Business continuity planning: it's a critical element of disaster preparedness. Can you afford to keep it off your radar?The development and management of a robust business continuity plan (BCP BCP Best Current Practice(s) BCP Business Continuity Planning BCP Business Continuity Plan BCP Book of Common Prayer BCP Banco Comercial Português BCP Bureau of Consumer Protection (US Federal Trade Commission) ) for a healthcare organization can be a daunting daunt tr.v. daunt·ed, daunt·ing, daunts To abate the courage of; discourage. See Synonyms at dismay. [Middle English daunten, from Old French danter, from Latin task. Keeping clinical operations open 24/7 and providing safe and secure facilities is not where business continuity ends. Periodic training of business departments throughout the organization on BCP-related activities is a standard that accompanies data protection requirements. It is imperative that organizations are confident in their ability to use a formal BCP to recover from a disaster situation in a timely and effective manner. Today, most healthcare administrators recognize that BCP is not solely about planning for a sudden influx of patients, but also about planning for disasters that harm their IT systems and physical facilities. Business continuity must be viewed as continuing key business functions--not just those in the emergency room. Keeping safe and secure premises and enabling timely access to data must be considered as part of BCP. Planning for business continuity has proven to be increasingly challenging as the healthcare industry employs more digital technology to improve the quality of care. All signs for the future point to even more reliance on digital data. Additionally, critical business functions are now regularly outsourced to business partners, further complicating the business continuity planning Business Continuity Planning (BCP) is an interdisciplinary peer mentoring methodology used to create and validate a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined process. Emergency Preparedness vs. Business Continuity There are a number of challenges to the development of a full BCP for healthcare organizations. Emergency preparedness and IT disaster recovery plans in healthcare organizations are fairly common and there may be a tendency for management to conclude that the existence of these plans means that business continuity has been effectively addressed. In addition, many organizations have worked to comply with the latest HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) Also known as the "Kennedy-Kassebaum Act," this U.S. law protects employees' health insurance coverage when they change or lose their jobs (Title I) and provides standards for patient health, requirements for disaster recovery, which include: data backup plans for electronically protected health information protected health information Health informatics Any individually identifiable health informatlon that is used or circulated by an entity that falls under the governance of HIPAA; the privacy regulations mandate safeguards for protected health information, and the ; disaster recovery plans and procedures to restore any lost data; emergency mode operations plans and procedures to enable continuation of critical business processes involving electronically protected health information (EPHI EPHI Electronic Protected Health Information (HIPAA) ) while operating in emergency mode; and, testing of the plans (not required by HIPAA). While HIPAA compliance is helpful and necessary with respect to a BCP, compliance alone is not sufficient to address the business continuity needs of the enterprise. Many healthcare organizations have addressed the backup and recovery of EPHI and the critical business processes that protect EPHI; however, additional steps are necessary to ensure the continuity of all functions critical to providing patient care. Emerging Trends A number of technology trends affect healthcare organizations' business continuity capabilities and the overall recovery time objectives (RTO (Recovery Time Objective) The amount of time a computer system or application can stop functioning before it is considered intolerable to the enterprise. It can be computed to be from seconds to days, depending on how critical the application is to the organization. ) imposed on IT executives. The amount of patient care information captured, stored and used in a solely electronic environment is increasing. These electronic systems are often linked to other systems, such as admitting, billing, pharmacy, radiology and lab systems within the healthcare organization. Real-time access to electronic medical records is often required on a 24/7 basis, meaning that a BCP that takes 48 to 72 hours to implement may be inadequate. In a 2007 survey by The Economist Intelligence Unit The Economist Intelligence Unit (EIU) is part of The Economist Group. It is a research and advisory company providing country, industry and management analysis worldwide and incorporates the former Business International Corporation, a U.S. , just under half of all respondents said they could endure less than a day of downtime The time during which a computer is not functioning due to hardware, operating system or application program failure. from their IT systems before the disruption became serious enough to jeopardize the survival of the entire company. The growing use of telehealth and telemedicine applications has increased the use of electronic information and telecommunications technologies that support long-distance clinical healthcare, patient and professional health-related education, and public health and health administration. These applications provide cost-effective options for remote patient monitoring and treatment in both rural and metropolitan areas--especially in cases where significant travel and/or timely access to a health specialist are issues. The applications can support transmission of medical information for diagnosis or disease management. As a result, many of these applications require very short recovery times and high data availability Refers to the degree to which data can be instantly accessed. The term is mostly associated with service levels that are set up either by the internal IT organization or that may be guaranteed by a third party datacenter or storage provider. . The growing dependence on these applications makes development of a comprehensive BCP challenging, since recovery plans must consider the interactions with other systems and networks outside the control of the healthcare organization. Data Backup The volume of medical and business data that must be backed up by healthcare organizations has grown rapidly in recent years and will continue to grow. As a result, data backup will take even more time to complete. At the same time, the complexity of current systems is increasing, more diverse systems require integration and the recovery time objectives are shrinking. Ultimately, the industry must realize that the time required for recovery of data from tape libraries may result in unachievable RTOs for the most time-sensitive systems. [ILLUSTRATION OMITTED] To deal with the challenges of tape data recovery for the most time-sensitive systems, organizations are migrating to disk-to-disk (D2D (Disk-to-Disk) Typically refers to backing up data on disks rather than on tape. Disk-to-disk backup systems provide a very fast restore capability compared with tape backup. See D2D2T and virtual tape. ) backup solutions and various forms of data mirroring and replication technologies. While overall technology hardware costs may increase, a D2D solution is a significant strategy that must be considered to deal with data backup and recovery issues. On the other hand, D2D isn't a "cure-all" that will eliminate all data availability problems. Disparate systems, multiple vendors, geographical separation, and handling in-flight data transmissions during a disaster are just a few of the many issues that need to be addressed. In the recent past, the recovery of open systems' servers at an alternate processing site was often extremely difficult because of the need to rebuild operating systems Operating systems can be categorized by technology, ownership, licensing, working state, usage, and by many other characteristics. In practice, many of these groupings may overlap. and applications on different physical servers. Solutions such as virtualization An umbrella term for enhancing a computer's ability to do work. Following are the ways virtualization is used. Hardware Virtualization Partitioning the computer's memory into separate and isolated "virtual machines" simulates multiple machines within one physical computer. , clustering and storage area network technologies can offer a number of business benefits to management, including higher potential availability of data, smaller platform "footprints," reduced electrical power and HVAC (Heating Ventilation Air Conditioning) In the home or small office with a handful of computers, HVAC is more for human comfort than the machines. In large datacenters, a humidity-free room with a steady, cool temperature is essential for the trouble-free requirements, increased usage of IT resources and decreased recovery time at alternate processing facilities. Shifting Responsibility Even though technology is critical to the delivery of patient care, healthcare business continuity should not be driven solely by IT. Business continuity planning must be an enterprisewide program driven by senior management. If the CIO CIO: see American Federation of Labor and Congress of Industrial Organizations. (Chief Information Officer) The executive officer in charge of information processing in an organization. is given the responsibility for business continuity, others in the organization may view business continuity as an IT issue and not adequately address the business issues associated with BCP. Healthcare organizations often have unique business structures that can make the development of enterprisewide business continuity more difficult. Many healthcare organizations have decentralized de·cen·tral·ize v. de·cen·tral·ized, de·cen·tral·iz·ing, de·cen·tral·iz·es v.tr. 1. To distribute the administrative functions or powers of (a central authority) among several local authorities. systems with a myriad of IT systems, applications and support teams. Individual departments may or may not be autonomous, and often the department managers function independently. Unfortunately, there is no "one-size-fits-all" BCP solution for such an environment. Management must be prepared to develop multiple customized plans that are effective without being cost-prohibitive. Many of the critical resources necessary to provide continuous patient care are highly technical, such as MRI 1. (application) MRI - Magnetic Resonance Imaging. 2. MRI - Measurement Requirements and Interface. , telecommunications, electrical systems, databases, data encryption data encryption, the process of scrambling stored or transmitted information so that it is unintelligible until it is unscrambled by the intended recipient. Historically, data encryption has been used primarily to protect diplomatic and military secrets from foreign , server virtualization (1) Running applications in separate, isolated partitions within a single server. The "virtual machine" method can run different operating systems simultaneously, whereas the "OS virtualization" method runs applications for only one operating system (see virtual machine and OS and disk-to-disk backup. Other critical resources include utilities, such as water, steam, gas and sanitary waste systems. Important, and seemingly non-critical resources that will become critical during a disaster include linen services, trash compacting/ removal and food services food services Hospital services A 24/7 department in a hospital that provides for the nutritional needs of inpatients–eg, those needing special diets, preparing meals and transporting them to the floor and, through the cafeteria, the hospital staff and . Developing business continuity plans that address each of these resources requires the collaboration and teamwork of multiple departments within the organization. If senior management sets the proper tone at the top, the organization will be better prepared for the collaboration required to create a comprehensive BCE BCE abbr. 1. Bachelor of Chemical Engineering 2. Bachelor of Civil Engineering BCE Abbreviation for before the Common Era. Business Partners Healthcare organizations often require the use of business partners a trend that is expected to continue to grow in the future. These external organizational influences can cause additional challenges in the creation of a BCP. Making matters more complex is the fact that business partners can be located inside or outside of an organization's walls. Critical functions may be outsourced to vendors, business partners, and in some cases, to competing healthcare organizations. Entire departments within the physical walls of an organization may be staffed and managed by a third-party vendor. And, critical professionals and staff members may be employed by third parties. In a March 2007 report, the Gartner Group (company) Gartner Group - One of the biggest IT industry research firms. Address: Connecticut, USA. points out that the costs of high availability Also called "RAS" (reliability, availability, serviceability) or "fault resilient," it refers to a multiprocessing system that can quickly recover from a failure. There may be a minute or two of downtime while one system switches over to another, but processing will continue. and disaster recovery capability can be reduced using vendor-hosted systems. While these practices are common in all industries, they appear to be pervasive and potentially more critical in healthcare organizations. One common consideration when working with external parties is to ensure that legal contracts and service level agreements exist. There are many examples where the level of formality and terms of engagement vary among third parties--especially in healthcare systems that use local service providers. As a result, consistent enterprisewide BCP development, training, and exercising can be more difficult. In developing a BCP, there must be active management oversight to resist the temptation to deal only with internal staff that the organization can better control. While it may be necessary to begin planning with internal staff, it is vital that all vendors are required to participate in the development of the final, formal BCPs. Most vendors are willing to participate, however, some may require additional cost and contracts may also need to be re-negotiated. If critical vendors are not willing to cooperate, executive management may need to exert pressure and may need to consider severing sev·er v. sev·ered, sev·er·ing, sev·ers v.tr. 1. To set or keep apart; divide or separate. 2. To cut off (a part) from a whole. 3. those business relationships. Many healthcare organizations use third-party vendors to remotely host critical applications and systems. This approach to application support can provide a number of benefits in quality and cost. The hosting vendor may be contractually committed to provide specified backup and recovery services as part of a service-level agreement. However, the responsibility to ensure that the enterprise business continuity requirements are met cannot be assumed. It is vital that management ensures the vendors demonstrate their ability to meet the contracted service levels. Furthermore, it is not safe to assume that a hosting vendor has the ability to provide any recovery capability that is not included in the agreement and also not paid for. As with other business partners, the healthcare organization may need to renegotiate re·ne·go·ti·ate tr.v. re·ne·go·ti·at·ed, re·ne·go·ti·at·ing, re·ne·go·ti·ates 1. To negotiate anew. 2. To revise the terms of (a contract) so as to limit or regain excess profits gained by the contractor. contracts to obtain the necessary service and support at a defined cost. Recommendations There are numerous industry resources and services available to management to mitigate disaster risk, including the Business Continuity Planning Workgroup for Healthcare Organizations (www.bcpwho.org) and DRI See Digital Research. International (www.drii.org). In addition, there are several guides (SP800-34 and SP800-84) from the National Institute of Standards and Technology National Institute of Standards and Technology, governmental agency within the U.S. Dept. of Commerce with the mission of "working with industry to develop and apply technology, measurements, and standards" in the national interest. (www.nist.gov) that can provide further insights on developing and testing a BCP/DRP plan for an organization. Business continuity planning in the healthcare industry will continue to be a significant area of risk for management, and business executives must work closely with IT executives to help meet their organizations' changing needs and realities. A BCP is no longer just a phase or project to be implemented when time and resources allow. It must be an ongoing program implemented to protect data, and ensure the integrity and security of the total organization, including facilities, information and the wellbeing of employees and patients--the last of which is of paramount importance. Companies cannot afford to leave the management of a disastrous and disruptive event to chance. They should embrace this responsibility, be familiar with and implement a BCP, and train primary and alternate key An alternate key (or secondary key) is any candidate key which is not selected to be the primary key (PK). For example, a relational database with a table "employee" could have attributes like "employee_id", "bank_acct_no", and so on. personnel in their roles and responsibilities in the event of unforeseen catastrophic events. Senior management must step up and embrace a BCP program, giving it the importance it deserves before being forced to do so by regulatory agencies regulatory agency Independent government commission charged by the legislature with setting and enforcing standards for specific industries in the private sector. The concept was invented by the U.S. and before disaster strikes. Paul Rozek is director of technology risk management and Don Groth is senior business continuity management for Jefferson Wells. Contact them at paul_rozek@jeffersonwells.com and donald_groth@ jeffersonwells.com, or call (414) 347-2345. |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion