With healthcare disaster recovery systems, storage options evolve
As cyberattacks continue to hit health data networks with alarming frequency, providers are increasingly turning to hybrid cloud and other forms of healthcare disaster recovery.
If things go bad for its data network, Virtua Health System IT managers are confident they can rely on well-honed disaster recovery systems to deal with the problem.
Virtua started building its healthcare disaster recovery (DR) system in the early 2000s by securing support from the c-suite for a storage architecture that could quickly get the provider back in business in case of network failure or cyberattack.
"Since then, we've transitioned from traditional backup to being focused on redundancy and high availability as we enter this almost paperless world," Tom Gordon, Virtua's CIO, said.
Healthcare disaster recovery not new, but evolving
DR in healthcare isn't new. HIPAA has, since its inception in 1996, required healthcare organizations to maintain healthcare disaster recovery plans for backup and recovery of health data, although there are no requirements for recovery time.
Now, however, there's exponentially more data to store and protect since the near universal digitization of health records wrought by the 2009 HITECH Act's EHR incentive program. The health IT world has also been seized by a profound sense of urgency about DR amid nonstop cyberattacks and ransomware attacks on health data in recent years by hackers, insider data thieves and foreign state actors.
Another new driver for healthcare disaster recovery is the new round of HIPAA audits now underway by the Department of Health and Human Services Office for Civil Rights.
As for Virtua, the southern New Jersey health system uses a three-data center setup for its DR and works with security consultants from CynergisTek Inc. to test it regularly. Virtua maintains production and backup locations on premises at two different hospitals within its own network, and an off-site recovery center colocated with other organizations' servers a safe 70 miles away from its main hospital, in Pennsylvania.
Hybrid cloud for healthcare disaster recovery systems
Unlike with the hybrid cloud disaster recovery systems -- which house production on premises and backup in the cloud -- that are fast becoming popular with healthcare provider organizations, Virtua still owns and maintains dozens of its own backup servers at the "colo" center. That colocation paradigm is still common in healthcare.
More than a decade ago, Gordon said, there was a trust factor for many providers considering cloud storage and disaster recovery. They were wary of multi-tenancy in a public cloud and the potential for security problems that could come with comingling their patients' protected health information with data from other organizations.
Now, Gordon said, his organization is envisioning someday replacing its DR infrastructure with a cloud system in which the cloud hosting company owns the hardware and essentially leases space in its cloud to the healthcare provider.
Since the HIPAA Omnibus Rule of 2013 extended HIPAA compliance requirements to cloud vendors, many cloud hosting companies and consultants have been selling into the healthcare industry. More healthcare organizations are becoming comfortable with cloud vendors' security assurances.
"I do feel that hybrid cloud and cloud is the wave of the future," Gordon said.
Hot sites, paper fading
Another healthcare disaster recovery format that is receding in popularity is subscription-based "hot sites," off-site physical locations to which providers can move IT operations after a disaster, Angela Devlen, a healthcare disaster recovery and business continuity consultant for Wakefield Brunswick, based in Tampa, Fla., said.
In the past, hospitals could move paper records to the hot site and try to keep serving patients while rebuilding the electronic information. Now, while paper still exists at many providers, members of a new generation of clinicians and health IT professionals generally are not familiar with printed records as a primary resource, Devlen noted.
"Ten years ago, we could more easily go back to paper," Devlen said. "The recovery time tolerance was much longer. Now, recovery time is much less, measured in minutes and hours."
Bryson Hopkins, director of global solutions architects at Equinix, a data center and colocation and cloud consulting firm, said healthcare organizations have only started moving substantively toward the cloud over the past 18 months.
Healthcare warming to cloud
They are also starting to use cloud for everyday applications and patient care and getting comfortable with the cloud and its cost-saving and data-sharing benefits that way, he said.
For example, "some of these urgent care doctor practices are starting to embrace the use of office automation stuff from [cloud vendors]," Hopkins said.
Hopkins said providers like these are asking themselves: "'How can we also be a little more survivable so when things [like cyberattacks] start happening?'"
"It's no longer people trying to set up stuff in their office," he said. "They're more comfortable with DR in the cloud."
Despite the growing popularity of cloud technologies, however, Hopkins predicted that many storage applications and daily workflow applications, especially those that require super-fast response, will continue to be handled on-premises for a long time.
Wariness and welcome for cloud
Virtualization expert David Davis, a co-founder of Actual/Tech Media LLC, who has written about healthcare disaster recovery, said when considering disaster recovery systems, organizations should evaluate risk, or how much data they're willing to lose, as well as recovery time.
They should also carefully review contracts for security provisions and be attentive on their side to building networks and data pipelines that can handle the cloud traffic, he said.
If organizations are buying disaster recovery as a cloud service, the faster they want data recovered from the cloud and less they're willing to lose when or if a failure occurs in their data center, means higher costs, especially for high-bandwidth data such as medical images.
"It's just going to cost a lot more money, a lot more bandwidth, a lot more storage," Davis said.
Davis noted that at the same time that many organizations are opting for some kind of cloud storage, others are moving back to on-premises approaches after absorbing huge bills from public cloud vendors.
Nevertheless, the advantages of cloud DR can be compelling, Davis said. They include pay-as-you-go and charge-back to assess usage time, scalability and agility, and eliminating hardware overhead.
As for big healthcare providers' longstanding wariness of the cloud, Davis said: "I don't blame them."
"Any company should be leery of cloud to some degree. Initially we have high expectations. We think it's just always on and they're perfect," he added. "That's not to say they don't also have problems. And when they have problems, they're massive. You lose a lot of control."
Let us know what you think about this story on healthcare disaster recovery; email Shaun Sutner, news and features writer, or contact @SSutner on Twitter.
Handbook: Disaster recovery in the cloud
Storage magazine covers on-premises disaster recovery
Why network monitoring is key to protecting against healthcare cyberattacks