While hospitals are well-equipped to respond to certain disasters, oftentimes healthcare organizations are missing a critical ingredient in the recipe for preparedness: business continuity.
This guide looks at hospital preparedness in terms of what hospitals do well, what’s missing, and how to achieve a wholistic program to ensure hospitals can continue to perform critical functions (like saving lives!) in the face of any disruptive event.
Before we dive in, let’s define a few key terms that we will further explore in this article:
The number one priority for hospitals is to provide continuous, superior care to patients, regardless of circumstance. This principle results in the need to invest time and resources in preparing for disruptive events. In addition, a number of external parties require hospitals to invest in preparedness measures, specifically the following:
To achieve these goals, most hospitals implement a Hospital Incident Command System (HICS).
What is a Hospital Incident Command System (HICS)? Per the HICS Guidebook (Fifth Edition, 2014), HICS is an incident management system that can be used by any hospital to manage threats, planned events, or emergency incidents. HICS is not a singular activity or plan; it is an overarching program or framework that helps to design, implement, maintain, and improve an emergency preparedness program. HICS is closely related to the National Incident Management System (NIMS) Incident Command System (ICS) mentioned above; however, HICS is specially adapted to meet the needs of hospitals, while ICS can be applied broadly to almost any public and private organization.
To implement HICS or find out more about the specific HICS framework and requirements, check out the HICS Guidebook and HICS forms. Per the HICS Guidebook, HICS forms are intended to “provide guidance for incident documentation, resource tracking, safety information, cost collection, and other critical activities within the Hospital Command Center.” The forms alone are not the solution to implement an emergency management program, but they are an excellent resource.
Most hospitals frequently use their HICS frameworks to effectively respond to emergency situations and continue delivering patient care. Ideally, HICS programs incorporate related disciplines, such as IT disaster recovery, information security, and business continuity. However, most organizations have implemented HICS with a focus on dealing with external disasters and mass casualty events, thus investing little time into planning for other events that could occur.
Increasing Focus on IT Disaster Recovery and Information Security
In addition to HICS, hospitals are focusing increasingly on IT disaster recovery capabilities and information security preparedness. Since hospitals are becoming more reliant on IT applications to store patients’ medical information, robust IT disaster recovery programs are needed to ensure applications are available to support medical professionals in treating patients. Technology is so engrained in providing patient care that oftentimes any amount of downtime for key systems would result in impacts to patient care. Therefore, hospitals focus on IT disaster recovery strategies to reduce downtime of systems and data loss. Furthermore, hospitals put in place “downtime procedures,” or manual workarounds, for critical systems where possible. This includes storing some patient information locally so that providers can access the information if the primary data source were unavailable. Additionally, hospitals have retained paper procedures, such as patient charting and ordering prescriptions, as backups to critical systems. Of note, although these workarounds are typically available at hospitals, oftentimes younger staff and day-shift staff are not adequately trained on these manual processes due to never having to use them. (Night-shift staff are typically required to use manual processes during system upgrades and older staff typically used the manual processes before the systems were installed.) Therefore, it is critical that hospitals’ IT disaster recovery programs encompass downtime procedure development and training.
Hospitals and healthcare providers are also focusing heavily on information security for several reasons:
To address information security, most hospitals have established information security programs. These programs implement and manage preventative measures, such as policies, training, and “hardening” environments, and response plans.
Until recently, the focus of many hospitals has solely been on establishing and maintaining a robust HICS program. In the past several years, hospitals have put significant efforts towards IT disaster recovery and information security programs. With these programs in place, are hospitals fully prepared to respond to any type of disruption? Oftentimes not.
The gap in preparedness comes from hospitals tending to use a narrow lens when considering the areas that should be in scope for preparedness efforts and the types of disruptions that could occur. HICS does a great job preparing for natural disasters and other community-wide events. IT disaster recovery and information security both reduce downtime of technology and prepare to respond and recover from these events. So, what’s missing?
Current hospital preparedness efforts neglect a few key disruptions that could occur. For example, HICS plans typically do not address strategies for a loss of third-party suppliers. The typical hospital preparedness measures and programs also tend to focus exclusively on patient care departments and neglect back-office or support departments. In doing so, support departments, such as Call Centers, Payroll, and Accounts Receivable, may have significant risks of downtime with no plans to recover. Sometimes these departments, if unavailable, can impact patient care. For example, downtime of the Call Center could prevent patients from scheduling appointments.
To address these gaps and ensure a complete preparedness program, hospitals implement a business continuity program that is integrated with existing efforts. The business continuity program should focus on:
The HICS framework is flexible and can incorporate business continuity program elements, while serving as the overarching incident response framework. In fact, HICS has pre-defined roles for business continuity, which means integrating the two can be a natural evolution. The following section describes how to implement business continuity and integrate with current efforts to achieve a holistic hospital preparedness program.
When creating your hospital’s business continuity program, ensure that it is properly integrated with existing HICS, IT disaster recovery, and information security planning processes by following the 6-step model below:
Create a Cross-Functional Steering Committee
The first key to successfully implementing an integrated preparedness program is to create an integrated, cross-functional group of management (i.e. steering committee) to oversee the preparedness effort of the hospital. Typically, the emergency management program will already have a management group that it reports to, so it may make sense to first look at this group to oversee the overall preparedness program. However, it is important to keep in mind that this group should truly be cross-functional, meaning it should have representation from emergency management, business continuity (clinical and support areas), IT disaster recovery, and information security.
Set Program Scope and Objectives
After the cross-functional steering committee is created, this group should set hospital-wide program objectives and priorities. These priorities may include:
Note: The priorities established by the steering committee can easily serve as the scoping mechanism for the business continuity business impact analysis (see next bullet).
Execute Business Impact Analysis
After the steering committee determines the program’s scope and objectives, the business continuity team should perform a business impact analysis (BIA) and risk assessment for in-scope departments throughout the hospital (see Ultimate Guide to the Business Impact Analysis for more information on how to properly scope your BIA). The BIA and risk assessment determine the department’s critical activities and the impact of a disruption on them. In addition, the BIA identifies all dependencies relevant to critical activities, including technology, personnel, suppliers, equipment, and facilities. For all dependencies, the BIA/risk assessment identifies likely sources of risk, current-state controls to mitigate risk, and risk treatment options. The key outcome of the BIA is to set recovery time objectives for the resumption of critical activities to ensure the hospital’s capabilities align to requirements.
Develop Response and Recovery Strategies
Following the BIA and risk assessment, all teams should determine/review capabilities and strategies that enable the hospital to recover its critical activities and resources (including technology) within the recovery time objectives identified in the BIA.
Develop and Update Plans
Following the identification and implementation of strategies, all teams should use analysis outputs to develop/update emergency response, business continuity, IT disaster recovery, and information security plans. Together, these plans should ensure the hospital can respond and recover to the following scenarios:
Test and Exercise Plans
After all plans have been developed/updated, an integrated method should be used to test the plans. Since there is likely already a testing cycle in place for the emergency management team/plan, a key success factor for breaking down the silos between the preparedness programs is to integrate the business continuity exercises into the existing emergency management exercises. If possible, the hospital should also consider including IT disaster recovery tests and information security exercises within the scope of the emergency management tests.
Hospitals are experts at planning for and responding to community and facility emergency events using the HICS framework. Additionally, in recent years, hospitals have built increasingly mature IT disaster recovery and information security programs. However, most hospitals and healthcare providers do not account for business continuity in their preparedness programs, which can be a recipe for disaster. To ensure a holistic hospital preparedness program inclusive of business continuity, healthcare providers should use the following recipe:
How to build a hospital business continuity program:
We help companies around the world build strong business continuity programs.
If you’re ready to get hands-on help to quickly get results, please book a strategy session with a member of my team today to:
Are you ready? Book a meeting here.