To quote ProPublica.org: “It is a hospital’s nightmare: The power goes out and the backup generators don’t kick in, leaving critically ill patients without the mechanical help they need to breathe.”
Hurricane Katrina and the patients who died in dark New Orleans hospitals should have taught us what happens when electricity and water cut out. The stories from the healthcare professionals who carried on under those conditions were horrifying. Why are we seeing a repeat of this problem with Hurricane Sandy when Mayor Mike Bloomberg was reassured that the hospitals were ready with emergency generators and backup fuel supplies? On Halloween night 2012, we are watching hundreds of patients being evacuated from Bellevue Hospital in New York City with long lines of ambulances and buses. Bellevue is the same hospital that lost all power during the massive New York City blackout in 1977.
The solution goes beyond simply testing generators several times a year; it requires examining the real risks and planning for continuity. HIPAA requires the development and testing of both a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) for Covered Entities like hospitals. HIPAA contingency plans address the “availability” security principle. The availability principle addresses threats related to business disruption, so that authorized individuals have access to vital systems and information when required. Threats that need to be identified include pumps located in basements that feed fuel to rooftop generators, as we saw in New York this week. Assessment of threats to availability is the cornerstone of success in contingency plans when faced with natural disasters like Hurricane Sandy.
Contingency planning, or Business Continuity Planning (BCP), is about a coordinated strategy that involves plans, procedures and technical measures to enable the recovery of systems, operations, and data after a disruption. Together, Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) form the overall process of developing an approved set of arrangements and procedures to ensure your business can respond to a disaster and resume its critical business functions within a required time frame objective. The primary objective is to reduce the level of risk and cost to you and the impact on your staff, patients and suppliers. One risk that was clearly overlooked this week was blocked roads that prevented re-fueling, firefighting or basic transportation in some areas of the city.
A Business Impact Analysis (BIA) is performed at the beginning of disaster recovery and continuity planning to specifically identify the areas that would suffer the greatest financial or operational loss in the event of a disaster or disruption. A key objective is to identify all critical systems that are required for the continuity of the business. A further objective is to determine the time it would take to recover such systems in the event of a loss. Critical systems have typically been viewed as IT systems, but the principle should be extended to the bedside due to the sophistication of life support systems today.
The HIPAA disaster recovery plan is a required implementation specification defined within the HIPAA Contingency Plan standard in the Administrative Safeguards section of the HIPAA Security Rule. The objective of a disaster recovery plan (DRP) is to establish (and implement as needed) procedures to restore any loss of data. A disaster recovery plan is the part of an overall contingency plan that contains a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure. Whether key personnel trapped in their homes, with no power or behind blocked streets, can respond for recovery may be a key risk to identify and mitigate.
Quite often, Business Continuity Plans or Disaster Recovery Plans simply go untested or only partially tested because of the cost and resources that testing requires from an annual operating budget. When these plans are tested, the testing scenarios are often very mild compared to the catastrophic conditions experienced in recent hurricanes or older power outages. The ability to cope with multiple days of backup generator operations, including the heat and the need to refuel, was clearly a factor in recent failures under truly catastrophic conditions. Let these patient evacuations, with their long lines of ambulances, call us to re-examine the commitment to develop and thoroughly test these HIPAA contingency plans.
How does your healthcare organization look on this critical issue?