Webinar Lunch and Learn - 1:00:47

Educational Webinar by TruAdvantage’s Co-founder on Disaster Recovery/Preparedness for Healthcare

Transcription of Webinar Lunch and Learn:

Bryan: Thank you everyone for joining us for another Learning Lunch hosted by Format Approved. My name is Bryan Johnson and I’m the senior director of Online Education with Format Approved and I’ll be your moderator today. Today’s Learning Lunch title is disaster preparedness and healthcare in IT environments. I’m very excited about this subject; I think it’s very much neglected by many practices. It’s really exciting to be able to share the expertise of our guest today, but before I introduce our expert I would like to thank for sponsoring this Learning Lunch event… to deliver peace of mind to their clients by reducing cost, increasing efficiency and implementing world class IT solutions at an affordable fixed monthly fee. You can learn more about and we’ll talk more about them at the end of our session today as well. We’re joined today by Kayvan Yazdi who is the cofounder and CEO. So thank you so much for joining us today Kayvan.

Kayvan: Oh it’s a pleasure to meet you Bryan.

Bryan: Well as I was saying before I’m excited about this session because I know I’m going to learn about disaster recovery and I think all of us could stand to learn more about best strategies in this area. Again you can see Kayvan’s bio on your screen. But just to reiterate. It’s one of the few IT firms in the San Francisco San Jose area that’s fully focused on health care practices. And Kayvan to help practices and they were in dire need of IT experts who understand health care industry challenges. Alright now let’s look at our list of questions we’re going to talk about today. While I just go over some quick housekeeping notes for our guests remember that you can ask questions of our expert at any time during the session by entering them into your chat area. We’re going to hold those questions till the end and then we’ll address as many questions as time allows. We’ll share all questions with our expert. So if we don’t get to hear questions don’t worry about it he’ll get back to you by email. Remember also that all registered attendees of today’s session will receive an email with link above the slides that we’re looking at and also the recorded version of this event. People always ask us if they can get the slides so don’t worry about that we’ll send them out after today’s session. Alright so here is a nightmare scenario for a lot of folks I’m sure. Kayvan let’s start out with the disaster. What happens if there is a fire in a practice server room?

Kayvan: Alright Bryan I want to thank you and thank everyone for being at this webinar; it’s pretty good to be here. As you mentioned this is one of the topics that is ignored and in a lot of practices it’s not a very pleasant thing to think about, especially with a question like that. But again it’s something I believe every business owner, every medical practice, every small and medium practice needs to think about and it should be a part of the business planning. Also wish everyone a belated and prosperous 2017; I hope it’s going to be a great year for everyone. I’m sorry I have to start this webinar with this question. But this is actually one of the best ways to start this discussion because I’ve been to webinars and I want to make sure everyone is engaged in this presentation. I want to make sure that people can relate to this topic and kind of start thinking about their own business, their own practice in terms of these questions. It doesn’t matter if you have a business of 5 people, 10 people or 100 people; these questions relate to everyone, everyone needs to talk about them. Another reason I’m bringing this question up first is this is how we start our backup and disaster recovery planning; when we go to sites or new clients we always start with this very basic question. It’s a very good question: what happens if there is a fire in your server room? So if you have a server room, you have the place where you have your computers. Believe it or not I’ve seen servers one at an office and one at a doctor’s house or something. So we’ve seen all sorts of scenarios. Let’s say you have a server room and, God forbid, what really happens to your infrastructure? There are a number of questions you want to ask yourself when you rely on technology and you want to do some sort of planning. First question would be can you continue doing business. The reason I use continue doing business is because business continuity is one of the topics we want to talk about.
The easiest way to go over it is going over the words can you continue doing business or partial operation. Let me give you an example: if you have an EMR server and you receive patients, you have practice management, TM server or TMR server and may God forbid it was in that server room and it’s on fire. Now everything you’ve got is gone; that server is gone; it takes the backup you had next to that server; if you had any backup it’s gone, the USB drive or the hard drive that you were backing up; everything is gone that was in the vicinity of that server room what you had for your business. Can you still see patients… can you receive emails? What are the things you’re going to be losing? Another question that you want to start thinking about okay this I lost everything in terms of the server room and the data that was in it. I can’t work or I can’t work, I can only work partially. How long does it take to get back to normal? How long does it take to get back to the basic functionalities we had and going to the normal, receiving patients, you know processing EMR, your practice management, your accounting software, whatever it is you do with computers, servers and applications. How long does it take? Is it half a day? Is it an instant you can go back to normal, you don’t rely on it too much? So these are the questions you really want to start thinking about. One more thing you require when you start thinking about it (again I told you this is more of a business question than a technology question) is a lot of people will start thinking about how much revenue they lose if their IT systems or server room is completely gone, half a day or a whole week. How much is it that we lose? We’ve had medical practices that every hour will lose $20,000, $30,000.

Bryan: Wow

Kayvan: Yeah, they’re receiving patients. Every hour meant $20,000, $30,000. Even having that number in mind you see a lot of idea where you want to go with this planning? How much do you want to spend? Now you have numbers in front of you that you can look at and take you from there. And finally the most important question would be can you recover from such a disaster like that financially and operationally. I’m going to show you that there are companies, there are practices, there are businesses that can never recover from such a thing because they didn’t do the planning right; they didn’t want to think about it; it wasn’t a pleasant thing and they ended up with unrecoverable data, and imagine losing your patient data forever. I hope it’s never going to happen to anyone but just in case of that.

Bryan: But only if you. Obviously planning is in order if you’re going to prevent that disaster from happening.

Kayvan: Exactly

Bryan: Maybe this is a good time to tell us, then; give us some statistics for what data loss and disasters mean for business.

Kayvan: Sure there are exactly a lot of sources that do research on this because one of the hottest topics out there it’s a very important topic. This you can take with a grain of salt, it’s not written in stone. I’ve seen different numbers but it gives you an idea of what’s going on because disaster is not something tangible that we can see; we need to get reminded of that. What I realize with our clients when I give them numbers, when I show them the statistics they kind of oh okay that happens too I forgot. And that’s why it’s very important to have an idea about the situations out there. As you’ve noticed 93% of companies that lost their data for 10 days or more file for bankruptcy within 1 year of the disaster. And 50% file for bankruptcy immediately. When I see 10 days it was a little bit more information about this they’re going to put it on display. We’re talking about critical data, I’m not talking about mp3 files, I’m not talking about your glossy templates or anything else, I’m talking about your patient records, I’m talking about your accounting information. So if you really use that information it’s kind of relative but there are statistics out there: if you can’t get access to them for more than 10 days there is a 93% possibility that you would file for bankruptcy. That’s from National Archives in Washington. Another piece of information that’s important is based on (Inaudible 9:52) 20% of small and medium businesses will suffer a major disaster causing loss of critical data from every site. Now I told you to take this with a grain of salt; this is actually I would change it to every 4 years from my experience. There is some sort of disaster and we can go over that later on in what I define is a disaster that every 4 years a business is going to be somehow hit by a disaster and experience loss of data. And that’s something that I’ve experienced.
The third one is actually the third piece of information the most relating was especially for a smaller business. This is 2014, this year 40% of SMB Small to Medium Businesses that managed their own networking, using the internet for more than email will have their network accessed by hacking and more than 50% wouldn’t even know they were attacked. This is by very credible route for a lot of us to know. Now you might wonder what does that mean? That manage their own network. I’m talking medical offices, I’m talking about an office that buys 15, 20 people where you start growing and you have son in law or you have your son doing your IT and you just go to a retail, you go to Fry’s, Best Buy to buy a cheap router, you put the router there, you get internet connection like Comcast and all of a sudden you have 10, 20 desktops connected to this very important highway called internet. There is no monitoring going on and you start doing a lot of other stuff. And guess what? One of those 10 desktops from my experience is going to do something for your desktop that is going to expose your network. If you don’t have the right tools or you don’t have the right monitoring that you do with the router on the gateway of your network your patient information is going to be exposed and you’re not going to even know it. You might never know if for 5-10 years nothing will happen or this information might be exposed and sold. In these cases getting ransom for info for these things we’ve seen different cases but that’s a very alerting piece of information that we even notice with companies that have their IT infrastructure managed, data managed; they don’t have the right monitoring tools. There are people that all that they do is access in the networks; they scan the network on a daily. I wouldn’t say daily by second basis they have automatic tools.
They see vulnerability, they see an open network, they see a desktop that has opening ports and they access it and they do their best to do it. Some really do it for fun; really some people do it for fun. But I hope if someone gets hacked it’s just for fun it’s not for anything more than that. Sometimes they do it for other reasons. But those 3 pieces of information are the relevant ones for small businesses that need to put into perspective. So we can go into

Bryan: Alright so let’s talk more about the nuts and bolts of preparation. Obviously we can see that losing data can be disastrous and many small businesses are experiencing this regularly. What are the high level steps they can take for IT disasters?

Kayvan: Sure this slide is very summarized. And it again since we have limited time I have to put really the bullet points of what is involved in preparing for IT disasters. If you notice I put the word IT Disaster because disaster recovery could be a little more comprehensive only more comprehensive. There are IT companies, medical companies that use… generators and all those mechanical things we need to get a full tube fully recover from a disaster and get it going. We really in today’s presentation… focused on the IT disaster and how to recover from that. You’ve heard the information you saw the stats, now you wonder where you start. Having done this before some of this information is ready. I like to get an idea about where to start. Where do I go, where do I buy? I would say don’t buy anything. Really nothing you shouldn’t even buy everything. Everything starts we deliver a planning of understanding your infrastructure. This is the most resistance from doctors even medical practice managers. They don’t want to be involved in that process they want to be handed off. I’m sorry you have to be involved in this process. This is a process; this is a business planning process. It involves technology and IT but you need to be involved in this. Then I’m going to be as hands-on as possible but this is the part you need to initiate and this is the part you need to be involved. You went with an IT team, you’re an IT expert for the company you’re working for your internal guy that does your IT. But you as a business owner you as practice manager you need to be involved in this process it’s not hands up.

Bryan: It’s interesting, I hate to interrupt, I just want to amplify your point. It’s interesting you say that because we hear that often for an approver around the risk analysis; there is really no way to do an entire risk analysis without participation from the practice. But sometimes what they want is to buy something off the shelf and it just be done, but of course you can’t really make a real analysis of risk without getting information from the practice itself. So if you’re trying to plan these things out, you’re the only person who has the necessary knowledge.

Kayvan: Exactly this is actually… it’s… this planning is not a commodity; you can’t go buy it from Best Buy; you can’t go buy it from Amazon. This is something that requires processing, requires brainstorming, requires talking to other employees of the company, requires an IT expert being there on site and kind of a combination of a lot of things. A lot of it happens by evaluating it on site IT structure and also talking to others, talking to your vendors and all those things. If you have an EMR system that has some sort of gateway or interface tool to a hospital or something. This is something that if I don’t know as your IT provider I’m not going to cover it. To me everything is like a folder. We know oh this is what it does. This needs to be up 24-7. These are the reports that get sent out to Kaiser at this time and this time. If I don’t know these things it doesn’t matter how smart I am as your IT provider I’m not going to be able to address them now. There are IT providers they kind of know they have to be more practice about it so they go deeper in questions, they ask everyone, they have a process about it. But my whole point is that you need as a business owner you need to be involved in this process. Performing an IT assessment is the first step, really just sitting down with your IT provider, listing the critical applications they use. Think about your EMR system; think about your emails; think about your files. And then I want to put this in perspective: please do not be a perfectionist in creating documentation. I would say this is the obstacle we notice a lot with people, oh my God documentation. Start a notepad and just put the main application that you are using then realize do a little bit more… surveying with the application something you’re using on site, or it’s not it’s in the cloud. You don’t even host it at your place, it’s not local, something that you accessed from the cloud.
The email system might be on site or your EMR you might be using eClinicalWorks or one of the cloud based EMR systems that’s not even hosted so you don’t need to worry about it. So it’s very important just create a bullet point of your application, is it hosted local or cloud just do that and even we’ve seen people create a little bit, they do a little bit of degree of how critical this application is. So it’s really something really basic when you think about it. But you’d be surprised how many people don’t even have that. The second step would be to conduct your risk analysis. I make it really simple when I’m talking to people about conducting the risk analysis: create what if situations, very basic what if situations. The main what if situations I personally like when people come up with their own is when you think about losing data or failed systems there are really only 3 scenarios when you think about it. I would say the lowest level of losing data is corrupted files, the deleted files, access a lost file that you need to restore. I would say that would be what if I lose this file. If you noticed I’m using the word file. The second level of case which gets a little bit more severe would be what if my whole server (notice the word whole server) what if my whole server goes down. I have no access to the whole server. This is different from case number one; your whole server is down. And the third what if scenario would be what if my whole office is not accessible anymore, I get hit by fire or a disaster. So I would say again I’m going to use these 3 cases again so I’m going to reiterate them again, lost file number one, number 2 would be full server down. And number 3 would be the whole office not accessible. So these are the 3 scenarios. Then you’re going to start thinking about what happens if I lose certain files on these servers… using Dropbox or a file system. What if I don’t have access to them and I lose my internet connection.
Then I go to what if situation number 2. Again the planning takes a little more work but I’m going to kind of just touch on it here and take it from this. These are the 3 what if situations you can easily create and then take it from there. And the next one should be devising the disaster recovery requirement. And this is something you might have a little template about. When you’re creating your plan the first thing you want to think about is your goals. I’m going to give you a little example. There is a term we use Recovery Objective (Inaudible 21:23) RTO. People have different expectations about recovery, the expected time to back up. There are medical offices or clients they tell me you know what I don’t care about my emails but my EMR system needs to be up all the time. If you notice the difference of expectation here, two different systems, one of them is okay to be down for 48 hours sorry. The other one needs to be up and running all the time; that’s what we call an RTO and that’s a very, very important thing to remember is the objective time people have in mind and based on that you have a review: okay this is what you need based on this objective. And this is what you need based on this objective. It’s very simple when you think about it. People by looking at lost revenue like moving my email don’t get email for 48 hours. I’m not going to follow it it’s not critical. If you’re searching 48 hours I’m not going to lose that much revenue. My EMR system I need it up running all the time. I would define the light resources and whatever to make sure it’s up and running all the time. So determine your goals, determine your objectives of the recovery, that’s the first thing you want to do. The second thing you want to do you want to define the steps to achieve that goal. I’m going to give you an EMR example. That’s something you want to look at your IT pro.
If you don’t want your EMR system to be down or be done in a minimum time what are the steps you want to take about it. You want to have same day hardware on your server. Do you have there are actually companies that deliver a hard drive within an hour. Do you have that service? Do you pay for that service? If you can pour into that you can have it up and running all the time? All is real detailed now that you need to think about. Again this is something your IT provider might have probably provide for you. But that’s when I say you need to determine the steps you get there based on your objectives; that’s what I mean: get the right warranty, get the right team on it, get the right whatever you need to buy, have an extra hard drive on the site. There are people that get different. They have a full extra server actually up and running all the time just to make sure they have zero down time if their EMR goes down. The third part of the planning would be flexibility. Who is involved? Name the vendors? Is it Dell? What is the number, what is the account number? Make sure you have these things accessible. I’m going to go over documentation later but remember that when things happen people are stressed out. Getting even a mind to get Dell’s number and then talking to different people on your site to get your account number is going to be hard. Make sure you have these things documented, things you take for granted actually. It comes really handy in situations like this when it happens. It’s going to shorten the time you’re recovering it. It’s going to make it easier on the person doing the recovery. So have it documented, have the responsibilities, who does what; if someone needs to stay up all night who is that person, is it your office managers, work with your IT vendors or your receptionist or something. Determine those responsibilities and also the vendors and the account numbers and so on. The next thing would be test the plan. If you notice I put tested before disaster.
You would not believe me when I say how many offices call us something has happened you don’t know them. And they contact us and they tell us yeah we lost your data this and that. You go there and the office manager, the receptionist, whoever is handling the backups, she tells us “Everything was working okay; here are our logs: backup successful, backup successful every night.” I’m looking at it and I’m like holy shit all the backups have been successful. They never tested the backups to make sure. This is horrible.

Bryan: Yeah

Kayvan: So that’s very critical. That’s actually one of the main reasons people lose data. They think they have backup but they don’t.

Bryan: Yeah just to add to that I think a lot of people aren’t aware of the fact that’s even a requirement of HIPAA; not only do you have to have a backup but you’ve got to test it just to be in compliance, let alone from all of these business continuity questions. But yeah I think it’s very unusual for people to test the backup.

Kayvan: Bryan, one of the reasons they don’t do it is actually if you’re not working with the right vendor or you don’t have the right knowledge it gets a little tricky, it gets challenging. Who wants to test backups every day or every week, that’s a lot of work? I need to assign a different person to do this, that’s another position. The good news is you don’t have to do it anymore. There are solutions out there that actually have that test restore embedded in the solution itself. Our own solution Total Protect does that too and there are some other solutions out there that do that so you don’t need to worry about it. Make sure you back up and you test it. This part I would highly recommend either get a solution to have that or don’t manage it yourself, have your IT team manage it. This is the part that needs to be hands-on. You don’t want your medical, practice manager or one of your doctors doing restores on a daily or weekly basis. I think to them it would be a waste of time. So you need to kind of delegate that to your IT provider. And again 2 things that are very important is people start creating, the case of (Inaudible 27:35) people create like a new folder… I don’t know they have a new HR system and they create a folder. They never add that folder to their backup because their backup is not updated. And a year later it’s been a year that the folder has been created but it’s never been backed up. The backup job is a success but never includes that folder.

Bryan: Right

Kayvan: That’s one of the main basic things that you go to like wow the folders I missed pretty much. That’s where you want to analyze your data. You want to go over your critical data, your critical folders and make sure all those folders are included in your backup. Another thing is tape backups. A lot of people like tape backups. Tape backups are pretty much the worst types of backups at this point; they are mechanical and a lot of times they are not restorable. You wouldn’t know it till you put it and you restore. So those are the cases we’ve seen. The next thing, next phase of this would be documenting the client. We talked about it but again I want to mention certain things. Don’t be a perfectionist, please note that. Don’t use a note pad I just want to make sure you don’t make big things in your mind documentation. All you need is a basic function to work with some bullet points.

Bryan: Yeah

Kayvan: Really that’s fine. You don’t know how much that little document which hopefully is not going to be more than a page. I think companies buy servers for 30 40 desktops the whole thing was less than a page. It was sufficient and it helped us a lot when something happened. Keep it simple; use bullet points for your point and everything. But also remember to print it out. I’ve seen cases where they have document and server crash.

Bryan: Yeah, I was going to ask about that. You know maybe have a copy somewhere other than your office just in case something happens.

Kayvan: Exactly, exactly that and also I would recommend you print it out and you have it handy in the office in a safe place, where people can access it without wasting time and kind of go over it. Yeah just make sure you don’t put it on a server that crashes or you won’t be able to access that document and it’s not available anymore. So that’s one thing I wanted to mention. Then the last thing I want to say is maintain the plan; treat this plan like a living document. I just mentioned I just told you about these missing folders. The reason people miss folders in their backup is because they never updated this oh we have a backup plan and we have the document. That document was from 3 years ago. You’ve added 30 new folders and they’re not even included in your backup. So make sure that every 3 months, every 6 months you kind of validate that oh we added the HR system, we added this accounting system. Is this something that we need to add to our backup? Make sure every addition is included. That comes with half an hour of reviewing what you have with your IT provider. And again reviewing and maintaining is much easier. It’s really a minimal task. Beginning might be a little more but as you start as you get on a roll you continue, every 3 months, every 6 months just spend half an hour making sure that document is updated the latest and greatest… I think we can move onto the next slide.

Bryan: Let’s look at this. What are the main causes of how people actually lose their data?

Kayvan: Actually now you’ve heard a lot about losing data and I wanted to kind of give you a list of why people… what are main causes of losing data. It’s category… to two things: it’s natural disasters and then manmade disasters. As you see I have the list of natural disaster and going over it. Remember Hurricane Katrina, that actually caused a lot of data loss in that area when it happened; you know floods, fires, power surges, lightning, these are some of the main causes. If you’re here in the Bay area thankfully you haven’t had that many hurricanes, fires and power surges. Those are the 2 things I would say are more relevant for our area. I know every part of US might relate to 1 or 2 of these things. But the more important one that people don’t know about too much is actually manmade disasters. The number one cause of losing data is first of all manmade disasters actually cause us more damage and data loss than natural disasters; that’s something to remember. Out of all those categories we have there end user meaning your staff, end user deletion by mistake, this is actually number one. We have a lot of cases where people delete something by mistake, they don’t realize and 2 months later they are looking for it and nobody knows where it is. Their backup they only backed up to a month. Now that data is gone forever. It’s a file that you access once in a while. Something happens to that file, the staff or employee deletes the file or some other file gets corrupted or something. A lot of times they overwrite it; I’ve seen a lot of overwriting. They have a backup for 30 days and it’s day 45. There is no way to get that back so that’s one of the main things. Theft is another cause of losing data. If you have your EMR and patient records on its server, desktop or something don’t think it’s too hard to unplug that desktop and just you know just get it out of your office or something.

Bryan: It happens all the time, all the time. And we see news reports about this happening. Big medical systems you know breach in LA here in Chicago all the time people are running off with desktops that have all of this protected health information. 

Kayvan: Exactly and I think the reason I want to… I think it’s a good point to mention here encryption. I don’t want to throw out big words but if you have encryption then you are spaced based on HIPAA. And that’s why HIPAA requires encryption. Anywhere that you have patient records that are digital or EPHR. Anywhere you have it you need to have it encrypted.

Bryan: I couldn’t agree more absolutely.

Kayvan: If some sort of theft or something happens people can’t read it; it’s there and they can access but they can’t make sense of it. They need it, they need to be coded very much. Data encryption, a lot of people are familiar with that. A lot of people think that’s a main cause. That is one of the main causes but it’s really on my list it would be 3rd, it’s not really number 1. Data infection or deletion by hackers, I just gave you the stat by small business being hacked and I gave you some numbers about hackers. That’s actually one of their hobbies. They log into your information and they delete your information. One of the things happening a lot is kind of worrisome is this you call it ‘ransomware’; they encrypt your data. They encrypt your data and they can require you to pay some money and a lot of times you pay with something called ‘Bitcoin’ because it’s not legal they could decrypt that data for you. So every day you’ve been accessing this folder, one day you go there and you can’t open the folder, when you open the file you can’t see anything. There is a little note pad with a little note hey you’ve been hit by this encryption tool and this is where you go to pay $500 to get your files back. It actually happens. If you don’t have backup, if you don’t have a live backup you’re not going to be able to really. It actually happened to one of our clients. More concerning part about this is your virus protection does not protect you against ransom. So you need another tool for that to really get that going. That’s something, that’s the trend; I will say the trend of 2014.

Bryan: Yeah

Kayvan: That happened. The last thing I have is the hardware malfunction which is again another main cause. Think about your hard drive, the mechanical part is always spinning and anything that spins for 2-3, 4 years one day will give out so just get ready for it or have a plan for it.

Bryan: Absolutely, so why do providers need a backup and disaster recovery plan? The picture there says a lot of the story but please address this if you would.

Kayvan: Sure definitely yeah… so that’s actually a picture from when Katrina happened. I think there was a loss of 108 billion not data but the whole damage might be… I might be a little off from the number because that’s what I remember from what I read. I always think about the backup and disaster planning as health insurance. Thankfully I’m a healthy person so far and I pay on monthly basis for my health insurance in 2014. I never went to a doctor but does it mean I really wasted my money. I didn’t because if disaster happens something happened to me that was major and you know the medical bills nowadays I’ll probably go bankrupt if I need to pay those bills myself. That’s a problem in our system we’ll hopefully get it fixed soon. Not related to the topic but anyways. So think about the backup and disaster recovery planning as your health insurance. The funny thing happening with Obamacare and everything it’s actually getting mandatory now to have health insurance. Guess what we’re in an industry called health care that you’re required to have health insurance. If you were in legal industry or you’re in accounting you would not be required to have it. But in health care you require it. So I don’t know if it’s a good thing or bad thing. To me it’s a good thing because people need to sometimes be pushed. If you noticed I actually have from HIPAA section 164.308 it talks about a backup contingency plan and I’m going to break it down for you. If you know, you’ll know from an expert in HIPAA there are certain parts in HIPAA that are required and there are certain parts in HIPAA that are addressable. Having a backup plan, having a disaster recovery plan and having an emergency mode operation plan I call (Inaudible 38:52) is actually required. You need to have it, if you don’t have it, if you don’t have that plan right now you’re actually violating HIPAA you could be fined. Now you might get fined think of it as your tax return, you might not.
But don’t even do it because of HIPAA it’s just best practice. Think of it as your health insurance one day in 3 years 4 years hopefully you’ll never need it but one day you might need it. And that’s when people go bankrupt because they can’t restore this data or patient records they lost the patient records.


Bryan: You do it for your business but it certainly is worth remembering that it is also required by the law.

Kayvan: Exactly it’s required and if you don’t do it you pretty much are violating that. Now the addressable part is the testing (Inaudible 39:47) remember the client should test (Inaudible 39:53) really you don’t want to test your backup and disaster recovery even your IT room is caught on fire and you don’t have anything left. You really want to test your backup and disaster recovery because it’s too late.

Bryan: Now you were saying before about you know tape backup probably the worst option today. Give us some drawbacks of that approach and more traditional backup approaches.

Kayvan: So I want to kind of break down I use 3 things so far. I know a lot of people backup they’ve been using the word ‘backup’ for years. But I kind of want to touch the basis of what backup is and I want to tell you about disaster recovery and business continuity. So we’re getting 3 trends, backup, disaster recovery and business continuity. I want to start with backup which is the most basic. And then I’m going to give you some drawbacks to the traditional backup that you’ve seen. Backup is a simple thing you backup actually copying or creating duplicates of your files or your full server or system image. I’m not talking about the location of it. When I say ‘backup’ I’m not mentioning if it’s going on site if it’s a site (Inaudible 41:11) when you use the word ‘backup’ you’re just talking about the activity itself; you’re creating backups of your file or full system images. I divided backup into 2 categories, either it’s a file backup or a full system backup. And they are different. I mentioned the file is you just restore files, the system you backup everything on a server like an image then you can restore that whole server which is definitely more recommended. A lot of medical offices Bryan are unfortunately still using tape backups. They’re using… I hope I don’t offend anyone. I’ve been to medical offices where you step in and there is… a toolbox around and I’m looking at it and there is the tool boxes like Monday Wednesday Tuesday the name of the weeks on it. In that right in front of my eyes there is this USB with all the patient records for each day. And believe it or not I could’ve put it in my pocket and leave that easily.

Bryan: Right

Kayvan: That easily… please don’t backup like that put it in a safe when you do it. First thing tape backup even USB and hard drive backup they are easily stolen easily lost because they are mobile. You can put it in your pocket and go. Second thing 99% of them they’re not encrypted. Meaning if I put that USB drive in my pocket and go home and connect it to any computer I can read the data on it that easily. It’s not encrypted it’s really plug and play type of thing. Actually the tape backups are really, really slow. So if your objective time is to store within 1 or 2 hours I don’t know of any tape backup that can restore a full system in 2 hours you might be looking at 5 or a whole day. Tape backups are really slow; remember tape backups are linear you need to get to that part of the tape. They are mechanical. For the backup there are factors to actually remember. Most important thing is how often you do a full system backup. This goes back to your planning. Remember I talked about EMR you don’t want it to be down I would say for 0 minutes, or if it’s down you want to be able to restore up to this point; meaning my EMR went down I want to be able to restore up to the last hour; that means you need an hourly backup. If your backup is from last night I’m not going to be able to give you anything from the morning part that you worked. So determine your applications and determine how often you want them to be backed up, so when you want them to be restored you know you can go back and do that. The new solutions out there Total Protect they go all the way to every 15 minutes of backup, so you can actually back up every 16 minutes.

Bryan: And obviously then you’re not talking about a manual process where you’ve got to switch out your media or whatever it is. Because the more manual that process of backing up is the more unreliable it’s going to be and the more labor intensive for the practice obviously.

Kayvan: Exactly this is going to be something completely automated. All you want to see is a bunch of reports that everything is working fine, be completely hands-on. Another factor to consider is how fast you can restore. I mentioned about tape backup. Hard drives are a little… not even a little they are much faster than tape backups but again they have the problem of encryption and being easily stolen and testing it. Tape backup testing could be very tough. Imagine putting the tape up every night and start testing the tape backup. I don’t think anybody would do that. These are the drawbacks to using a tape backup. Let’s move onto the next slide. And so I gave you the backup. A lot of people already know about backup. You heard about disaster recovery and you know what it is but you’re still not clear what it does and the relevance of backup. I always mentally the way I think about is think about… draw it in your mind and put backup. That’s the name of the circle. Now put this circle in a bigger circle and call it disaster recovery. So backup is a subset of disaster recovery. They go hand in hand. And the way you do your backup kind of determines whether you have disaster recovery or not. And in simple terms it referred to the specific steps taken to resume operations in the aftermath. You notice I put the word ‘aftermath’ in bold or catastrophe or manmade disaster or national emergency. Something disastrous happens. What is disaster the lowest level of disaster I would say is your whole server completely down on the next level or the normal disaster I would call the whole server room or your whole office being down, from a fire or something like that. That’s what we call a disaster. You need to have some sort of plan to be able to recover from that. And going to go over some scenarios later on… I know we’re running out of time but the most important thing you need to remember in disaster recovery is the location of your backup.
You need to have an offsite put it in for instance cloud sort of backup so you can restore your data from offsite if your server room is gone, servers are gone, hard drives are gone, tapes are gone, the only way to get your data is from offsite and a lot of people equate the term offsite with disaster recovery. Disaster is a little more than that but the key thing you need to have is having some sort of offsite backup and taking it from there.

Bryan: Right now we’re going to talk about the cloud here in a minute as well and why that makes so much sense for disaster recovery. We’re running short on time maybe we should get to what is business continuity. How is that distinguished from disaster recovery?

Kayvan: Sure now again business continuity now you can draw a bigger circle that involves both backup and disaster recovery. And in simple terms business continuity gives you the possibility of continuing doing business, meaning getting emails receiving patients using your EMR even if your whole server room or even your whole office is down. You might wonder how that works so there is a little thing we’re going to cover later but that’s really what business continuity is, is that it not only protects you it makes data loss. It actually protects you against downtime. And I’ll make sure to change the word downtime. You’re not going to have downtime, it doesn’t matter people are working on servers you ordered new servers because it caught fire, it’s going to arrive you need to configure it. All these things are going to take time. And here and there I’m looking at 48 to 72 hours at least to get the basic server going. But meanwhile when these things are happening what if you still continue doing business you’re not going to notice things are happening. I’m going to tell you how that works and what solutions out there that kind of enables you to get. Bryan this business continuity and I’m not exaggerating to tell you even Fortune 500 couldn’t do it 7, 8 years ago. Now it’s available to small business they can do it. It’s affordable and a lot of people don’t know about it but it’s on the cloud and virtualization. It’s affordable, it’s easy to deploy and a lot of work with your IT provider you can get the right solutions to give you business continuity. Let’s move onto the next slide and… alright so…

Bryan: Let’s talk about them what is the best way in your opinion to go about doing this?

Kayvan: We heard all these terms and wonder how do I go about this, what solution do I need? If you’re talking to your IT provider or vendor I would say the first thing should be requirement. Very simple the solution you’re looking for should include backup, disaster recovery and business continuity. You don’t need to worry about exactly what they are I know we colored it. This is a requirement you should have in your business. Make these 3 topics are covered in whatever solution you’re getting; backup disaster recovery and business continuity. If you’re using some sort of third-party cloud backup make sure these 3 check boxes are there for that. IT provider can help you determine that or give you the right solution that does it. That’s the summary of exactly what an optimal solution is. Make sure HIPAA compliance encryption. I don’t know of any new some of the new solutions that are out there that are HIPAA compliant and I want to make sure and I think Bryan noticed there are companies big names out there that are not HIPAA compliant or sign a business associate agreement. I know Carbonite, I know Dropbox some of them they don’t sign anything with you and some of them are not even mentioned if they are HIPAA compliant or. So they are big names.

Bryan: And some of them say and I won’t name names but some of them say things about the law that is just not correct. So if you don’t have a business associate agreement with them I couldn’t agree with you more you’ve got to make sure that’s in place and they’re HIPAA compliant.

Kayvan: Yeah it’s important you need to work with a company that has a BA agreement with you and if they don’t comply it doesn’t matter if it’s Microsoft you can’t really do business with them it’s that simple as that. Make sure the solution you get is managed; you don’t want to be doing backups and restores, tests and all of the things on a daily and weekly basis. Make sure as delegated as possible off your plate, on their plate and it’s completely managed. Backups are very flight. The optimal solutions including our Total Protect make sure you don’t have to pay too much capital cost partner service where you buy, you get the hardware for your backup and recovery and you pay some sort… you show costs but you don’t buy it, it’s kind of leasing it pretty much. They don’t need that much up front capital cost for it. Make sure whatever the solution you get is pay as you go model which means you might have 2 servers today you might have 4 servers. Data happens very fast right now, you might hear the word big data. It’s happening a lot, people putting charts quickly things are filling up. Make sure you get a solution that is sustainable. And you kind of pay as you go model and you can kind of go with that instead of getting the big thing at the beginning and not using it. The management costs make sure it’s included in your monthly cost for the solution; so whatever you pay on a monthly basis for the solution. If there are problems with it make sure it’s already in place and you don’t need to pay. A lot of times these are kind of senior level engineers. So it could be very sensitive you need to pay for it hourly. I don’t think there are solutions out there that would charge you but make sure they don’t charge you for whatever contract you have. Anything happens to your backup, any kind of aid you need, you need to do this, you need to do that make sure it’s included in your monthly plan. You don’t need to worry about.
And then one more item I want to mention is… there might be times and I’m going to mention in the next slide there might be times where you need to run a virtual server, clone server in the cloud. Make sure you know how much it’s going to cost you. If your office is not accessible for 2 weeks and you need to run your EMR server in the cloud 2 weeks of cloud time. If there is a cost how much it’s going to be… for our Total Protect solution we offer it for free for clients if there are other solutions out there we charge you on a daily basis. You have 2 servers running a cloud per day this is how much it’s going to cost you. (Inaudible 54:00) so these are the 4 major areas. The most important would be whatever you get make sure it includes backup, disaster recovery and business continuity. Let’s move on to the I guess the last slide. I noticed this picture looks a bit overwhelming but I’m going to simplify. This is the kind of picture based solution that is the optimal solution that includes backup disaster recovery and business continuity. If you notice in the middle I have a local map think of it as a device, Total Protect. It’s something that it comes to your site, it comes to your office all your email server your file server, let’s say you have an EMR your EMR server, desktop anything that you have does backup to this device. Now I mentioned about these 3 cases of data loss that happens. Using case number one using a full server with case number 2 and having the whole office the whole down is case number 3. Let’s see with each case what happens and how we can recover from this. The first case is deleting a file by mistake from your file server. You access a local map and you store that file where it’s accessible to actually web. When I say ‘web’ it’s actually local but you can use it like Internet Explorer or Chrome to access it.
The second case what if your email server your whole server catches fire, overheats, the hard drive dies and the whole server is down. Now remember that I told you that it was a 0 downtime with some companies they don’t expect any downtime. The beautiful thing about this solution is local maps clone server on itself. What it can do is it can boot that clone server and get you up and running. Your staff won’t even know the original server is down actually. They still think they are accessing the server. As I mentioned these are every 15 minutes. So you might lose about 10 minutes but compare that to days or weeks being off or down when your full server is pretty much gone. People start using the (Inaudible 56:25) call server on this little map you can spend 7 days, 10 days, 20 days fixing the original server or order a new server (Inaudible 56:37). As you noticed it’s going to give you business continuity at the same time. Moving on to the third case where your whole office is down. If you see the picture my local map is synced with the offsite map which is in the cloud. This happens on an hourly basis meaning that if your whole office is down you need to still have access to your EMR system. You need to get that going. You have the clone (Inaudible) your EMR server in the cloud we can actually boot that server for you get you going and give you some remote access, get you going you can start accessing data whatever it is that you need to do till your whole office is fixed, everything is fixed from some sort of fire. And then you can move back to your original office and get the physical or original servers up and running. But again it gives you instant access. And it gives you business continuity where you continue doing business even though it was a full disaster that happened in the office. So that’s a higher level picture of that.
What I meant by making sure you know how much they charge you if you run your server in the cloud I was talking about number 3 where your whole office is down and you need to run your servers in the cloud. I have an idea of how much it’s going to cost. But some people offer 14 days free. I hope the 14 days you have your office back. 

Bryan: That might not be as easy as it sounds. It might not be possible in some cases.

Kayvan: Exactly

Bryan: It’s interesting to see how this hybrid approach offers the best of both worlds because you’ve got the onsite local storage but then you’ve also got the cloud backup option as well because you know if all your backups are in your office and your office burns down you’ve defeated the purpose.

Kayvan: Exactly definitely you want to get that offsite. The beautiful thing about this Bryan is you can’t only do file backups offsite, your server offsite so you can get a clone of your server in the cloud offsite till everything is fixed.

Bryan: And you can just do that very quickly without…

Kayvan: Very quickly within one hour maybe less than an hour you can get that going and clients love it. It’s the best thing that happened to us for the past 15 years we love it.

Bryan: Well we’re just about out of time. We didn’t have time to get to our questions we had some from our audience. We’re going to go ahead and send those to our experts so don’t worry about that. I want to thank you so much for joining us today Kayvan. This is a really great subject. I really feel like we learned a lot from your presentation so thank you much.

Kayvan: My pleasure I hope it’s going to be a good year for everyone.

Bryan: Okay if you want to learn more about this subject or learn more about the services. We’re also going to send out the slides and the recorded versions of this event if you want to share with anyone so please do that. I want to thank our audiences for joining us today. And again thank you Kayvan for joining us. If you’re looking for level 2 HIPAA training we have a new workshop series approaching next week here at Format Approved. Our certified HIT security administrator course builds on basic HIPAA knowledge to give you an advanced knowledge of security practices. You can learn more about that at www.Formatworkshops.com. You can go to FormatApproved.com and click on that learning lunch series button to see our upcoming events. Also keep an eye on your email inbox for upcoming events. We bring experts to you on a weekly and monthly basis on subjects related to HIT so please join us for those future events. Thank you again to everyone and we’ll see you at our next Learning Lunch event.