Disaster Recovery: Planning for the Day You Hope Won’t Happen
David KleinmanDisaster recovery is an event that PACS administrators hope that they never will have to confront, but it is increasingly clear that it needs to be a top-of-mind concern. Natural disasters, particularly tornadoes and floods, seem to be occurring more frequently, with greater intensity and with more resulting damage. Hospitals and imaging centers are not exempt from their effects. The impact along the Gulf Coast of Hurricane Katrina in 2005 (with the subsequent levee breach in New Orleans, Louisiana) was a wake-up call to health-care IT staff that catastrophic disaster recovery planning to protect data storage resources must extend beyond a geographically vulnerable region. Restoring established PACS at some of the damaged health-care facilities proved to be daunting, and some patient files were lost forever. Fast-forward past Superstorm Sandy to 2013: Newer technology services, such as secure cloud disaster recovery and archiving solutions, are making preparedness easier (and potentially less costly) than the use of tape or other media-based backup would be. This is good news for PACS administrators who are challenged by the growing size and quantity of medical images. What is important is to assess disaster recovery requirements at regular intervals, according to David Kleinman, director of cloud services at FUJIFILM Medical Systems USA, Inc. It’s also important to verify continually that data are being backed up and can be accessed without unexpected problems, for both on-site and off-site storage. Of course, guaranteeing that HIPAA privacy and security requirements are being met to the letter of the law also is essential. “Outsourcing data-transfer and backup services to a third-party provider is a very viable solution,” Kleinman says. “Cloud-computing companies that maintain HIPAA–compliant security offer many benefits to a hospital IT department. Initial costs tend to be lower, as a radiology department doesn’t need to make a large capital investment to make multiple copies of backup data or to expand tier 1 storage. Deployment of a data-recovery system is rapid and can be scaled. Round-the-clock services are provided without increasing local IT staff.” Defining Service Criteria Not all cloud-service providers are created equal. In addition to the basic requirements of data encryption and of maintaining security levels, additional criteria that must be defined with the vendor include: • data rights and ownership, • the location of data, • how data are stored, • how quickly data can be accessed and retrieved, • the number of times that the data are duplicated, and • how rapidly scaling can be added—and at what cost. Service accessibility and uptime should be 24/7 and 99.99%, Kleinman states. Compliance and audit requirements should be spelled out, as well as a method that enables a subscriber to monitor performance independently. Data-migration issues and planning for service termination (and transition to another service) are also important to discuss up front. For HIPAA purposes, it is important to get the vendor to sign a business-associate agreement. Such an agreement requires the service provider to notify the health-care customer if any improper use or accidental disclosure of health-care data has occurred. What You Pay For The level of security and service required will naturally have an impact on price. “Costs can differ greatly among vendors,” Kleinman says. “Companies that provide the most minimal services offer inexpensive data storage, but this is probably not an appropriate service for the mission-critical data that health-care companies need to protect. Companies that offer secure data transfer, multiple tier-4 data centers, 24/7 service, and rapid data-recovery services might charge a small fortune. It’s important to define your data-protection requirements and choose a cloud-service provider that understands the data and can provide you with a competitive price for its services.” Fujifilm introduced its latest cloud-based storage service for both on-premises and off-site archiving and disaster recovery through Synapse® Cloud Services on April 2012. By taking advantage of the density and speed of linear tape-open magnetic tape storage, in conjunction with spinning-disk technology used in PACS, the solution provides a lower-cost full-service archiving and data-recovery product to hospitals and imaging centers (with PACS of all sizes and from all vendors). Kleinman says that Synapse Cloud Services was the outcome of a robust solution built upon proven technologies, representing an evolution of Fujifilm technologies that combined expertise both as a leading provider of professional broadcast video and data tape and as a leading RIS/PACS provider. It spent more than a year being validated after rigorous testing, and it was field tested at a Synapse PACS customer’s location, Cape Regional Medical Center (CRMC) in Cape May Court House, New Jersey, which is implementing the full service this month. Images and related data, in addition to being stored on CRMC's storage network, will be transmitted to Fujifilm’s secure data center in Denver, Colorado, via VPN, for storage in the vendor’s private cloud. A recent upgrade of Internet connections in the Cape May area allows transmission to occur at a speed of up to 100 megabits per second. Technical Details The service is scalable to meet changing needs, and it is sold with a portfolio of add-on options. It works with any PACS and is treated as another tier of storage. PACS data can be uploaded and retrieved online in two ways: by transferring data over a VPN (with directory sharing) or by using the solution’s file-migration client. The file-migration client automates, monitors, and validates file transfers to a protected Fujifilm data center. It works in a Microsoft Windows environment, and it has built-in, tiered storage management designed to help customers conserve on-site storage by archiving data off-site, in the Synapse cloud, based on customer-defined parameters. Kleinman says, “We work with customers to define their needs with respect to on-site storage and instant access to images. This intelligent, always-online system has prefetching functions. The system will review modality worklists and retrieve any off-site images, based on the customer’s parameters. They are online for the radiologist, if he or she needs them.” Data migration operates invisibly, in the background. A customer portal provides PACS administrators with comprehensive information. “Everything is transparent to customers,” Kleinman says. “They have the ability to monitor everything that is happening and to conduct independent performance audits, whenever they wish.” The company’s secure, tier-4 data centers are located in Atlanta, Georgia, and in Denver, Colorado. By default, there are at least three copies of data. When Disaster Strikes In the event that a disaster decommissions on-site data, Fujifilm will ship data-recovery clients up to 10TB of data (in a disaster recovery unit) within 72 hours. The unit contains a server with all the encrypted data needed to provide storage and archival functions for a PACS. For Synapse PACS customers, there is an added bonus. The customer’s PACS is configured on the server as well. “If a customer’s PACS has been destroyed, all that is necessary is to plug the unit into a network, and Synapse is up and running,” Kleinman says. “A customer-service engineer will arrive in time to make this happen.” Having immediate access to stored images contained in the disaster recovery unit is a huge benefit for radiologists, Kleinman notes. Other cloud services provide access to cloud-stored images through a DICOM viewer, but this can be very taxing for a radiologist trying to compare images displayed on a diagnostic workstation with those displayed using a simple Web viewer. Having the disaster recovery unit also eliminates the nightmare of querying and retrieving one exam at a time from a cloud archive—especially when a catastrophic event might be putting greater strain on a department’s operations. Kleinman says, “By outsourcing disaster recovery for PACS, administrators can alleviate a lot of work and pressure from their jobs. A company that provides safe, secure, and comprehensive data-file migration, that manages storage rules and disk use, that schedules jobs and storage levels, that performs backups, that conducts audits, and that proactively manages all disaster recovery storage functions is worth its weight in gold. Paying less for full-service, cloud-based disaster recovery and archiving services is something that I hope PACS administrators will pursue when evaluating cloud-service offerings.” Cynthia Keen is a contributing writer for Radinformatics.com.