Are You Prepared for the Unexpected?

Disasters are not always the result of high winds and rain. In the past two years, 52% of businesses experienced an unforeseen interruption, and the vast majority (81%) of these interruptions caused the business to be closed for one or more days.
Source: 2009 Disaster Recovery & Business Continuity Survey

Rob Drewniak
Business continuity and disaster planning
As healthcare’s reliance on technology increases, so does the need to ensure that critical systems and processes can be recovered quickly after operational interruption and/or disaster. As a result, Business Continuity Planning (BCP) is becoming a priority. This is not just an IT issue; organizational executives, from CEOs and CIOs to risk management, compliance officers and security officers are becoming more aware of the need to take strategic and proactive actions to protect their organizations. By developing and implementing a comprehensive BCP, the organization can minimize its overall risk of outages, operational down time and loss, resulting in improved patient care reliability and operational stability.

Industry semantics
There are various industry terms to describe the effort to mitigate the negative effect of interruptions on operations: Business Resumption Planning, Disaster Recovery Planning, Crisis Management and Business Continuity Planning. Although each is a bit different as outlined below, all require a plan, a process and ongoing training to be effective.

A Business Resumption Plan typically describes how to resume operations after a disruption or critical event. A Disaster Recovery Plan primarily deals with recovery of information technology and services assets after a disastrous interruption. Both plans imply an outage in critical operations or services and are essentially reactive in nature.

Crisis Management refers to how an organization will deal with the emergency, disaster or catastrophe during the event. The focus at this stage is to carry on through the crisis and to mitigate its effects as it unfolds.

Recently, there has been a move from Business Resumption Planning to Business Continuity Planning, acknowledging that in the healthcare environment, it’s not sufficient to resume critical services; they must be provided continuously. While Disaster Recovery and Crisis Management focus on rebuilding or alleviating the effects of a disaster, emergency or catastrophe, Business Continuity Planning focuses on sustaining the delivery of services for ongoing operations. If your healthcare organization has a well-structured BCP, it can continue to provide mission-critical services, regardless of the nature of the interruption.

The Business Continuity Plan
A Business Continuity Plan is a collection of policies, procedures, protocols and information that is developed and maintained for use in the event of a business interruption. The BCP outlines the steps the organization will be required to take to quickly carry on business and operations. The BCP should clearly describe the enabling processes required for operations, safety and workflow. The benefits of the BCP are far-reaching, from patient safety, compliance and risk avoidance to employee and patient confidence.

The basic elements of a well-planned BCP include a set of practical and realistic steps that begin with the identification of mission-critical systems and processes, and are followed by the actions needed to carry operations from an interruption or disaster back to normal operations.

The BCP shouldn’t focus solely on the steps to take if the whole organization is affected. Most interruptions are isolated to specific areas – geographies, departments, facilities, etc. Plans need to be developed and maintained for the huge variety of interruptions that may occur.

Lastly, the BCP involves more than restoring information technology. It is a plan for operational continuity and should ensure that all critical operations are maintained when faced by an interruption.

Developing the BCP
The process of developing and maintaining a BCP includes the five steps identified in the diagram to the right: Analysis, Solution Design, Implementation, Testing and Acceptance, and Maintenance.

Although an organization’s names for these steps may vary, each is critical for a successful BCP development and implementation.

1. Impact Analysis
There are a few specific analyses that need to be performed prior to developing a BCP:

  • Business Impact Analysis (BIA): The objective of the BIA is to identify and distinguish between critical and non-critical operational functions, activities and/or processes. (In healthcare, functions related to patient safety would be considered critical, for example.) The results of the BIA will include recovery requirements for each critical function.
  • Threat Analysis: This is a list of potential threats to ongoing operations and the recommended steps to recover from each. Threats include fire, flood, earthquake, sabotage, cyber attack, hurricane, utility outage, etc.
  • Recovery Requirements’ Documentation and Review: Upon completion of the BIA, the operational and technical requirements are documented and reviewed. Reviewers should range from senior leaders to operational end users. All stakeholders should be represented and engaged throughout the plan development process. This review ends with acceptance and sign-off on the documented requirements.
  • Dependency Analysis: It is important to identify the internal and external dependencies of critical services.
    • Internal dependencies include employee availability, corporate assets (equipment, facilities, computer applications, data, tools, vehicles), and support services (finance, human resources, security and information technology support).
    • External dependencies include suppliers, external corporate assets (i.e., equipment, facilities, computer applications, data, tools, vehicles), and support services (i.e., facility management, utilities, communications, transportation, financial institutions, insurance providers, government services, legal services, and health and safety services).

2. Solution Design
The purpose of the solution design phase is to identify the most cost-effective restoration solution that meets the requirements from the impact analysis stage. For IT applications, this is commonly expressed as:

  • The minimum application and application data requirements
  • The time frame in which the minimum application and application data must be available

3. Implementation
Implementation is the execution of the design elements that have been identified in the previous steps. Although testing can occur throughout the BCP development, the “unit” testing that takes place during components of the implementation should not take the place of organizational testing.

4. Testing and Acceptance
Testing is a critical step in the planning process to ensure organizational acceptance and readiness. It ensures that the business continuity solution satisfies the organization’s restoration needs. Testing may include:

  • Testing of moves to primary and secondary sites
  • Crossover to operational manual processes
  • Disaster command center call back

If through testing the BCP fails to meet expectations, check for insufficient and/or inaccurate data or requirements, design discrepancies, or solution implementation errors.

5. Maintenance
The BCP is a living document and will need to be reviewed and maintained on a periodic, scheduled basis. Maintenance of the BCP document can be divided into three activities:

  1. Confirmation of information in the document, distribution to staff for awareness and training for individuals whose roles are identified as critical in response and restoration.
  2. Periodic testing and validation that technical solutions are in fact available and appropriate for recovery operations.
  3. Testing and validating that documented operational services for the organization remain unchanged for continuous operations. These should be performed on a scheduled biannual or annual maintenance cycle.

BCP Strategic Benefits
Well-prepared organizations survive with limited impact when interruptions occur, while those that do not plan for these incidents may place their institution in jeopardy. Disasters can and will strike at any time, may come in multiple forms and can happen one at a time or all at once. Planning and testing of the identified solutions make the critical difference between successfully managing an incident within acceptable parameters and having a situation that may take days or longer to fix.

It is important that each staff member understands and knows his/her specific task and role during a disruption. This requires consistent and frequent staff training on the processes and solutions outlined in the BCP. Frequent reviews are also required to keep the plan updated. This preparedness is critical to the strategic goals of any healthcare organization. A BCP:

  • Helps healthcare organizations fulfill their moral responsibility to protect patients, employees, the community and the environment
  • Facilitates compliance with regulatory requirements of federal, state and local agencies
  • Enhances an organization’s ability to increase patient safety, reduce financial losses, regulatory fines, loss of market share, damages to equipment, or disruption to service delivery in the event of a business interruption
  • Reduces exposure to civil or criminal liability in the event of an incident
  • Enhances an organization’s image and credibility with patients, employees, clients, funders, vendors and the community
  • May reduce the organization’s insurance premiums

BCP Critical Success Factors

1. Governance, leadership, and sponsorship
Ensure that a governance structure (i.e., committee) is in place that will ensure senior management commitment and define senior management roles and responsibilities. The BCP senior management committee is responsible for the oversight, initiation, planning, approval, testing and audit of the BCP. It also implements the BCP, coordinates activities, approves the BIA survey, oversees the creation of continuity plans and reviews the results of quality assurance activities.

2. User involvement
Remember that the BCP is more than the IT department; all organizations, units and departments should be involved in the development of the plan, from the impact analysis through testing and implementation. Ownership by all staff is needed. Staff’s solid understanding and knowledge of the process is imperative for success.

3. Training and testing
BCPs can be smoothly and effectively implemented if and when all employees and staff are briefed on the contents of the BCP and are aware of and properly trained on their individual responsibilities. Continuous training updates and testing should be developed and scheduled to achieve and maintain high levels of competence and readiness. While exercises are time- and resource-consuming, they are the only method for validating a plan.

4. Acceptance
As part of the quality assurance and acceptance process, reviews of the BCP should assess the plan's accuracy, relevance and effectiveness. They should also uncover which aspects of a BCP need improvement. Continuous appraisal of the BCP is essential to maintaining its effectiveness. Reviews should be coordinated with operational staff, knowledgeable managers and the BCP steering committee.

5. Communication
Ensure that there is a BCP communication plan. The communication process ensures that all employees and affected personnel will have updated information. The communication plan should include links to training and specific organizational unit updates when the BCP is modified and updated. When addressing the BCP, overcommunication will not be an issue.

In my experience, people have the best intentions of putting together a great BCP. Then resources and time become challenging constraints that hinder the process. However, based on industry and personal experience, it only takes one incident to put business continuity planning on the short list of priorities. Don’t be caught with a skeleton plan; it could place your organization at great (and unnecessary) risk.

Rob Drewniak is a Principal Consultant at Hayes Management Consulting, with prior leadership and executive roles in business and clinical operations, technology, risk management and support. He specializes in EHR adoption and support strategy among other areas.
