Health Management Technology: Healthcare Information Systems Solutions since 1980, www.HealthMgtTech.com

Disaster Preparedness

Business Continuity Planning

It’s a critical element of disaster preparedness. Can you afford to keep it off your radar?

By Paul Rozek and Don Groth

Page 1: Postscript TECHNOLOGY HealthManagement Disaster …rdcms-himss.s3.amazonaws.com/files/production/public/HIMSSorg... · lit# shoWline i/o check ... In a 2007 survey by The Economist

Nelson Publishing, 2500 Tamiami Tr N, Nokomis, FL 34275, 1-800-226-6113

The development and management of a robust business continuity plan (BCP) for a healthcare organization can be a daunting task. Keeping clinical operations open 24/7 and providing safe and secure facilities is not where business continuity ends. Periodic training of business departments throughout the organization on BCP-related activities is a standard that accompanies data protection requirements. It is imperative that organizations are confident in their ability to use a formal BCP to recover from a disaster situation in a timely and effective manner.

Today, most healthcare administrators recognize that BCP is not solely about planning for a sudden influx of patients, but also about planning for disasters that harm their IT systems and physical facilities. Business continuity must be viewed as continuing key business functions — not just those in the emergency room. Keeping safe and secure premises and enabling timely access to data must be considered as part of BCP.

Planning for business continuity has proven to be increasingly challenging as the healthcare industry employs more digital technology to improve the quality of care. All signs for the future point to even more reliance on digital data. Additionally, critical business functions are now regularly outsourced to business partners, further complicating the business continuity planning process.

Emergency Preparedness vs. Business Continuity

There are a number of challenges to the development of a full BCP for healthcare organizations. Emergency preparedness and IT disaster recovery plans in healthcare organizations are fairly common and there may be a tendency for management to conclude that the existence of these plans means that business continuity has been effectively addressed.

In addition, many organizations have worked to comply with the latest HIPAA requirements for disaster recovery, which include: data backup plans for electronically protected health information; disaster recovery plans and procedures to restore any lost data; emergency mode operations plans and procedures to enable continuation of critical business processes involving electronically protected health information (EPHI) while operating in emergency mode; and, testing of the plans (not required by HIPAA).

While HIPAA compliance is helpful and necessary with respect to a BCP, compliance alone is not sufficient to address the business continuity needs of the enterprise. Many healthcare organizations have addressed the backup and recovery of EPHI and the critical business processes that protect EPHI; however, additional steps are necessary to ensure the continuity of all functions critical to providing patient care.

Emerging Trends

A number of technology trends affect healthcare organizations’ business continuity capabilities and the overall recovery time objectives (RTO) imposed on IT executives. The amount of patient care information captured, stored and used in a solely electronic environment is increasing. These electronic systems are often linked to other systems, such as admitting, billing, pharmacy, radiology and lab systems within the healthcare organization. Real-time access to electronic medical records is often required on a 24/7 basis, meaning that a BCP that takes 48 to 72 hours to implement may be inadequate. In a 2007 survey by The Economist Intelligence Unit, just under half of all respondents said they could endure less than a day of downtime from their IT systems before the disruption became serious enough to jeopardize the survival of the entire company.

The growing use of telehealth and telemedicine applications has increased the use of electronic information and telecommunications technologies that support long-distance clinical healthcare, patient and professional health-related education, and public health and health administration. These applications provide cost-effective options for remote patient monitoring and treatment in both rural and metropolitan areas — especially in cases where significant travel and/or timely access to a health specialist are issues. The applications can support transmission of medical information for diagnosis or disease management. As a result, many of these applications require very short recovery times and high data availability. The growing dependence on these applications makes development of a comprehensive BCP challenging, since recovery plans must consider the interactions with other systems and networks outside the control of the healthcare organization.

Data Backup

The volume of medical and business data that must be backed up by healthcare organizations has grown rapidly in recent years and will continue to grow. As a result, data backup will take even more time to complete. At the same time, the complexity of current systems is increasing, more diverse systems require integration and the recovery time objectives are shrinking. Ultimately, the industry must realize that the time required for recovery of data from tape libraries may result in unachievable RTOs for the most time-sensitive systems.

To deal with the challenges of tape data recovery for the most time-sensitive systems, organizations are migrating to disk-to-disk (D2D) backup solutions and various forms of data mirroring and replication technologies. While overall technology hardware costs may increase, a D2D solution is a significant strategy that must be considered to deal with data backup and recovery issues. On the other hand, D2D isn’t a “cure-all” that will eliminate all data availability problems. Disparate systems, multiple vendors, geographical separation, and handling in-flight data transmissions during a disaster are just a few of the many issues that need to be addressed.

In the recent past, the recovery of open systems’ servers at an alternate processing site was often extremely difficult because of the need to rebuild operating systems and applications on different physical servers. Solutions such as virtualization, clustering and storage area network technologies can offer a number of business benefits to management, including higher potential availability of data, smaller platform “footprints,” reduced electrical power and HVAC requirements, increased usage of IT resources and decreased recovery time at alternate processing facilities.
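To make the RTO point concrete, here is a small planning check, added as an example and not code from the article or its authors. It estimates how long each system in a constructed inventory would take to come back from tape versus disk-to-disk backup, accounts for the prerequisite systems a linked application waits on (the earlier point that clinical systems are tied to admitting, lab and billing systems), and flags every system whose effective recovery time exceeds its RTO. The system names, data volumes, restore throughputs and fixed overheads are constructed assumptions, not measurements from any site.

```python
"""Dependency-aware RTO feasibility check for a BCP system inventory.

Added example, not code from the article. The systems, data volumes,
restore throughputs and RTOs below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    data_gb: float                 # volume that must be restored
    rto_hours: float               # recovery time objective set by the business
    depends_on: list = field(default_factory=list)  # systems that must be back first


# Constructed restore characteristics per backup medium (assumptions, not benchmarks):
# tape pays a large fixed cost (retrieve, mount, catalog) and streams slowly;
# disk-to-disk (D2D) has a small fixed cost and a much higher restore rate.
MEDIA = {
    "tape": {"gb_per_hour": 200.0, "overhead_hours": 4.0},
    "d2d": {"gb_per_hour": 1500.0, "overhead_hours": 0.5},
}


def restore_time(system, medium):
    """Hours to restore one system's data from the given medium, in isolation."""
    m = MEDIA[medium]
    return m["overhead_hours"] + system.data_gb / m["gb_per_hour"]


def effective_recovery_times(systems, medium):
    """Map each system name to its effective recovery time in hours.

    A linked system is not usable until the systems it depends on are back,
    so its time is its own restore time plus the slowest prerequisite chain.
    Independent branches are assumed to restore in parallel. A dependency
    cycle means the inventory itself is wrong, so it is reported as an error.
    """
    by_name = {s.name: s for s in systems}
    memo = {}

    def eff(name, stack=()):
        if name in memo:
            return memo[name]
        if name in stack:
            raise ValueError(f"dependency cycle through {name}")
        s = by_name[name]
        prereq = max((eff(d, stack + (name,)) for d in s.depends_on), default=0.0)
        memo[name] = prereq + restore_time(s, medium)
        return memo[name]

    return {s.name: eff(s.name) for s in systems}


def rto_gaps(systems, medium):
    """Systems whose effective recovery time exceeds their RTO, with the shortfall in hours."""
    times = effective_recovery_times(systems, medium)
    return {
        s.name: round(times[s.name] - s.rto_hours, 2)
        for s in systems
        if times[s.name] > s.rto_hours
    }


# Constructed inventory: an EMR that depends on a directory service, a lab
# system linked to both, and billing linked to the EMR.
SAMPLE_SYSTEMS = [
    System("directory", data_gb=50, rto_hours=4),
    System("emr", data_gb=2000, rto_hours=8, depends_on=["directory"]),
    System("lab", data_gb=500, rto_hours=12, depends_on=["directory", "emr"]),
    System("billing", data_gb=800, rto_hours=48, depends_on=["emr"]),
]

if __name__ == "__main__":
    for medium in MEDIA:
        print(medium, "gaps (hours over RTO):", rto_gaps(SAMPLE_SYSTEMS, medium))
```

On the constructed figures, tape misses the RTO for the directory, EMR and lab systems while disk-to-disk meets all four; the dependency chain is what pushes the lab system past its RTO even though its own data set is small. A vendor-hosted system's contracted restore time can be entered the same way, as a prerequisite of the in-house systems that depend on it, so that a service level that looks acceptable in isolation is checked against what actually hangs off it.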

Shifting Responsibility

Even though technology is critical to the delivery of patient care, healthcare business continuity should not be driven solely by IT. Business continuity planning must be an enterprisewide program driven by senior management. If the CIO is given the responsibility for business continuity, others in the organization may view business continuity as an IT issue and not adequately address the business issues associated with BCP.

Healthcare organizations often have unique business structures that can make the development of enterprisewide business continuity more difficult. Many healthcare organizations have decentralized systems with a myriad of IT systems, applications and support teams. Individual departments may or may not be autonomous, and often the department managers function independently. Unfortunately, there is no “one-size-fits-all” BCP solution for such an environment. Management must be prepared to develop multiple customized plans that are effective without being cost-prohibitive.

Many of the critical resources necessary to provide continuous patient care are highly technical, such as MRI, telecommunications, electrical systems, databases, data encryption, server virtualization and disk-to-disk backup. Other critical resources include utilities, such as water, steam, gas and sanitary waste systems. Important, and seemingly non-critical resources that will become critical during a disaster include linen services, trash compacting/removal and food services. Developing business continuity plans that address each of these resources requires the collaboration and teamwork of multiple departments within the organization. If senior management sets the proper tone at the top, the organization will be better prepared for the collaboration required to create a comprehensive BCP.

Business Partners

Healthcare organizations often require the use of business partners — a trend that is expected to continue to grow in the future. These external organizational influences can cause additional challenges in the creation of a BCP. Making matters more complex is the fact that business partners can be located inside or outside of an organization’s walls. Critical functions may be outsourced to vendors, business partners, and in some cases, to competing healthcare organizations. Entire departments within the physical walls of an organization may be staffed and managed by a third-party vendor. And, critical professionals and staff members may be employed by third parties.

In a March 2007 report, the Gartner Group points out that the costs of high availability and disaster recovery capability can be reduced using vendor-hosted systems. While these practices are common in all industries, they appear to be pervasive and potentially more critical in healthcare organizations. One common consideration when working with external parties is to ensure that legal contracts and service level agreements exist. There are many examples where the level of formality and terms of engagement vary among third parties — especially in healthcare systems that use local service providers. As a result, consistent enterprisewide BCP development, training, and exercising can be more difficult. In developing a BCP, there must be active management oversight to resist the temptation to deal only with internal staff that the organization can better control.

While it may be necessary to begin planning with internal staff, it is vital that all vendors are required to participate in the development of the final, formal BCPs. Most vendors are willing to participate, however, some may require additional cost and contracts may also need to be re-negotiated. If critical vendors are not willing to cooperate, executive management may need to exert pressure and may need to consider severing those business relationships.

Many healthcare organizations use third-party vendors to remotely host critical applications and systems. This approach to application support can provide a number of benefits in quality and cost. The hosting vendor may be contractually committed to provide specified backup and recovery services as part of a service-level agreement. However, the responsibility to ensure that the enterprise business continuity requirements are met cannot be assumed. It is vital that management ensures the vendors demonstrate their ability to meet the contracted service levels.

Furthermore, it is not safe to assume that a hosting vendor has the ability to provide any recovery capability that is not included in the agreement and also not paid for. As with other business partners, the healthcare organization may need to renegotiate contracts to obtain the necessary service and support at a defined cost.

Recommendations

There are numerous industry resources and services available to management to mitigate disaster risk, including the Business Continuity Planning Workgroup for Healthcare Organizations (www.bcpwho.org) and DRI International (www.drii.org). In addition, there are several guides (SP800-34 and SP800-84) from the National Institute of Standards and Technology (www.nist.gov) that can provide further insights on developing and testing a BCP/DRP plan for an organization.

Business continuity planning in the healthcare industry will continue to be a significant area of risk for management, and business executives must work closely with IT executives to help meet their organizations’ changing needs and realities.

A BCP is no longer just a phase or project to be implemented when time and resources allow. It must be an ongoing program implemented to protect data, and ensure the integrity and security of the total organization, including facilities, information and the wellbeing of employees and patients — the last of which is of paramount importance.

Companies cannot afford to leave the management of a disastrous and disruptive event to chance. They should embrace this responsibility, be familiar with and implement a BCP, and train primary and alternate key personnel in their roles and responsibilities in the event of unforeseen catastrophic events.

Senior management must step up and embrace a BCP program, giving it the importance it deserves before being forced to do so by regulatory agencies and before disaster strikes.

Paul Rozek (left) is director of technology risk management and Don Groth (right) is senior business continuity management specialist for Jefferson Wells. Contact them at [email protected] and donald_groth@jeffersonwells.com, or call (414) 347-2345.

Reprinted from Health Management Technology, March 2008. Copyright © 2008 by Nelson Publishing Inc. • www.healthmgttech.com