Seismic-Compliant Data Center Requirements

A Long Beach hospital that nearly reached 100 years in operation had to shut its doors because it was built on an active earthquake fault and is incapable of meeting state-mandatory seismic safety law. The hospital, Community Medical Center Long Beach, sent the city notice to end the lease in four months at the beginning of March, taking effect on July 1st. Earthquake research performed in November discovered an active fault beneath the 200-bed hospital.

According to John Bishop, the provider’s CEO, the only path forward in order to meet the June 30, 2019, deadline for seismic compliance was to demolish a large portion of the hospital. “We exhaustively explored all options to continue operations,” he said.

We often see stories about federal healthcare violations, failure to meet the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements, resulting in Health and Human Services (HHS) fines. This story illustrates how impactful the Seismic Safety Act can be to California hospitals. Seismic compliance is not limited to hospital design and construction. To stay aligned with state law, your earthquake preparedness must extend to the operations of your data center, whether you host a HIPAA compliant database, a HIPAA compliant website, or something else.

What is the Seismic Safety Act?

Hospitals in California must go beyond their concerns with safeguarding electronic protected health information (ePHI), the data federally protected by HIPAA. These institutions also must comply with California’s seismic compliance laws.

Seismic compliance demonstrates that a hospital has the practices, technologies, and other elements in place to maintain smooth operations during an earthquake. If hospitals want to use external locations for their information technology infrastructure, they will need to verify that the applicable data centers are either seismic-hardened or lie outside seismic hazard zones. (See the Federal Emergency Management Agency’s Earthquake Hazard Maps.)

Many hospitals are expected to migrate their IT operations to third-party hosts or colocation providers. The data centers of these third parties, whether in high-risk areas or not, are especially compelling to hospital decision-makers when they have experience with the Seismic Safety Act and other forms of healthcare compliance. The requirement for seismic hardening of data centers goes into effect on January 1, 2020.

Seismic compliance has been a concern for California healthcare for more than 30 years, with strengthening of its parameters in the Seismic Mandate, introduced through Senate Bill 1953 (Chapter 740, Statutes of 1994; Seismic Mandate) in the California Legislature and signed into law on September 21, 1994. Passed in response to the Northridge Earthquake, which led to $3 billion of hospital damage, SB 1953 extended and revised the parameters of the Alfred E. Alquist Hospital Seismic Safety Act of 1983, aka the Alquist Act, which was additionally developed through the Essential Services Buildings Seismic Safety Act of 1986 (ESBSSA).

The 1994 Seismic Mandate created a system of classification for any hospital buildings, five structural and five not. The bill also established deadlines during which classifications could be improved and created the California Facilities Development Division’s Seismic Compliance Unit (SCU) within the Office of Statewide Health Planning and Development (OSHPD). The SCU develops and drafts seismic regulations for approval by the California Building Standards Commission.

Requirements for a seismic-compliant data center

It is critical that hospitals remain open and operational when disasters strike. That means all data systems must be highly available so that they are accessible by healthcare practitioners needing immediate patient information. In order for a data center to be seismic-compliant, it must have sufficient earthquake safeguards in both its overall construction and direct equipment protections:

Building – Just like a hospital must withstand an earthquake, so must a seismic-compliant HIPAA data center. Here are parameters for construction established within the California Building Code (CBC), American Society of Civil Engineers (ASCE), and International Building Code (IBC):

• During an earthquake, any building that has a seismic rating should be extremely unlikely to collapse.
• Essential services have to remain operational when earthquakes occur. Organizations that are considered critical, ones that pose a significant threat to human life when they are nonfunctional, fall under the IBC’s Category IV. Along with hospitals, other examples of institutions that fall into this category include airplane towers, fire stations, and police stations.
• Nonstructural building components must be safe from turning over or sliding out of position when an earthquake occurs, as indicated by demanding calculations.
• Special methods of installation and/or floor design should be implemented if suggested by the component importance factor (Ip) of parts, grades that are given to all structural and nonstructural elements.

Cabinets, racks, and bracing – Servers, cables, and switches must be safeguarded against the threat of an earthquake. Specifically, you want to reduce the amount of extra motion that occurs during a quake, which strain network connections and cables. To do so, you can implement specialized equipment and components, such as seismic-compliant cabinets, racks, and braces. Sam Rodriguez, Sr., shared in Data Center Frontier the three standard ways that manufacturers can establish the seismic safety of their products:

• shaker table testing: physical testing of products, within strict parameters, that simulate the movements of an earthquake;
• experience data: evidence that a product exhibited strong performance during a seismic event; and
• design and analysis ratings: numbers and ratings, such as the Risk Category and component importance factor (Ip), that are based on established standards.

Complete IT disaster recovery plan – Preparation and response to an earthquake, as with any other type of disaster, should be systematic. The standard way to prepare for disaster, prevent downtime, and expedite restoration of services is with a disaster recovery (DR) plan. Key elements of this document are described below.

Six elements of a strong data center disaster recovery plan

The response to earthquakes should be part of a broader effort to be ready for any emergency event. Here are key components of an information technology DR plan –what you need in place internally and should expect from any seismic-compliant data center:

1. Assessment of possible threats and methods of response – A disaster recovery plan should address all possible elements that might prevent your business from maintaining operation.
2. Business impact analysis (BIA) – Core to a DR plan is the BIA, which covers impact on various aspects of your organization: reputation, legal, regulatory, safety, financial, etc. This document, said Gartner, “identifies and evaluates the potential effects… of natural and man-made events on business operations.”
3. Staff processes – You want to be aware that you need people and processes to support your operations and disaster recovery. Consider what you will require from your personnel in order to rapidly recover.
4. New version parameters – Wrongly, the disaster recovery plan is often considered a one-time affair. The truth is that updating your DR plan is critical so that it always reflects the technology presently installed at your company. The guidelines for release of new versions should be included in your original DR plan.
5. High-priority specifications – Determine what are truly your most critical systems and data. Proprietary information is high-value, for instance, as is highly sensitive personal data, especially information that must meet compliance with standards or laws. Your plan should focus first and foremost on these key areas.
6. Test and drill policies – You must test to determine how your DR plan might be applied to a real-life scenario. It is also important to have your staff practice their response to a disaster through drills (similar to school fire drills). The plan for these tests and drills – their content and schedule – should be within your DR plan.

Your seismic-compliant healthcare data center

Many hospitals are turning to hosting providers that are seismic-compliant, some of which are automatically since they are outside the earthquake hazard zone. Regardless the need for earthquake protections in a given area, you want to know that disaster recovery best practices are in place, as demonstrated by key compliance certifications; plus, healthcare compliance is critical as well. At Atlantic.Net, where our data centers are SSAE 18 (formerly SSAE 16) SOC 1 and SOC 2 compliant, we offer seismic-compliant, HIPAA-compliant hosting in our Los Angeles and San Francisco facilities and five locations outside California. See our seismic-compliant HIPAA data centers here.