• The acceptable time frame for time-sensitive operations
• The different resources and systems needed to ensure appropriate recovery and resumption of some or all critical systems
In addition, identifying additional controls will only help mitigate the risks to the organizations. Few have suggested that all the security breaches seen in the last few months against highly secured systems—operated by the government as well as large corporations—simply mean that no system is safe or protected. In reality, it is still critical to invest in securing the environment and put in place safeguards to respond to data loss or system outages that may be caused by hacker activities.
Conduct a Cost Benefit Analysis
Once the BIA has been completed, the organization must use the information to evaluate the alternative strategies available. While in some cases outside vendors may recommend some solutions, it is still important for the group to identify the most plausible strategy, as well as the budgetary requirements for the capital needed to execute business continuity plans.
Keep in mind that the potential loss of income and fines associated with loss of data, legal cases, or longer system disruptions can justify the cost of acquiring the appropriate strategy. A proper BIA is therefore critical to show proper justification for some of the costs required.
One essential point to make is that there must be a proper presentation to the executive team that outlines the evaluations made for all the DRP and BCP alternatives. In addition, the presentation must discuss the financial exposures and operational impact the organization would face under each alternative.
Design and Develop the BCP
Once the approval is received from senior management and funding is made available for the proposed BCP requirements, the team can now proceed and prepare for the plan development. The plan basically needs to provide information to all staff—clinical and non-clinical—about how to communicate, how to access systems, and what changes need to be made. Examples of changes include alternate ways to access patient records (by using different on-screen icons, for example) or a different method of contact for physicians and nurses.
For a hospital environment, the focus should revolve around how patients can receive the appropriate care while also ensuring that any equipment or data that is needed—medication lists and electronic health records—can be accessed through alternate backup or offsite systems.
The implementation of business continuity plans also means purchasing products and services. It is critical to complete all previous steps to properly define all the requirements for the appropriate solution needed in place. Some hospital system vendors provide expertise and services to assist in business continuity planning. These can provide valuable timesaving and emergency assistance.
Engage in Communications, Awareness, and Training
Educating the staff on the process that needs to be implemented during a disaster is critical. This exercise must be performed regularly. Likewise, it is critical to establish clear communications during a crisis. Communicating with key stakeholders and notifying internal and external entities must be done in accordance with the plan that was put in place. This will ensure timely and appropriate response to the emergency.
Conduct Maintenance and Testing
In order to ensure that the organization remains protected while still continuing to make additions and changes to its IT systems, it is helpful to establish a planned exercise program. These exercises will test and identify any gaps in coverage during a simulated crisis.
Examples of announced exercises include the following:
• A planned server outage to the local data store to selected business applications, such as RIS, EHR, or a bed management system. This will force the organization to test the plan for clinical staff to immediately utilize offsite systems.
• A planned system restore to an alternate site or servers. This will test the restore time and overall functionality after a full system recovery. This will also help ensure that all the critical IT components are recoverable.
An unplanned exercise, on the other hand, can use some of the above planned exercises, but without providing prior notification. In this case, it is important to get senior management approval and to consider limiting the exercise to a controlled environment. This will help ensure that any issues discovered during previous exercises have been corrected.
The exercises are valuable, as they provide an opportunity to test and correct any problems that may be unrecoverable during a real crisis and emergency. They may also become part of the maintenance plan to ensure that, as changes are made to the IT infrastructure, BCP testing is being performed as well.
Appropriate Planning Ensures Business Continuity
We are facing new challenges every day. In recent years, even in just recent months, we have been through some unimaginable destruction—from tornados, hurricanes and floods to acts of terrorism. We have also seen countless high-profile data breaches—not to mention the defacing of several government and security firms by hacker groups. All these factors concern healthcare organizations. While they are simply events that we wish would never happen, we must be cautious and prepare our organizations—through appropriate and careful planning—to ensure business continuity throughout these events.
VOLUME 2 • ISSUE 1