Disaster-Proofing Your Electronic Medical Records

December 21, 2017 | Featured Articles

Download PDF

The term “life-threatening” takes on new meaning during a natural disaster, when critical information systems may be down and patients are in need of uninterrupted care. Healthcare IT professionals underscore the importance of backup, recovery, and operational access of this vital information for good reason — in times of disaster, accessing information is essential to providing ongoing care and avoiding business interruption.

One Backup is not a True Backup

In today’s era of using phones that function like computers, the concept of backing up digital information is a familiar one. But implementing a backup plan for a healthcare institution can be much more complicated than plugging a phone into a computer at night.

Many EHR/EMR providers offer a cloud-based backup system in conjunction with their software. These data backup systems are great when the internet is functioning, there’s no weather-related physical damage to a system, and staff are readily able to properly implement that data recovery. But what if a computer’s infrastructure fails? Off-site cloud storage may suffer. Worse still: the data could become corrupted.

Cloud-based backup systems are a necessary part of any backup plan. But nothing can replace physical, on- and off-site backup components. These are key to ensuring continued, operational success.

Off-site backups can be easily scheduled through an EHR/EMR provider and can occur without requiring physical backups. It’s important to check with your software provider to ensure your off-site backup system is HIPAA-compliant and performs backup protocols at regular intervals. To determine intervals, consider the work necessary to re-acquire any information not properly backed up; costs associated with acquiring said information; and the frequency of visits to your practice.

On-site backups can be much more complicated. They require more physical hardware, manpower, and time to implement. The same basic time interval principles should be considered when developing an on-site backup plan to ensure there is minimal data loss — as what has not been logged, will be lost.

The general rule of thumb is that unless there is more than one backup (or at least three if you’re a techie), it’s not really backed up. Industry professionals suggest a three-dimensional plan to ensure data is safely stored. These three dimensions are time, space, and method; and refer to the time frequency in which backups are made, the space they keep, and the method in which they are stored. Here’s a nerdy diagram to illustrate what we are talking about here. 

A plan implementing frequent physical information backups will minimize instances of lost information. Consider the following: If an off-site cloud based backup occurs during non-operational hours at 2am, but there is a power outage at 11pm that evening, and your uninterrupted power supply (UPS) only maintains power to your system for 2 hours, your system will be disconnected from the cloud for backup at 1 am. Your backup is now an entire day behind. 

Additionally, applications are rarely backed up… only the data. But the data is useless without the appropriate applications to access it. For this reason, always be sure to include application backups in your on-site implemented backup plan. Also keep a multi-person accountability program in place to verify that backup protocols are being met and performed appropriately.

Regular testing of on- and off-site backup options is imperative to ensure that information can function in times of need.


Data recovery is an oft-feared scenario. When critical patient information is at risk, it is no less frightening. It is essential that you always ensure data recovery is possible. Your ability to utilize recovered information is a crucial step to developing a true disaster preparedness plan.

Many professionals in the industry would suggest a Software as a Service (SaaS) option for achieving these objectives. Software as a service is a subscription-based distribution model for licensing where the software is centrally hosted. This is a great option if you can guarantee you will have power, internet access, and the staff to implement the recovery of your systems — Hurricanes Maria, Irma, and Harvey are in recent enough memory to be a testament to the fact that this not always the case.

In extreme scenarios where the internet may be down, you can utilize a 3G signal to tether a computer to cloud-based EHR/EMR systems. It may seem like a ridiculous plan option, but including it in your plan, and testing its efficacy is imperative to your ability to providing the best possible care in a disaster scenario.

Furthermore, it is not out of the question to make sure you have alternative options to keep the doors open, and the level of re-work down to a minimum. Paper-based systems may seem heavily antiquated in our modern era of microsized computers, augmented realities, and self-driving cars; but paper doesn’t require power to be read. Be sure to include a low-tech level of preparedness with paper forms to aid in the recovery of patient data to truly cover all of your bases.

Operational Access

Up to this point we’ve covered a variety of backup and recovery plans that all lead to this final act: operational access. None of it truly means anything unless you can be operational again, providing the best possible care for you patients as you originally set out to do.

The key component to operational access is truly being prepared for anything. If the power goes out, do you have an uninterrupted power supply to keep your systems running so that you and your staff can access the information to provide proper care? Do you have a protocol in place for a multi-person team to implement data recovery when the systems go down in a natural disaster? Are there trusted individuals or entities who can produce a copy of the HIPAA compliant off-site saved data for use when the systems are down?

All of the planning in the world for a disaster means nothing unless it can be effectively put into action when it truly counts. This can only be done through a combined plan of on- and off-site secure data storage methods, an explicit plan for execution when a disaster strikes, and true testing to ensure that all of these systems work when they are most needed.

Given the recent slew of natural disasters, it’s hard not to acknowledge the importance of preparing for what may come. Proper EHR/EMR backup and recovery procedures are not only a crucial component of providing proper healthcare, they are a necessity for quality and value in the provider-patient relationship. So make sure to discuss all of your options with your EMR vendor, and if the back up and recovery plan is lacking, seeking additional coverage in the form of other HIT professionals that specialize in this kind of protection.