IT Optimizers®: Strategy, Resources, Results
  Home | Search | Site Map | Contact Us
ServicesClient Case StudiesExecutive TeamKnowledge CenterCorporate Partners
   Knowledge Center   
 
   HIT Outlook®   
 
   Publications   
 
   Insights   
 
   Inside IT Optimizers   
 
   Perspectives and White Papers   

Disaster Planning: Preparing for the Unthinkable

Joseph M. DeLuca, MA, FACHE

Disaster planning is far from a new concept for health care organizations. Most have some sort of plan in place for responding to situations such as fire, power outages, earthquakes and industrial accidents. But the events of September 11, 2001 have heightened awareness and called for increased scrutiny of existing disaster plans to account for the unthinkable. Organizations are revisiting their ability to maintain operations following acts of nature or human-created disasters such as bombs, plane crashes, hostage situations or bioterrorism.

Our healthcare system is in the midst of disaster response as we speak - anthrax, smallpox and other threats have us on edge, wondering if/when/how we might be affected. A plan to respond to such threats is more than physical in nature, and must address the psychological implications of such an event. For example, a bombing that occurred in Omagh, Ireland resulted in many casualties, and to make matters worse, the medical staff of the hospital in close proximity to the bomb site were personally acquainted with many of the victims. Was the hospital prepared to offer psychological assistance to those staff members who provided care to their friends who fell victim to the bombing? Is yours?

Conducting a Threat Assessment

A quick Internet search of published disaster plans showed that most plans share a common purpose. For example, some of the goals of an IT Disaster Plan included:

  1. To serve a supportive role in the development and evolution of the organizational disaster plan, as well as the disaster training and continuing education of health care organization staff.
  2. To maintain existing services, systems and data as completely as possible.
  3. To offer support for the expanded/emergency clinical needs of the organization.
  4. To serve as a communications conduit among victims, family and community.

These objectives must be considered and met in the context of four general disaster planning scenarios. A traditional disaster includes events such as floods, earthquakes, or attacks that result in mass casualty and call for high-volume triage planning. Technology-related disasters involve local or regional telecommunications disruptions, computer viruses, or data center problems that result in widespread system down time. Another planning scenario involves the organization as a target, such as an infiltration to attempt a sabotage of response capabilities or the receipt of contaminated letters or packages. The final scenario is when the organization is the disaster, which includes quarantine situations, onsite explosions or fires.

THREAT ASSESSMENT BASICS

Systems & Technology Review

Security
  • Is your basic IT infrastructure positioned to handle emergency requirements?
  • Have points of IT failure and vulnerability been identified?
  • Have you mapped out technology responses to disaster scenarios?
  • Do you hold drills to practice response capabilities and procedures?
  • Data/Systems: passwords, audit trails, random use audits, written procedures
  • Staff: do you perform background checks for staff members in sensitive positions?
  • Physical Plant: Who has access to your facility? Have you secured sensitive areas?

Learn From Others

Consider Advanced Technologies
  • If it happened somewhere else, it can happen here too
  • Study disasters and responses and incorporate what you learn into your plan
  • Understand and incorporate local, regional and state-wide disaster plans
  • Biometric identification
  • Alternative telecommunications infrastructure (wireless, digital cellular)
  • Distributed computing centers
  • Portable data centers & telecom networks

Technology Context

In addition to planning for clinical and business recovery capabilities is the question of information technology systems, which we are becoming more and more dependent upon every day. It's important to differentiate between "critical" versus "convenient" systems and focus on those that are critical to your core business as opposed to those that are simply nice to have. Identifying and eliminating vulnerabilities in your systems can avert widespread chaos in the face of a disaster. For example, many health care organizations subscribe to ASPs or share systems, which requires that some diligence occur to ensure that their systems vendors have disaster plans in place.

Email systems are another high-risk area, as many damaging computer viruses and programs are spread in this manner. Keeping written email use policies up to date, enforcing those policies, and frequently updating viral software are all critical components of an IT disaster plan.

All health care organizations depend heavily upon their telephones and pagers for communication. Is a back-up system in place that can be easily activated following a telecommunications failure? Does your telecom carrier have a disaster plan? Will you be able to order supplies or call in additional staff in the wake or a disaster? Is your staff - onsite and off - prepared in the event that contact cannot be made with the facility?

Advanced technology such as telemedicine and remote monitoring capabilities may also plan an important role in the wake of a disaster. How can medical care be provided to communities who are cut off as a result of the disaster? Can medical experts and outside staff be called upon to provide services remotely if the hospital itself is quarantined or cut off from the community?

New & Emerging Threats

Concerns over deadly viruses, tainted water supplies, long-term power outages and bacteria-infected mail have us all evaluating our capability to function absent basic operational supports and utilities. While a disaster plan must be broad in scope and take into consideration a number of potential disaster scenarios, not every disaster can be averted or handled as planned. What health care organizations must do is lay the framework for maintaining continuity in medical services when the unthinkable happens.

 

Joe DeLuca is Managing Practice Director of IT Optimizers, a business unit of Health Care Investment Visions LLC.

 

^ top of page

 

© 1998 IT Optimizers