Get your practice ready for natural disasters

January 10, 2013

Has the devastation of Hurricane Sandy led you to think about how your practice could handle a natural disaster? Here are some tips for protecting your practice and you.

Q: Seeing the devastation caused by Hurricane Sandy has got me thinking what we would do if our small (three-provider) family practice were hit by a disaster of that magnitude. What steps should we take to protect the information stored in our electronic health record system and our hardware (desktops, laptops, routers, etc.)? 

A: This is a great question, and one that every business needs to consider. Your first step should be to undertake what is known as a business impact analysis to find out where your practice is most vulnerable. This analysis would include not just your electronic and computer equipment but anything that would affect the operation of your practice. Think what would happen if:

  • the building that houses your practice is destroyed;

  • your practice’s paper records, electronic files, computer equipment, supplies, and Internet access are lost;

  • key employees are not available for days or several weeks;

  • a disaster strikes during operating hours requiring evacuation or protection for your staff and your patients.

The next step is to put the impact analysis into a written plan and distribute copies to all your employees so they know what to do if a disaster does occur. This document is called a business continuity plan.

Just as with routine fire alarm tests and evacuation drills, a business continuity plan needs a budget and testing so you know that the plan will work. The plan should rank what’s absolutely needed and what you can live without for a specific amount of time (typically immediate, 24 hours, 2 to 3 days, and more than a week) and include:

  • contact information for all employees and a call tree,

  • information about temporary off-site locations,

  • computer system recovery information,

  • detailed telephony recovery/redirection procedures,

  • contact information for current patients and area hospitals, and

  • regulatory compliance information, such as relevant language from the Health Insurance Portability and Accountability Act and the Payment Card Industry Data Security Standards.

Have off-site backup that is readily accessible from a temporary location available for all your systems. Keep in mind that Internet access may be a problem for an entire metropolitan area if power outages are widespread, as happened during Hurricane Sandy. Remember, even if you have power, your Internet service provider may not.

Have redundant power supplies on more critical equipment such as firewalls/routers, switches, and file servers. Use duplicate network cards in key systems, and keep spare parts for older or difficult-to-replace components.

Finally, evaluate your practice’s insurance policies to see whether you have coverage for business interruption. Such coverage will be crucial for mitigating the financial consequences of a disaster and getting your practice back up and running quickly.

The author is principal consultant and chief executive officer of Sorensen Informatics in Lombard, Illinois. Please send your technology-related questions to medec@advanstar.com.