Dispersing digital records
Tom, your company develops medical device technology. Now that youve had a chance to see what a substantial regional-scale event can do, has there been any kind of reanalysis at FoxHollow Technologies of what it means to be prepared for an interruption of operations? Miller: I think weve really reflected on what the impact could be in some places, like Northern California, where we are. We truly understand that any disruption is probably going to be regional in scope and that any planning we have to do has to consider not only the impact on the entire Bay area but probably the state of California.Coming back to the people element, we realize the individuals obligations are to their families first and to their business second. Now, correct me if Im wrong, but youre in an operation where a substantial amount of your assets are digital recordsclinical trial data and so on. Miller: Yes, thats correct. Do you have that information in a nice salt mine in Kansas, or is site diversity for backup storage a major priority because of the considerations weve just been discussing? Miller: We will be looking at diverse sources for storage of information, both electronic and hard copy. Would it be accurate to say that the need for a very-big-picture view of that has been intensified by this episode? Miller: Yes it has. For us, it really comes down to: What are we going to do from a risk management standpoint? And how can we make sure that we involve the business in its entirety? As with any business continuity plan, we want to make sure that it doesnt look just at the IT side of the house and that were looking at how can we operate entirely as a business. Thats actually one of the threads thats been coming back to me from some of the Y2K-readiness discussions that we had. People were saying that the main byproduct was a much wider perspective on the number of other peoples systems that have to be working for there to be any point in having systems up at all. Have any of you had any epiphanies as part of any discussions in which people have said, "You know, our own boundaries cannot be the point at which we stop talking about readiness." Siconolfi: There are service-level agreements, and there are federal regulations for how long you can take to pay a claim, for example. And the way the electronic gateways work, the EDI [electronic data interchange] tools, well, a lot of those things are programmed to meet certain SLAs. Even from systems processing a claim or a membership or whatever it might be. So, yes, were very dependent on third parties and other partners. So not only do you have to be prepared to relax certain thresholds and guarantees, but you also have to make sure that others will cooperate with you. Siconolfi: Yes. You can pay fines for not paying a claim within a certain period of time. Is there anything that is being looked at for immediate implementation, in response to the hurricane and its aftermath? Rosen: One of the things were looking at is more automated tools to help the systems at the backup site run with less attention so we dont have to get the people there. I think that may be a promising approach to take to address some of these problems. I guess a lot of it is, What is the maximum credible event? I dont think anyone has an operation scenario that says, "All right, how do we function for one week after a nuclear attack on the city?" But was 20 feet of water in New Orleans a scenario that people should have been prepared for? Whats the worst we can even plan for? Gunnerson: We try to plan for that stuff, and, on a systems side, you try to make things as resilient as possibledoing your off-site backups, the whole bit. But I think, when it comes down to it, you really have to have a plan in place and know that you can execute it. And you have to try it out a couple of times. Once youve done that, its just a matter of, Are you prepared to respond? Because youll never be able to run your rule book, right? I dont think you could ever plan well enough to respond appropriately to every scenario. So what you really have to do is have a group thats prepared to respond and then adjust your response based upon what your issues are. Thats the hardest partto make sure youre ready to respond. Check out eWEEK.coms for the latest news, reviews and analysis on IT management from CIOInsight.com.
Weve looked at things like business-resumption services through companies like SunGard, with its SunGard Availability Services, but the nearest recovery center, in San Ramon, could be impacted by a regional disaster. So, were realizing that we need to push outside the Bay area and even potentially outside California to reflect that any impact is going to be really large for us.