Why does it often take a crisis to get people’s attention or for them to take action regarding imminent danger? During the late 90’s and until recently, I stumped around the country for healthcare organizations to plan, build and implement disaster avoidance. I always emphasized the importance of doing so and illustrated over and over again the payback of taking such action. My position hasn’t changed in 20 years, but the evidence supporting my position has.
Security, replication, redundancy and data recovery systems are critical in healthcare and yet, many still do not have those things properly in place. If cost is justified, why do they still not exist? That is a great question that I believe is answered by one word; “leadership”. Let me show you some statistics that will get your attention.
Let’s begin with the annual cost of data loss to U.S. businesses – $12 billion. I don’t yet have your full attention? OK, how about the statistic that reveals that of 50% of businesses that experience a system outage are forced to close their doors within 5 years. And downtime revenue per hour impact averages from $1.25 million in information technology to nearly $3 million in the energy sector.
So with such high stakes, the importance of protection is amplified. The increase in cyber-attacks may be due to knowledge of both the high stakes of down-time and the value of a patient health record on the black market. And perhaps that helps explain the increase in ransom requests when systems are crippled by malware attacks, often referred to as “Ransomware”.
This excerpt from the Becker’s Hospital Review describes what has happened recently:
“The first, and most public, incident happened at Hollywood Presbyterian Medical Center in Los Angeles, where in early February hackers shutdown the hospital network and locked physicians out of the EHR. The second occurred at Methodist Hospital in Henderson, Ky., in March, where a ransomware virus limited the use of the hospitals web-based services. “
The impact of ransomware can be devastating financially. Let’s not forget to mention the potential impact on quality of care. In essence, this criminal activity could become like robbing banks in the days of Bonnie and Clyde. Unless stopped it could wreak havoc on our healthcare system.
So why then is this a leadership issue? Because leadership has to recognize that IT within an organization is not just a necessary evil, but necessary to fight evil. When budgeting and prioritizing, why is disaster avoidance system implementation so often overlooked in favor of something else? Why are IT staffs so often over worked and under resourced? Could it be that the proper planning and prioritization is not taking place and mission critical activities such as disaster avoidance are being put on the back burner?
There is one last group of statistics to further prove this point. Decisions regarding disaster avoidance are often predicated on the notion that the primary threat for downtime comes from natural disasters such as floods, fires and storms. Incorrect. The leading culprit of downtime at 44% is hardware or system malfunction. In order, to follow, are human error (32%); software corruption (14%); computer viruses (7%) and finally, natural disasters (3%). So, investing in infrastructure disaster avoidance alone will potentially reduce 97% of downtime problems. The final 3% can be inexpensively protected to some degree by remote backup facilities.
I know people who provide disaster preparedness and recovery services efficiently and inexpensively. Some companies understand that their IT environments aren’t adequately resourced to accomplish what they need. Those who have not yet committed to execute disaster avoidance are gambling the future of their operation, and that is a leadership issue.