Evaluate Your IT Support
If you don’t address vulnerabilities now,
the odds are against you when disaster strikes.
Information technology (IT) is a critical part of your healthcare organization. To effectively secure its data and systems, your organization’s IT support must be up to date on the latest trends, technologies, and efficiencies and they must maintain the most current certifications. If you aren’t confident (and, probably, even if you are) that your organization’s data is being managed properly, now’s the time to examine its infrastructure more closely.
It Won’t Happen to Me
Too often, I hear clients and business associates say silly things like:
- “It will never happen to me.”
- “I’m just a small practice; I’ll never get audited for HIPAA compliance.”
- “I’ll never be hacked.”
- “My email will never be compromised.”
- “My server will never fail.”
- “I’ll never have a fire that will destroy my business.”
- “No one will steal my laptop.”
Contrary to these misconceptions, IT vulnerabilities and the resulting loss of data, data breaches, downed systems, and other nightmares occur regularly in organizations of all sizes. The odds against you are too high and the consequences (financial and otherwise) are too serious to assume the worst will never happen.
Backup and Disaster Recovery
A proper backup and disaster recovery plan is vital. If you need a reason why, consider this: If your IT systems are down, you’re losing revenue. Specifics you should examine include:
Backup Plan – Have a written plan detailing how your systems are backed up, what is being backed up, how often the backup is occurring, and the retention policy of the backup (how long old data is retained). A backup that occurs every five minutes is significantly better than one that occurs each night.
Backup Media – On what media is the backup being saved? Find out if it is a backup to tape, hard drive, universal serial bus (USB) drive, online backup, etc. Each presents a mix of pros and cons.
For instance, if you’re backing up to tape or USB drive, is that media then taken offsite? If so (and it should be), be sure the backup data is encrypted. Encryption keeps the data confidential in the event the media is lost or stolen. If you’re using an online backup provider, ensure it meets your regulatory needs for security and reliability.
If you’re backing up to a device that remains onsite, and there’s a fire, flood, or other catastrophic event that ruins both your production data and backup data, will your organization be ruined? Make sure you have a plan B.
Mean Time to Recovery (MTTR) – This simply means the average time it takes for your systems to be operational again in the event they go down. This is important because if your systems go down, you’re immediately losing revenue. Determine how long it will take for IT support to get you back online and whether there will be data loss. If your server crashes, will it take four hours or four days to recover? The difference could mean an organization’s survival or failure.
Test Your Backup and Disaster Recovery Solutions
You do not have a working backup and disaster recovery plan until it has been tested. Even if your backup reports “Success,” don’t trust it. The only way to ensure success is by testing it.
Questions to Ask an IT Support Vendor
If you’re thinking about hiring an IT support vendor, talk to other business partners about their IT support solutions and experiences. Find out whose services they use, and the pros and cons to those services.
If you’re ever in doubt about your IT support, or want a second opinion, invite a competitor or outside IT support company to review your systems. Such a peer review may reinforce the recommendations your current provider has already made, or confirm that there is nothing further of value the reviewer can offer.
Remember that you get what you pay for. It’s more important to hire someone who wants to work with you and who understands you — someone you can trust as a business partner. This is an important partnership because IT is so critical to your organization.
If you want to test your IT support, copy a folder or two of documents to an alternate location and time how long it takes your IT support to recover the files from backup. This is a nominal task that should take under 30 minutes to accomplish.
IT Support vs. IT Management
I describe IT support vs. IT management as “Reactive vs. ProActive.” Many people or companies providing IT support are simply there to provide support in a time of need. IT support is great, but most organizations need more. Someone providing IT management knows you’ll need support, but also proactively works in the background to maintain, monitor, and document your IT systems. IT maintenance used to consist of disk defrags and the occasional service pack. Today, there are a number of proactive measures. For example:
- Up-to-date systems patches protect against the latest vulnerabilities;
- Reliable anti-virus and anti-spyware protection further guards against hackers; and
- Optimized configurations keep systems running smoothly.
This isn’t something that’s done once, but repeatedly. Just like a regular oil change, if you maintain your systems, they will last longer and perform better. Continuous monitoring is an important proactive measure to prevent downtime, respond to and resolve problems more quickly, and prevent revenue loss.
IT management should work with the business owner or manager to budget, improve, and plan IT expenditures. Whoever you have in this position should be able to discuss IT with you in language you can understand. You can’t make the best business decisions for your organization if you don’t understand the information provided to you.
Brian Shrift, CISSP, HCISPP, is president of Precision Business Solutions.