A solid disaster recovery plan can help support HIPAA compliance and keep your organization secure should a natural disaster strike. But backup storage can be expensive. To outsource or not to outsource is one key question.

As medical facilities and patients require more scans, the amount of digital medical data is multiplying exponentially, resulting in a dramatic increase in storage and administrative costs for providers. On top of this expansion, new federal regulations requiring protection of data from corruption, theft, and destruction compel medical facilities to invest in more sophisticated backup capabilities.

The first concern is the ability to protect data from a natural disaster, such as a hurricane or flood. A primary key to survival is to have data stored in different and far-reaching locations. “We have backup storage on-site as well as two sister hospitals (Houston and San Antonio), in two cities that are hundreds of miles apart,” said Chad Page, PACS administrator, Christus St Elizabeth Hospital, Beaumont, Tex, near the Gulf of Mexico coast. “This ensures that data is never lost due to natural disaster or any other reason.

“When properly planned, patient data is perfectly safe during a hurricane,” Page added. “The PACS/RIS servers can run right up until the last patient in the hospital is evacuated. Basically, if we took a direct hit from a category 5 hurricane and the hospital server room was completely destroyed, we would still have all of our patient information safe and sound in off-site archives. Our server room is also on power backup so we could even have access to PACS/RIS during the storm if need be, at least for a short time.”

Although Christus St Elizabeth Hospital has established its own backup system, other medical facilities outsource their data to outside vendors. For example, St Elizabeth Regional Medical Center in Lincoln, Neb, rated one of the nation’s Top 100 hospitals by Solucient (an information products company serving health care), relies on InSite One to protect its medical data. St Elizabeth’s radiology department performs more than 160,000 studies (in a full range of modalities) each year, so its storage requirements are prodigious. Once again, the main strategy is to keep data stored in faraway places, in this case, on opposite ends of the United States.

“Our PACS data is stored on-site on our SAN. Once the study is acquired, the images are simultaneously sent to a long-term archive with InSite One in two separate locations,” said Mike Hopkins, director of radiology and radiation therapy at St Elizabeth. “We aren’t likely to have a hurricane in Nebraska, but if we had another disaster that resulted in us losing our on-site storage, and we still had power and connectivity, we would request an archival restore from InSite One.”

In geographic areas, such as Texas, where hurricanes and floods are more likely, some extra preparation is necessary. “We don’t really have a true outsourced backup vendor,” said Page. “We buy all of our backup storage hardware (hard drives, racks, etc) from EMC, and the equipment is maintained by Christus employees. During Hurricane Rita, it was just a matter of verifying that all our image data, as well as the database data, was backed up. I went into the system and verified that all our images had been stored on our two mirror sites. I then had to verify that we had two good database backups.” The database is an important component of a backup system because it maintains the location of images in the archive. “Without a database, all your image data is almost useless,” Page emphasized. As Rita approached, “we shut down all computer servers just before the storm hit to make sure they were not damaged due to power surges.”

A Choice of Approaches

Nevertheless, backup storage is very expensive, primarily because one has to figure how much a facility needs and then triple that figure to account for on-site as well as two off-site storage facilities. So deciding whether to outsource your requirements depends on a number of factors. “A lot of companies outsource backup storage completely because they do not have the off-site real estate or manpower to maintain such a system,” said Page. “But the investment is never-ending. Hospitals are constantly upgrading and refining their software and hardware when it comes to personal patient information. Our off-site backup storage, for instance, needs to be added to every year. We also just added a new and improved audit server to our PACS cluster to improve our auditing capabilities. One of our main challenges is just keeping up with the new technology. Something new is coming out every day that can help secure patient data.”

In contrast, Hopkins points out, “The backup protection costs can be minimal if you don’t own the equipment. A company like InSite One will put a server in the institution to facilitate transfer of images usually at no cost to the facility. We then pay them a per-study fee for the initial storage of the file and then retrieve that file as many times as we need without any additional cost. A one-time cost for initial storage is preferable to a per-use fee. With InSite One, our department conserves capital dollars that can be used to purchase new equipment that will have a direct impact on patient care. The resulting savings are a direct result of the radiology department not incurring additional costs to upgrade hardware or manage images.”

In assessing costs, overall system performance is also a significant factor. “Reliability is first,” Hopkins said. “Connectivity, the ability to connect [to your archives] with a wide enough bandwidth for sufficient transmission speed, is also an important factor in considering a vendor. In addition, disaster recovery is necessary, but the likelihood of needing it is not inevitable, so the price must still be reasonable.”

The cost of training and maintenance of the system is also an issue. “We have a dedicated staff working here who do nothing but make sure we are following the law as it applies to private patient information,” Page reports. “There is also a need to keep myself and others educated on the newest ways to secure patient data.”

On the other hand, Hopkins and St Elizabeth’s can take more advantage of the expertise of InSite One. “Of course, the network administrator certainly needs to be very involved and aware of the application, and the PACS administrator must know how to monitor the system for hiccups or delays, and do some problem-solving … but general users (technologists, physicians, others) do not need to be trained on the system,” said Hopkins.

Dealing with HIPAA

Yet there is more to the story than just preserving medical data from a physical disaster. There is the law, and in this case the law is HIPAA (the Health Insurance Portability and Accountability Act of 1996). Its premise is to improve efficiency in health care delivery by standardizing electronic data exchange and to protect confidentiality and security through setting and enforcing standards.

Chad Page states the issue plainly. “We are required by law to do everything possible to secure patient data so that it is not stolen or corrupted in any way,” said Page. Here is how he describes how Christus St Elizabeth Hospital responds to these legal requirements:

“We protect patient privacy by password protecting all of our computer systems so that only authorized people may access their data. We have firewalls deployed so that people on the outside of our network cannot get into any system with patient information without the proper access. Each individual computer throughout the hospital is also password protected, and all of our computers are protected by anti-virus software. We audit all of our systems with patient data on them on a routine basis to make sure that nobody is abusing their privileges and also that nobody is in the system who should not be there. We are also constantly updating our software and applying security patches to plug any holes that the manufacturer or we may find. If a piece of hardware is being retired that has private patient data on it, the hard drive is wiped clean according to Department of Defense (DOD) standards. Network security is an ongoing and evolving process that you can never stop working on.”

Hopkins adds to the patient security issue, “Patients have a unique medical record number. Anyone wishing to view patient records must sign on to our information system and/or PACS utilizing a user name and password. Passwords are given only to employees and physicians who have a need to look at these records. Entry into the medical record can be monitored, and spot checks are made routinely to see if anyone is accessing a record they do not need to look in.”

With the decision to outsource medical data, other issues are relevant to effective backup and disaster recovery as well. “PACS facilities and archive vendors have to work well together, not point fingers,” said Hopkins. “The PACS facility must have a good working relationship with the archive provider because problems must be solved together in a cooperative manner. Also, it is important to have your prefetch protocols set up properly so you are not taxing the system with image files you do not need.”

In the end, Hopkins recognizes that customer support, reliable service, patient security, and data protection in the face of potential disaster deliver more than cost savings and legal compliance. With adequate preparation (especially storage at multiple locations) and the newest technology, these obstacles can easily be managed. “The overwhelming benefit is peace of mind.”


James Markland is a contributing writer for Axis Imaging News.

Baptism by Fire

When a natural disaster looms large, as it did recently at Pomerado Hospital in Poway, Calif, previous planning can make a big difference. It was quick thinking and clear priorities that proved critical to a successful evacuation of patients as well as the security of records and radiology equipment.

The wildfires that swept through California’s San Diego County in mid-October showed little mercy to the hundreds of thousands of residents of the area who were displaced or lost their homes. As fires ripped through acres of land, physicians and staffers could see the smoke coming over the hill behind Pomerado Hospital. On October 22, on the recommendation of police and fire officials, the hospital was evacuated.

“We’ve done drills before, on a regular basis, in fact,” said Kim Jackson, district director of health information. “But nothing compares with the real deal.” Jackson said staffers and doctors worked in tandem to coordinate the evacuation, keeping clear priorities in mind. The number one goal was the safe evacuation of approximately 80 patients; creating transfer packets of critical information to go with each patient was priority number two; only then could staffers attend to the evacuation of paper records and protection of valuable equipment.

What could have been complete chaos was instead a relatively controlled situation. The Pomerado team worked closely with emergency workers to make arrangements for care at other hospitals in the area and then transport each patient. “We worked together to coordinate buses and place provisions on board for patients,” said Bill Kail, service line administrator for cardiology and imaging. “For example, some patients needed oxygen and we made sure there was food for diabetic patients.”

Jackson organized a small team—four people—to prepare the patient information packets. Basic office equipment posed a key challenge: There weren’t enough copier machines to duplicate evacuating patients’ medical records as fast as the team would have preferred.

Even so, in a matter of 5 short hours, all patients were safely evacuated. But Pomerado Hospital staffers were left to contend with much more.

Evacuating Paper Records

According to Jackson, Pomerado Hospital maintains more than 1 million records in a master patient index of both current and previous patients from over the years. “We operate in a hybrid record environment,” said Jackson. “About 70% of the records are electronic, but the remainder are on paper.”

Fortunately, said Jackson, the electronic health records were backed up in off-site data centers. Because the Pomerado facility is part of a hospital system—Palomar Pomerado Health—it shares its electronic records and master patient index with multiple sister locations within the district.

But paper records—and parts of records that exist only on paper, such as handwritten notes by physicians—had to be secured. Jackson said it took her team approximately 4 hours to pack up and evacuate all paper patient records, a task she dubbed “a herculean effort.”

“We didn’t waste time sorting through records, we just took the entire files,” said Jackson. “The hospital district had trucks available and an additional labor pool who helped load the records and removed them to a secure location. The process went smoothly and we were able to account for every record,” said Jackson.

Securing PACS, RIS, and Radiology Equipment

Pomerado Hospital houses hundreds of PACS workstations throughout the facility. “Fortunately, there is redundancy in our PACS/RIS systems and they survived the fire,” said Kail. “As a multihospital system, things don’t reside in one site. Rather, PACS is backed up and nothing was lost.” At the time of the fire, information on the PACS and RIS systems was electronically available at the main hospital location.

Still the heat was on for Kail and his team. After patients were evacuated, they were left to contend with the radiology department. They shut down and secured equipment and supplies. The MR systems were left running to prevent problems with the magnets. The CT systems and the air conditioning also remained running. Fortunately, said Kail, the few radioactive sources from the nuclear medicine department were contained in fireproof vaults, which was ideal for the situation.

Luckily, the fires never hit Pomerado Hospital directly. But when staffers returned and the hospital reopened on October 25, there were clean-up concerns. “We vacuumed and dusted every piece of equipment,” said Kail. The hospital survived relatively unscathed, and none of the equipment was damaged. However, several physicians and staffers had dealt with days of uncertainty—many (including Kail) had to sleep in hotels and shelters and did not know during the emergency whether their own homes were safe. While Kail’s home survived, several hospital physicians and personnel were not as fortunate.

Hospital administration is currently reviewing the evacuation to see what worked and what could be improved. “More debriefing meetings are planned,” said Kail. “We’re looking at everything, and IT specifically, to be prepared for the future.”

A natural disaster can be a humbling experience. In the heat of the moment, Pomerado Hospital personnel kept their priorities straight: Patients first; then records and equipment. “We had to evacuate from our own homes, but we were still all in there serving our community,” said Kail. “It reminds you that we all breathe the same air.”

Marianne Matthews is editor for Axis Imaging News.