Disaster Recovery: Cross-Training KeyTornado Experience Offers Important Lessons
"We had just completed six months ago a disaster test where we simulated a fire in our computer facility and, on paper, we took out a few of our key staff, like our network director and our server manager, just to see how the team would respond," he points out. The academic medical center cross-trains its IT staff "so no one individual holds a monopoly on any role," he notes.
This cross-training came in handy in the aftermath of the tornadoes, when several members of the data center staff could not make it to the hospital, Herzig points out.
In an interview with Howard Anderson, executive editor of HealthcareInfoSecurity, during the HIPAA Security conference May 10 in Washington, Herzig also:
- Points out that backup generators and uninterruptable power supply (or UPS) systems, plus two connections to the power grid, enabled the hospital to have continuous power.
- Advises healthcare organizations to test generators frequently. "Our generators are tested each month by our maintenance staff," he says. "You don't want to depend on a generator that's never been run."
- Stresses the importance of preparing disaster recovery plans for rare events, like tornadoes. "And be sure to test those plans."
In addition to serving as information security officer at UAB Medicine, Herzig is HIPAA security officer. He heads a team of three security specialists at the delivery system, which includes a 1,000-bed hospital and numerous outpatient facilities throughout the state. He is editor the book, "Information Security in Healthcare: Managing Risk," published by the Healthcare Information and Management Systems Society.
Herzig also is the featured speaker in a webinar on developing a policy for protecting information on mobile devices.