Securing Your Medical Practice Data in a Natural Disaster

If you’re a medical practice in the Mid-Atlantic or Northeast, you’re probably stressing about when and whether to close your doors, and how to accommodate your neediest patients.

And if that isn’t stressful enough, there’s the data issue: protecting yours from a natural disaster. Whether you already have an emergency plan in place, or you’re just realizing now that you should have had one, healthcare experts offered us a few tips on the best, most HIPAA-compliant ways a practice can protect its data in the event of hurricanes and their after-effects (flood, water damage, apocalyptic winds, etc.).

Let’s start with practices who rely on cloud-based EHRs and other technology systems. If you fit into that category, the first step is to call your cloud providers and find out where data is stored.

“Typically, your more robust companies will have a widely distributed backup system in at least two locations,” Ron Cline, manager of physician consulting services for Brentwood, Tenn.-based healthcare consultancy QHR, told Physicians Practice. “So a natural disaster affecting your data is very unlikely.”

Healthcare consultant Bruce Kleaveland said practices should also ask if the cloud provider has made provisions in the case of a natural disaster. A list of questions may include:

• Where is the data center located?

• Do you have redundant backup in the event that the primary data center is compromised?

• Where is the redundant backup located?

• Do you have any other backup for our data?

Next, if you’re still open for business, be prepared for an Internet outage.

“If Internet goes down, assuming you’re still open for business, some of the systems will do local backups,” said Cline. “Try to connect to a wireless router, or to the Internet through another source like a cell phone.”

If that doesn’t work, you may have to use paper and enter data when your connection goes back up.

Ideally providers that use on-site hardware and software and are open for business, should have an UPS (uninterrupted power supply) in the event that power is lost, said Kleaveland.

“The UPS is a short-term battery backup that provides the practice with ability to power down in a systematic way in the event of power loss,” said Kleaveland. “They should have all of the data backed up on a physical medium that they can take with them and protect from any natural disaster. If there is a particular location is subject to flooding it would probably be prudent to temporarily move the server to a safe, secure place until the threat had passed.”

But before you load equipment into your vehicle and take it offsite, consider HIPAA security issues.

Practices with bigger, rack-mounted systems should call their IT staff (contracted or otherwise) for assistance in getting it off-premises. And for small practices with portable equipment, “the question is, ‘where are you going to put it?' All that stuff is HIPAA protected so you can’t just park it in someone’s garage.”

Practices should house data in the most secure possible location, such as a satellite office that’s in a less-likely-to-flood zone. And for next time, plan ahead for future disasters.

“Your data backup plan should have you covered for just this kind of thing,” said Cline. “What if your building burns down? Same kind of situation. Your backup plan should not include on-location storage.”