My shameless plug is to use smartcards to enable three-factor authentication and digital certificates for cryptography. That is what the DOD does and soon the entire Federal Gov. will be doing this also (HSPD-12).

Full disclosure: One of my company's software products manages smartcards.

Anthony's got it right...
In terms of funding ARRA ignores the 'back room' issues.
You are on your own for those. And as history has shown, in the race to meet regulatory/payment requirements the 'back room' will go ignored until some catastrophe happens.

I think disaster recovery for health care will be a great business to be in in a few years.