• MARCH 2008 FEATURE ARTICLES •
Disaster Preparedness
Business Continuity Planning
It's a critical element of disaster preparedness.
Can you afford to keep it off your radar?
By Paul Rozek and Don Groth
The development and management of a robust
business continuity plan (BCP) for a healthcare organization can
be a daunting task. Keeping clinical operations open 24/7 and
providing safe and secure facilities is not where business
continuity ends. Periodic training of business departments
throughout the organization on BCP-related activities is a
standard that accompanies data protection requirements. It is
imperative that organizations are confident in their ability to
use a formal BCP to recover from a disaster situation in a
timely and effective manner.
Today, most healthcare administrators
recognize that BCP is not solely about planning for a sudden
influx of patients, but also about planning for disasters that
harm their IT systems and physical facilities. Business
continuity must be viewed as continuing key business functions,
not just those in the emergency room. Keeping safe and secure
premises and enabling timely access to data must be considered
as part of BCP.
Planning for business continuity has proven
to be increasingly challenging as the healthcare industry
employs more digital technology to improve the quality of care.
All signs for the future point to even more reliance on digital
data. Additionally, critical business functions are now
regularly outsourced to business partners, further complicating
the business continuity planning process.
Emergency Preparedness vs. Business Continuity
There are a number of challenges to the
development of a full BCP for healthcare organizations.
Emergency preparedness and IT disaster recovery plans in
healthcare organizations are fairly common and there may be a
tendency for management to conclude that the existence of these
plans means that business continuity has been effectively
addressed.
In addition, many organizations have worked
to comply with the latest HIPAA requirements for disaster
recovery, which include: data backup plans for electronically
protected health information; disaster recovery plans and
procedures to restore any lost data; emergency mode operations
plans and procedures to enable continuation of critical business
processes involving electronically protected health information
(EPHI) while operating in emergency mode; and, testing of the
plans (not required by HIPAA).
While HIPAA compliance is helpful and
necessary with respect to a BCP, compliance alone is not
sufficient to address the business continuity needs of the
enterprise. Many healthcare organizations have addressed the
backup and recovery of EPHI and the critical business processes
that protect EPHI; however, additional steps are necessary to
ensure the continuity of all functions critical to providing
patient care.
Emerging Trends
A number of technology trends affect
healthcare organizations' business continuity capabilities and
the overall recovery time objectives (RTO) imposed on IT
executives. The amount of patient care information captured,
stored and used in a solely electronic environment is
increasing. These electronic systems are often linked to other
systems, such as admitting, billing, pharmacy, radiology and lab
systems within the healthcare organization. Real-time access to
electronic medical records is often required on a 24/7 basis,
meaning that a BCP that takes 48 to 72 hours to implement may be
inadequate. In a 2007 survey by The Economist Intelligence Unit,
just under half of all respondents said they could endure less
than a day of downtime from their IT systems before the
disruption became serious enough to jeopardize the survival of
the entire company.
The growing use of telehealth and
telemedicine applications has increased the use of electronic
information and telecommunications technologies that support
long-distance clinical healthcare, patient and professional
health-related education, and public health and health
administration. These applications provide cost-effective
options for remote patient monitoring and treatment in both
rural and metropolitan areas, especially in cases where
significant travel and/or timely access to a health specialist
are issues. The applications can support transmission of medical
information for diagnosis or disease management. As a result,
many of these applications require very short recovery times and
high data availability. The growing dependence on these
applications makes development of a comprehensive BCP
challenging, since recovery plans must consider the interactions
with other systems and networks outside the control of the
healthcare organization.
Data Backup
The volume of medical and business data that
must be backed up by healthcare organizations has grown rapidly
in recent years and will continue to grow. As a result, data
backup will take even more time to complete. At the same time,
the complexity of current systems is increasing, more diverse
systems require integration and the recovery time objectives are
shrinking. Ultimately, the industry must realize that the time
required for recovery of data from tape libraries may result in
unachievable RTOs for the most time-sensitive systems.
To deal with the challenges of tape data
recovery for the most time-sensitive systems, organizations are
migrating to disk-to-disk (D2D) backup solutions and various
forms of data mirroring and replication technologies. While
overall technology hardware costs may increase, a D2D solution
is a significant strategy that must be considered to deal with
data backup and recovery issues. On the other hand, D2D isn't a
"cure-all" that will eliminate all data availability problems.
Disparate systems, multiple vendors, geographical separation,
and handling in-flight data transmissions during a disaster are
just a few of the many issues that need to be addressed.
In the recent past, the recovery of open
systems' servers at an alternate processing site was often
extremely difficult because of the need to rebuild operating
systems and applications on different physical servers.
Solutions such as virtualization, clustering and storage area
network technologies can offer a number of business benefits to
management, including higher potential availability of data,
smaller platform "footprints," reduced electrical power and HVAC
requirements, increased usage of IT resources and decreased
recovery time at alternate processing facilities.
Shifting Responsibility
Even though technology is critical to the
delivery of patient care, healthcare business continuity should
not be driven solely by IT. Business continuity planning must be
an enterprisewide program driven by senior management. If the
CIO is given the responsibility for business continuity, others
in the organization may view business continuity as an IT issue
and not adequately address the business issues associated with
BCP.
Healthcare organizations often have unique
business structures that can make the development of
enterprisewide business continuity more difficult. Many
healthcare organizations have decentralized systems with a
myriad of IT systems, applications and support teams. Individual
departments may or may not be autonomous, and often the
department managers function independently. Unfortunately, there
is no "one-size-fits-all" BCP solution for such an environment.
Management must be prepared to develop multiple customized plans
that are effective without being cost-prohibitive.
Many of the critical resources necessary to
provide continuous patient care are highly technical, such as
MRI, telecommunications, electrical systems, databases, data
encryption, server virtualization and disk-to-disk backup. Other
critical resources include utilities, such as water, steam, gas
and sanitary waste systems. Important but seemingly
non-critical resources that will become critical during a
disaster include linen services, trash compacting/removal and
food services. Developing business continuity plans that address
each of these resources requires the collaboration and teamwork
of multiple departments within the organization. If senior
management sets the proper tone at the top, the organization
will be better prepared for the collaboration required to create
a comprehensive BCP.
Business Partners
Healthcare organizations often require the
use of business partners, a trend that is expected to continue
to grow in the future. These external organizational influences
can cause additional challenges in the creation of a BCP. Making
matters more complex is the fact that business partners can be
located inside or outside of an organization's walls. Critical
functions may be outsourced to vendors, business partners, and
in some cases, to competing healthcare organizations. Entire
departments within the physical walls of an organization may be
staffed and managed by a third-party vendor. And, critical
professionals and staff members may be employed by third
parties.
In a March 2007 report, the Gartner Group
points out that the costs of high availability and disaster
recovery capability can be reduced using vendor-hosted systems.
While these practices are common in all industries, they appear
to be pervasive and potentially more critical in healthcare
organizations. One common consideration when working with
external parties is to ensure that legal contracts and service
level agreements exist. There are many examples where the level
of formality and terms of engagement vary among third parties,
especially in healthcare systems that use local service
providers. As a result, consistent enterprisewide BCP
development, training, and exercising can be more difficult. In
developing a BCP, there must be active management oversight to
resist the temptation to deal only with internal staff that the
organization can better control.
While it may be necessary to begin planning
with internal staff, it is vital that all vendors are required
to participate in the development of the final, formal BCPs.
Most vendors are willing to participate; however, some may
require additional cost, and contracts may also need to be
renegotiated. If critical vendors are not willing to cooperate,
executive management may need to exert pressure and may need to
consider severing those business relationships.
Many healthcare organizations use third-party
vendors to remotely host critical applications and systems. This
approach to application support can provide a number of benefits
in quality and cost. The hosting vendor may be contractually
committed to provide specified backup and recovery services as
part of a service-level agreement.
However, the responsibility to ensure that the enterprise
business continuity requirements are met cannot be assumed. It
is vital that management ensures the vendors demonstrate their
ability to meet the contracted service levels.
Furthermore, it is not safe to assume that a
hosting vendor has the ability to provide any recovery
capability that is not included in the agreement and also not
paid for. As with other business partners, the healthcare
organization may need to renegotiate contracts to obtain the
necessary service and support at a defined cost.
Recommendations
There are numerous industry resources and
services available to management to mitigate disaster risk,
including the Business Continuity Planning Workgroup for
Healthcare Organizations (www.bcpwho.org) and DRI International
(www.drii.org). In addition, there are several guides (SP800-34
and SP800-84) from the National Institute of Standards and
Technology (www.nist.gov) that can provide further insights on
developing and testing a BCP/DRP plan for an organization.
Business continuity planning in the
healthcare industry will continue to be a significant area of
risk for management, and business executives must work closely
with IT executives to help meet their organizations' changing
needs and realities.
A BCP is no longer just a phase or project to
be implemented when time and resources allow. It must be an
ongoing program implemented to protect data, and ensure the
integrity and security of the total organization, including
facilities, information and the wellbeing of employees and
patients, the last of which is of paramount importance.
Companies cannot afford to leave the
management of a disastrous and disruptive event to chance. They
should embrace this responsibility, be familiar with and
implement a BCP, and train primary and alternate key personnel
in their roles and responsibilities in the event of unforeseen
catastrophic events.
Senior management must step up and embrace a
BCP program, giving it the importance it deserves before being
forced to do so by regulatory agencies and before disaster
strikes.

Paul Rozek is director of technology risk management and Don Groth
is senior business continuity management specialist for
Jefferson Wells.
Contact them at paul_rozek@jeffersonwells.com
and donald_groth@jeffersonwells.com, or call (414) 347-2345.