Having appropriate business continuity plans (BCP) and disaster recovery plans (DRP) in place will ensure that health care organizations can operate and care for patients through different types of interruptions. Whether natural disasters, human errors, or system crashes, catastrophes can be tragic in the health care setting, and having these plans in place is critical.
BCP is the logistical plan that ensures the system can recover all or some of the patient care systems. In some cases recovering from a system failure quickly can be a matter of life or death. In addition to patient health, resuming normal operations as quickly as possible minimizes disruption to the business.
At its most basic, a BCP is an organization-wide process that defines, tests and maintains a plan to recover from any system disruption or failure.
Existing standards provide key elements and controls for risk assessment. HIPAA requirements provide controls for administrative, physical and technical safeguards. Meanwhile, a widely adopted international standard -- defined in the International Organization for Standardization and the International Electrotechnical Commission's ISO/IEC 17799 -- consists of definitions for information security controls in the following 10 areas:
- Security policy
- Organizational security
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- Systems development and maintenance
- Business continuity management
Several steps have been developed as general guidelines for creating business continuity plans. Each is covered below.
1. Prepare a task force.
During this initiation phase, the leadership team must define and identify the different stakeholders and members of the BCP team, as well as a team lead. The team or BCP leader must be familiar with the different departments in the hospital or integrated delivery network (IDN).
One must keep in mind that the teams preparing business continuity plans may not necessarily be the pool of individuals who, during a disaster, will assume some of the roles defined in the plan. This BCP team will only be responsible for creating the processes and plans.
2. Conduct a business impact analysis.
It is not a simple task to truly know the importance of a system and its impact on an organization unless it has been properly assessed. This is where organizations such as hospitals find it critical to properly conduct a business impact analysis, or BIA.
Part of the BIA process is assessing the financial impact (example: lost revenue from inability to perform medical procedures) and non-financial impact (example: damaged reputation or regulatory non-compliance) due to a business continuity event.
During this step, the BCP team will conduct several assessments, which will identify the following key criteria:
- Critical hospital systems, operations and services needed
- Potential social, financial and legal impacts on the organization
- The acceptable time frame for time-sensitive operations
- The different resources and systems needed to ensure appropriate recovery and resumption of some or all critical systems
In addition, identifying additional controls will only help mitigate the risks to the organization. A few have suggested that all the security breaches seen in the last few months against highly secured systems -- operated by the government as well as large corporations -- simply mean that no system is safe or protected. In reality, it is still critical to invest in securing the environment and put in place safeguards to respond to data loss or system outages that may be caused by hacker activities.
3. Conduct a cost benefit analysis.
Once the BIA has been completed, the organization must use the information to evaluate the alternative strategies available. While in some cases outside vendors may recommend some solutions, it is still important for the group to identify the most plausible strategy, as well as the budgetary requirements for the capital needed to execute business continuity plans.
Keep in mind that the potential loss of income and fines associated with loss of data, legal cases or longer system disruptions can justify the cost of acquiring the appropriate strategy. A proper BIA is therefore critical to show proper justification for some of the costs required.
One essential point to make is that there must be a proper presentation to the executive team that outlines the evaluations made for all the DRP and BCP alternatives. In addition, the presentation must discuss the financial exposures and operational impact the organization would face under each alternative.
4. Design and develop the BCP.
Once the approval is received from senior management and funding is made available for the proposed BCP requirements, the team can now proceed and prepare for the plan development.
The plan needs to tell all staff, clinical and non-clinical, how to communicate, how to access systems and what changes need to be made. Examples of changes include alternate ways to access patient records (by using different on-screen icons, for example) or a different method of contact for physicians and nurses.
For a hospital environment, the focus should revolve around how patients can receive the appropriate care and at the same time ensure that any equipment that is needed, or data such as medication lists and electronic health records, can be accessed through alternate backup systems or offsite systems.
The implementation of business continuity plans also means purchasing products and services. It is critical to complete all previous steps to properly define all the requirements for the appropriate solution needed in place.
Some hospital system vendors provide expertise and services to assist in business continuity planning. For example, Epic Systems Corp. provides extensive services around BCP and documentation to assist in properly preparing for outages. These can provide valuable time-savings and emergency assistance.
5. Engage in communications, awareness and training.
Educating the staff on the process that needs to be implemented during a disaster is critical. This exercise must be performed regularly.
Likewise, it is critical to establish clear communications during a crisis. Communicating with key stakeholders and notifying internal and external entities must be done in accordance with the plan that was put in place. This will ensure timely and appropriate response to the emergency.
6. Conduct maintenance and testing.
In order to ensure that the organization remains protected while still continuing to make additions and changes to its IT systems, it is helpful to establish a planned exercise program. These exercises will test and identify any gaps in coverage during a simulated crisis.
Examples of announced exercises include the following:
- A planned outage of the server hosting the local data store for selected business applications, such as RIS, EHR or a bed management system. This will force the organization to test the plan for clinical staff to immediately utilize offsite systems.
- A planned system restore to an alternate site or servers. This will test the restore time and overall functionality after a full system recovery. This will also help ensure that all the critical IT components are recoverable.
An unplanned exercise, on the other hand, can use some of the above planned exercises, but without providing prior notification. (In this case, it is important to get senior management approval and to consider limiting the exercise to a controlled environment.) This will help ensure that any issues discovered during previous exercises have been corrected.
The exercises are valuable, as they provide an opportunity to test and correct any problems that may be unrecoverable during a real crisis and emergency. They may also become part of the maintenance plan to ensure that, as changes are made to the IT infrastructure, BCP testing is being performed as well.
Conclusion: Appropriate planning ensures business continuity
We are facing new challenges every day. In recent years, even in just recent months, we have been through some unimaginable destruction, from tornadoes, hurricanes and floods to acts of terrorism. We have also seen countless high-profile data breaches, not to mention the defacing of several government and security firm websites by hacker groups.
All these factors do concern health care organizations. While they are simply events that we wish would never happen, we must be cautious and prepare our organizations, through appropriate and careful planning, to ensure business continuity throughout these events.
Reda Chouffani is vice president of development with Biz Technology Solutions Inc., which provides software design, development and deployment services for the health care industry.