In our business continuity/disaster recovery world, we often are caught up in a “one-size-fits-all” mentality. Sometimes we fail to seek an out-of-the box solution that best suits the quickly changing business that we serve. Consequently, we pick proven remedies rather than unconventional approaches. Well, let me tell you about a recent situation that started on a normal DR path, but ultimately, took a turn for the better.
Like many businesses, medical institutions pride themselves on maintaining impeccable reputations. Ultimately, patients select reputable practices and physicians based on public trust. Support for information technology must be treated with the utmost care, like vital patients’ electronic medical records, along with a corresponding DR program. This is our core business competency, which must be protected in a highly competitive industry. However, we did not have to uniformly apply this mindset to all systems, as with our newly purchased back office system.
Historically, the information technology and services (ITS) department internally hosts all business systems within our datacenters. So when it was time to purchase the new back office system, conventional thinking told us to repeat this practice. Besides, we didn’t have any experience with external hosting. Therefore, our decision looked like a slam-dunk – just build the supporting data center environment to fit this safe solution.
Even though the road ahead appeared self-evident, we considered an externally hosted solution. Surprisingly, this underdog solution became more compelling as we completed the business case. As we got closer to making this unconventional decision, some resistance surfaced. Would the outsourced arrangement be able to deliver on the required service level agreement? Would the business be satisfied? And more broadly, would this model replace the internal hosting solution that has served our clients so well over the
Two dominant reasons supported this unconventional solution. First, ITS leadership needed to examine our core competency. Once we clearly recognized that our core medical skills were far more important than developing back office skills, such as managing our procurement process, the solution became more evident. Second, ITS leadership addressed the risk management consideration. We wanted to give greater funding consideration to medical technology rather than administrative systems, provided we could properly support the business needs and not compromise our stringent DR requirements.
A recent business impact analysis defined the recovery requirements that the external hoster could support, as captured in our contract with appropriate penalties for non-compliance. But could the vendor demonstrate a legitimate DR program to satisfy our requirement? The vendor provided its DR plan documentation, which appeared sound. Moreover, the vendor was committed to testing its DR plan twice a year, which the leadership reviewed and approved.
This resolution taught several (humbling) lessons. First, business (medical) competencies trump other considerations. Our decision needed to be aligned with this reality. Second, don’t prejudge your DR decision. It is best to allow your decision-making process to bubble up the best solution. Third, all repu-
table external providers will divulge their DR programs, which become just one more dependency that needs to be managed. Overall, we satisfied our risk management objective by selecting an unconventional solution over a predictable approach. CI
Larry Heck, CBCP, is leading the DR planning effort at Weill Cornell Medical College, serving the New York City area for over 110 years. This institution’s triple mission is academic, research and patient care, and is affiliated with New York Presbyterian Hospital, one of the top U.S. hospitals. He can be contacted via e-mail at firstname.lastname@example.org