Hospitals place high importance on delivering uninterrupted care regardless of circumstances, and, as such, invest heavily in preparedness. Hospitals that are the most successful in achieving a high level of preparedness typically have integration between four disciplines: Emergency Preparedness (HICS), Business Continuity, IT Disaster Recovery, and Information Security. Building cohesion sounds fairly straightforward, but, in reality, it can be complex. From our experience helping hospitals successfully tackle this charge, here are some practical steps to move toward an integrated approach to preparedness:
Start with Governance
Ideally, create a cross-functional steering committee that ultimately oversees all of these disciplines and has the authority to make risk-based decisions that take into account analysis from across the preparedness landscape. Again, this sounds simple, but it can be difficult to successfully achieve. If it isn’t possible to work from one steering committee, try to align risk criteria across preparedness disciplines so that risks and considerations are assessed on a level playing field, ensuring the most critical issues are addressed first.
Perform a Business Impact Analysis
The Business Impact Analysis (BIA) is much more than an inventory of functions and resources. When done correctly, the BIA provides a deep understanding of how a hospital or health system operates, helps clarify what is needed to sustain operations, and can help to define key information security requirements quickly and efficiently. When executing a BIA, involve stakeholders from across preparedness disciplines in the planning process – organizations are often surprised at how much value the BIA can deliver to stakeholders outside of the business continuity world.
Collaborate on Incident Response Planning
Perhaps the largest commonality among preparedness disciplines is the incident response plan. Unfortunately, many organizations build plans in a silo, resulting in duplicated effort, unnecessary bureaucracy, and the lack of an overarching management decision-making framework. Working cross-functionally to define escalation criteria, understand where plans integrate, and create an approved management decision-making framework is critical to an integrated approach to preparedness. Of note, since HICS has business continuity and IT roles – and is scalable – it often serves as the management-level framework regardless of what type of event has occurred.
There are certainly many other areas where hospitals can work cross-functionally to build higher levels of preparedness. However, starting with these three steps can quickly deliver value, ultimately creating more opportunities to collaborate and breaking down artificial organizational and cultural barriers that traditionally exist at some organizations.
CURRENT EVENTS AND REGULATORY LANDSCAPE
The focus on preparedness is helping healthcare organizations manage unplanned events that impact patient care and supporting operations, regardless of whether an event impacts a hospital directly (e.g. cyberattack) or the community in which a hospital operates (e.g. terrorism). There are also a number of regulatory drivers that require hospitals to meet certain preparedness-related requirements:
- The Joint Commission (and other accreditation bodies) requires hospitals to have an emergency preparedness (HICS) program.
- Government regulations (such as HIPAA) require hospitals to protect all medical information, including electronic medical records (EMRs).
- The Centers for Medicare & Medicaid Services (CMS) established new planning requirements for providers delivering any type of patient care, which become enforceable in November 2017.
Furthermore, current events and threats are pushing hospitals to consider additional preparedness-related capabilities, including the following notable trends:
- The loss of mission-critical technology resources, including EMRs, due to a cyberattack. This threat also requires hospitals to implement aggressive backup and recovery capabilities for mission-critical systems (with strategies that may differ from those of a traditional “loss of a data center” scenario).
- Unavailability of personnel and facilities due to natural disasters. Events over the past decade, such as Superstorm Sandy and extreme winter weather in the Northeast, have put an emphasis on preparedness that has helped many organizations manage through hurricanes like Irma and Harvey effectively. It is likely that the 2017 storm season will keep this issue top of mind for many organizations.
While hospitals should certainly prioritize patient care functions, there is a need to ensure time-sensitive back-office and supporting functions have response and recovery capabilities and plans in place to continue operations during disruptive incidents. After all, many of these functions ultimately support – or directly enable the delivery of – patient care in some manner, and should have appropriate contingency plans in place to ensure hospitals and health systems can meet all critical obligations during unplanned events.