On the surface, one would expect healthcare organizations, particularly hospitals, to have well-developed, resilient business continuity programs. After all, who better understands the importance of organization and preparedness when responding to crises? However, recent research conducted by BCPWHO (Business Continuity Planning Workgroup for Healthcare Organizations) indicates most healthcare groups focus on the Joint Commission-mandated areas of emergency management and IT disaster recovery. Emergency management typically focuses on the role of a hospital as a first responder – it is mostly outward facing to ensure that clinical operations can continue no matter what happens to the physical hospital or community. IT disaster recovery, another area of focus, addresses protecting critical clinical systems that, if unavailable, would affect patient care and safety.
Unfortunately, something is missing.
While important, emergency management and IT disaster recovery do not protect all areas of the “business”, missing crucial elements that could determine whether a healthcare organization is able to recover following a business interruption. The remainder of this article discusses four key steps that help close this gap.
Key #1: Establish a business continuity planning team
Most healthcare providers consider payroll, billing, purchasing and cash management critical parts of the organization. While short-term interruptions are tolerable, prolonged downtime would most likely result in catastrophe. Business continuity management (BCM) is the discipline that considers the risk of business process and technology loss and develops strategies to mitigate availability-related impacts. Establishing a business continuity management function that focuses on clinical and non-clinical groups is a key step to reducing an organization’s availability risk, but it will never take hold without key #2.
Key #2: One executive should be responsible for all continuity activities
With three groups (IT, clinical, business) working on continuity-related plans and strategies independently, it is incredibly difficult to coordinate planning and response activities, let alone share common resources or identify common problems. The silos get even deeper when you layer on the typical communication barriers that exist between IT, clinical and business groups, across multiple locations. The most effective solution is establishing a single executive responsible for all continuity activities. This person should be empowered to work across the organization, to drive planning activities, and to measure the readiness of individual groups. This is frequently the COO or CFO, but it could also be the Chief Information Officer or other similar role. In addition, a steering committee of senior executives can be established to oversee the continuity efforts and ensure everyone’s voice is heard. However, it may be difficult to raise the issue with executives without formal justification of the organization’s need, so we present key #3.
Key #3: Conduct a Comprehensive Business Impact Analysis
The business impact analysis (BIA) is the solution for executive awareness and action. However, it needs to move beyond clinical areas and address the entire organization. Critical non-clinical areas include functions such as HR, Payroll, Admissions and Billing. In addition, the BIA should establish:
- Recovery time objectives (RTOs) for each group, no matter how ‘non-essential’
- Supporting applications for each group, and the RTO and recovery point objective (data loss tolerance) for each
- Critical dependencies for each group – what must be operating for the group to conduct its critical functions?
- What is the true impact to the organization if this group ceases operations? Impact considerations include:
  - Patient care and safety
  - Organization reputation
  - Financial loss/deferment
  - Potential regulatory violation impacts
- Existing manual workarounds
When a BIA is conducted in this manner, 90% of the results are predictable. However, the other 10% is often surprising – and these discoveries are where the BIA delivers business value. Frequently, it’s in the form of applications that the IT organization considers non-critical and practitioners consider highly critical. In other cases, you will find that critical clinical operations have dependencies on back office functions, and those dependencies could significantly change the RTOs and criticalities for the back office functions.
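The dependency effect described above can be checked mechanically once the BIA data is collected. The following is an added example, not part of the original article: it tightens each item's RTO to the strictest RTO of anything that depends on it and lists the items whose stated RTO turns out to be too generous. All group names, applications and hour values are constructed sample data.

```python
# Constructed sample BIA results (RTO in hours); hypothetical names and values.
BIA = {
    "Emergency Department": {"rto": 1, "depends_on": ["Admissions", "EHR"]},
    "Admissions": {"rto": 24, "depends_on": ["Registration App"]},
    "Payroll": {"rto": 72, "depends_on": ["HR System"]},
    "Billing": {"rto": 48, "depends_on": ["Registration App"]},
    "EHR": {"rto": 2, "depends_on": []},
    "Registration App": {"rto": 48, "depends_on": []},
    "HR System": {"rto": 96, "depends_on": []},
}


def effective_rtos(bia):
    """Return each item's RTO after inheriting the strictest RTO of its dependents."""
    effective = {name: entry["rto"] for name, entry in bia.items()}
    changed = True
    # Iterate to a fixed point; values only decrease, so this terminates
    # even if the dependency graph contains a cycle.
    while changed:
        changed = False
        for name, entry in bia.items():
            for dep in entry["depends_on"]:
                if dep not in effective:
                    raise KeyError(f"{name} depends on unlisted item {dep!r}")
                if effective[name] < effective[dep]:
                    effective[dep] = effective[name]
                    changed = True
    return effective


def rto_gaps(bia):
    """List (item, stated RTO, required RTO) where the stated RTO is too loose."""
    eff = effective_rtos(bia)
    gaps = [(n, bia[n]["rto"], eff[n]) for n in bia if eff[n] < bia[n]["rto"]]
    return sorted(gaps, key=lambda g: (g[2], g[0]))


if __name__ == "__main__":
    for item, stated, required in rto_gaps(BIA):
        print(f"{item}: stated RTO {stated}h, dependents require {required}h")
```

In this sample, the back-office Admissions function and its registration application inherit the one-hour RTO of the clinical group that depends on them, which is the kind of finding the BIA is meant to surface.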
It is imperative that results of the BIA be provided and explained to management, along with an explanation of how other organizations have structured responsibilities for continuity across the healthcare organization. We recently used the graphic above to depict the missing faces from the continuity team.
Key #4: A common platform
Establishing an executive responsible for continuity activities is important, but truly integrating such disparate groups as IT, clinical and the business takes much more. A common planning framework will allow each group to establish a common vocabulary for discussing continuity planning and execution. The plan framework should include common terms, plan formats, information repositories and team structures. The healthcare industry is privileged to already have such a platform in the hospital incident command system (HICS). HICS incorporates federal NIMS and ICS standards, so any employees already trained in those topics will be familiar with HICS. In addition, it provides a customized set of responsibilities for all key hospital operations. Because implementing HICS is out of the scope of this article, please visit the HICS website to learn more.
The payoff: An integrated response
Implementing each of these keys will allow your organization to identify hidden enterprise-wide availability risks, establish common terminology and planning approaches, and realize efficiencies caused by business-wide collaboration. Most hospitals are already experienced in working with local and state authorities (fire, police and county/state health departments) to coordinate response, but the ultimate benefit of the activities above is the integrated response. An integrated response is one in which each group involved understands their individual responsibilities and the collective objectives of the entire organization, takes decisive action, and communicates with others in order to deliver timely response and recovery. This is when the various continuity programs truly become more than the sum of their individual parts – and in the healthcare world, that can save lives.