Although the financial impact of downtime certainly is important, in the eyes of executives it often pales in comparison to the potential for negative publicity and possible community impact.
That’s one of the three surprising keys to healthcare disaster recovery that Robert Giffin, CBCP, CISA, noted during the recent McKesson webinar “Resiliency Services – Disaster Recovery in Healthcare.”
“People obsess most about the financial impact, but ultimately, estimating the financial impact of downtime results in a series of estimates and guesses,” says Giffin, director and co-founder of Avalution Consulting, a provider of business continuity and IT disaster recovery consulting services. “Most decisions to invest in DR at the executive level are made based on a gut feeling for the reputation and community impact risk involved.”
Potential impacts of system downtime for hospitals include:
- Financial impact (overtime, lost revenue, etc.)
- Reputation impact (perception as unreliable or cheap)
- Community impact (especially for hospitals of last resort)
- Compliance impact (especially in the case of trauma centers)
- Viability of downtime procedures
In Giffin’s experience, the vast majority of executives are seeking a DR solution that protects against the other four considerations rather than the financial one. “Your reputation, you can’t protect it with insurance, and it’s hard to get back once you’ve lost it,” Giffin says.
The second surprising aspect of DR planning is that some downtime is acceptable – even with PACS and EMR systems. Every hospital accrediting body requires that clinical departments maintain downtime procedures so patients can be treated during system outages. Effective downtime procedures can allow for several hours of downtime, without any patient impact, while IT restores a system.
Giffin says a small hospital can likely go for a day without medical imaging software by reading the images directly on the modalities. That same scenario will work for larger hospitals, but the challenge becomes matching up physicians who read the images with the machines where the images are stored, especially among those physicians with off-site offices. Often larger hospitals can only run on downtime procedures for a few hours.
Based on Giffin’s experience, the following are common downtime tolerances for key hospital applications:
- EMR: 2-4 hours
- Lab and Pharmacy Systems: 4-8 hours
- PACS and CPACS: 12-24 hours
- Finance/Revenue management: 3-5 days
“A PACS can be out for up to 24 hours, which can be a hassle but it can be done,” Giffin says. “Beyond 24 hours, the issue is that paper (documentation) piles up.”
The final surprise comes when it’s time to present the findings to executives. Many IT people believe it’s important to advocate for a particular healthcare disaster recovery solution, building a case for their preference. However, Giffin believes it’s better to present execs with two or three choices showing dollar amounts and recovery times for key systems.
People are accustomed to gold/silver/bronze or good/better/best choices when making buying decisions. That is at the heart of resiliency services: determining risk tolerance and putting a dollar amount on what it will cost to bring the organization to that level of risk.
“The benefit to IT is that you don’t have to argue for what you want,” Giffin says. “You provide the options and then get out of the way.” This empowers executives to understand better what level of healthcare disaster recovery protection they are buying and takes IT out of any potential crossfire.
But the good/better/best scenario doesn’t let IT off the hook. It’s imperative that the executive or executive team understand exactly what each scenario, such as a hosted storage service, represents, as well as the cost of doing nothing. And remember, “Choosing to spend nothing is a choice that an executive can make,” Giffin says.