The Ultimate Guide to Business Continuity in Healthcare

While hospitals are well-equipped to respond to certain disasters, oftentimes healthcare organizations are missing a critical ingredient in the recipe for preparedness: business continuity.

This guide looks at hospital preparedness in terms of what hospitals do well, what’s missing, and how to achieve a wholistic program to ensure hospitals can continue to perform critical functions (like saving lives!) in the face of any disruptive event.

Before we dive in, let’s define a few key terms that we will further explore in this article:

• Business Continuity (BC) – responsible for developing and implementing department-specific recovery requirements, strategies, and plans in order to successfully respond to and recover from a disruptive event impacting required resources (facility, technology, supplier, personnel, equipment, etc.).
• Emergency Management / Hospital Incident Command System (HICS) – responsible for the overall, hospital-wide management of an event, including decision making and objective/priority setting.
• Information Security (InfoSec) – responsible for developing and implementing security around IT systems and data and responding to events that may impact the confidentiality of information or availability due to compromised environments.
• IT Disaster Recovery (IT DR) – responsible for developing and implementing infrastructure and application-specific recovery strategies and plans in order to successfully respond to and recover from an interruption to the hospital’s data center or other technology assets.

REQUIREMENTS FOR HOSPITALS

The number one priority for hospitals is to provide continuous, superior care to patients, regardless of circumstance. This principle results in the need to invest time and resources in preparing for disruptive events. In addition, a number of external parties require hospitals to invest in preparedness measures, specifically the following:

• The Joint Commission (the group that evaluates hospitals to ensure high-quality care), and other accreditation bodies, require hospitals to implement emergency preparedness programs.
• The Centers for Medicare & Medicaid Services (CMS) requires the following for all Medicare and Medicaid providers:
  • Risk Assessment and Emergency Planning – Requires the development of an emergency plan based on an “all-hazards” risk assessment, focusing on capacities and capabilities.
  • Policies and Procedures – Requires the development and implementation of policies and procedures that support the execution of the emergency plan, including evacuation and shelter-in-place plans, tracking patients and staff during an incident, and ensuring the confidentiality of patient data.
  • Communications Planning – Requires hospitals to maintain updated contact information for staff and third-party resources and identify means to communicate with patients and other key stakeholders.
  • Training and Testing – Requires providers to conduct two exercises: one that is community-based, which can include responding to an actual event, and the other at the provider’s choice (e.g. an exercise for one facility).
• Hospitals that receive federal preparedness and response grants are required to implement an incident response framework that aligns with the National Incident Management System (NIMS; a FEMA initiative designed to achieve holistic community response to various threats and hazards).
• Government regulations (such as HIPAA) require hospitals to protect all medical information, including electronic medical records (EMRs), which requires a robust information security program.

To achieve these goals, most hospitals implement a Hospital Incident Command System (HICS).

HOSPITAL INCIDENT COMMAND SYSTEM (HICS)

What is a Hospital Incident Command System (HICS)? Per the HICS Guidebook (Fifth Edition, 2014), HICS is an incident management system that can be used by any hospital to manage threats, planned events, or emergency incidents. HICS is not a singular activity or plan; it is an overarching program or framework that helps to design, implement, maintain, and improve an emergency preparedness program. HICS is closely related to the National Incident Management System (NIMS) Incident Command System (ICS) mentioned above; however, HICS is specially adapted to meet the needs of hospitals, while ICS can be applied broadly to almost any public and private organization.

To implement HICS or find out more about the specific HICS framework and requirements, check out the HICS Guidebook and HICS forms. Per the HICS Guidebook, HICS forms are intended to “provide guidance for incident documentation, resource tracking, safety information, cost collection, and other critical activities within the Hospital Command Center.” The forms alone are not the solution to implement an emergency management program, but they are an excellent resource.

Most hospitals frequently use their HICS frameworks to effectively respond to emergency situations and continue delivering patient care. Ideally, HICS programs incorporate related disciplines, such as IT disaster recovery, information security, and business continuity. However, most organizations have implemented HICS with a focus on dealing with external disasters and mass casualty events, thus investing little time into planning for other events that could occur.

Increasing Focus on IT Disaster Recovery and Information Security

In addition to HICS, hospitals are focusing increasingly on IT disaster recovery capabilities and information security preparedness. Since hospitals are becoming more reliant on IT applications to store patients’ medical information, robust IT disaster recovery programs are needed to ensure applications are available to support medical professionals in treating patients. Technology is so engrained in providing patient care that oftentimes any amount of downtime for key systems would result in impacts to patient care. Therefore, hospitals focus on IT disaster recovery strategies to reduce downtime of systems and data loss. Furthermore, hospitals put in place “downtime procedures,” or manual workarounds, for critical systems where possible. This includes storing some patient information locally so that providers can access the information if the primary data source were unavailable. Additionally, hospitals have retained paper procedures, such as patient charting and ordering prescriptions, as backups to critical systems. Of note, although these workarounds are typically available at hospitals, oftentimes younger staff and day-shift staff are not adequately trained on these manual processes due to never having to use them. (Night-shift staff are typically required to use manual processes during system upgrades and older staff typically used the manual processes before the systems were installed.) Therefore, it is critical that hospitals’ IT disaster recovery programs encompass downtime procedure development and training.

Hospitals and healthcare providers are also focusing heavily on information security for several reasons:

1. The Health Insurance Portability and Accountability Act (HIPPA; 1996) requires patient data to be confidential. Information security is responsible for ensuring this confidentiality.
2. Information security incidents, such as ransomware, can cause system downtime and can directly result in patient harm. Hospitals continue to be a target for ransomware attacks, as hospitals are greatly impacted by system downtime.

To address information security, most hospitals have established information security programs. These programs implement and manage preventative measures, such as policies, training, and “hardening” environments, and response plans.

WHAT’S MISSING?

Until recently, the focus of many hospitals has solely been on establishing and maintaining a robust HICS program. In the past several years, hospitals have put significant efforts towards IT disaster recovery and information security programs. With these programs in place, are hospitals fully prepared to respond to any type of disruption? Oftentimes not.

The gap in preparedness comes from hospitals tending to use a narrow lens when considering the areas that should be in scope for preparedness efforts and the types of disruptions that could occur. HICS does a great job preparing for natural disasters and other community-wide events. IT disaster recovery and information security both reduce downtime of technology and prepare to respond and recover from these events. So, what’s missing?

Current hospital preparedness efforts neglect a few key disruptions that could occur. For example, HICS plans typically do not address strategies for a loss of third-party suppliers. The typical hospital preparedness measures and programs also tend to focus exclusively on patient care departments and neglect back-office or support departments. In doing so, support departments, such as Call Centers, Payroll, and Accounts Receivable, may have significant risks of downtime with no plans to recover. Sometimes these departments, if unavailable, can impact patient care. For example, downtime of the Call Center could prevent patients from scheduling appointments.

To address these gaps and ensure a complete preparedness program, hospitals implement a business continuity program that is integrated with existing efforts. The business continuity program should focus on:

1. Properly scoping program efforts to include departments supporting high-priority activities,
2. Assessing risks for in-scope departments in terms of likelihood and impact of resource downtime, and
3. Preparing in-scope departments to respond to any event impacting the availability of resources by documenting resource loss-based plans. Resources include facilities, technology, suppliers, equipment, personnel, and internal departments.

The HICS framework is flexible and can incorporate business continuity program elements, while serving as the overarching incident response framework. In fact, HICS has pre-defined roles for business continuity, which means integrating the two can be a natural evolution. The following section describes how to implement business continuity and integrate with current efforts to achieve a holistic hospital preparedness program.

HOW TO BUILD BUSINESS CONTINUITY IN HEALTHCARE

When creating your hospital’s business continuity program, ensure that it is properly integrated with existing HICS, IT disaster recovery, and information security planning processes by following the 6-step model below:

Create a Cross-Functional Steering Committee
The first key to successfully implementing an integrated preparedness program is to create an integrated, cross-functional group of management (i.e. steering committee) to oversee the preparedness effort of the hospital. Typically, the emergency management program will already have a management group that it reports to, so it may make sense to first look at this group to oversee the overall preparedness program. However, it is important to keep in mind that this group should truly be cross-functional, meaning it should have representation from emergency management, business continuity (clinical and support areas), IT disaster recovery, and information security.

Set Program Scope and Objectives
After the cross-functional steering committee is created, this group should set hospital-wide program objectives and priorities. These priorities may include:

• Protect employees and patients (emergency management)
• Provide care for patients in residence (e.g. hospitals, rehab, long-term care)
• Provide centralized, patient-facing activities
• Deliver outpatient services
• Execute critical back-office activities

Note: The priorities established by the steering committee can easily serve as the scoping mechanism for the business continuity business impact analysis (see next bullet).

Execute Business Impact Analysis
After the steering committee determines the program’s scope and objectives, the business continuity team should perform a business impact analysis (BIA) and risk assessment for in-scope departments throughout the hospital (see Ultimate Guide to the Business Impact Analysis  for more information on how to properly scope your BIA). The BIA and risk assessment determine the department’s critical activities and the impact of a disruption on them. In addition, the BIA identifies all dependencies relevant to critical activities, including technology, personnel, suppliers, equipment, and facilities. For all dependencies, the BIA/risk assessment identifies likely sources of risk, current-state controls to mitigate risk, and risk treatment options. The key outcome of the BIA is to set recovery time objectives for the resumption of critical activities to ensure the hospital’s capabilities align to requirements.

Develop Response and Recovery Strategies
Following the BIA and risk assessment, all teams should determine/review capabilities and strategies that enable the hospital to recover its critical activities and resources (including technology) within the recovery time objectives identified in the BIA.

Develop and Update Plans
Following the identification and implementation of strategies, all teams should use analysis outputs to develop/update emergency response, business continuity, IT disaster recovery, and information security plans. Together, these plans should ensure the hospital can respond and recover to the following scenarios:

• Facility Inaccessibility
• Personnel Unavailability
• Technology Outage
• Equipment Outage
• Patient Surge
• Supplier/Vendor Loss
• Information Security Event

Test and Exercise Plans
After all plans have been developed/updated, an integrated method should be used to test the plans. Since there is likely already a testing cycle in place for the emergency management team/plan, a key success factor for breaking down the silos between the preparedness programs is to integrate the business continuity exercises into the existing emergency management exercises. If possible, the hospital should also consider including IT disaster recovery tests and information security exercises within the scope of the emergency management tests.

CONCLUSION

Hospitals are experts at planning for and responding to community and facility emergency events using the HICS framework. Additionally, in recent years, hospitals have built increasingly mature IT disaster recovery and information security programs. However, most hospitals and healthcare providers do not account for business continuity in their preparedness programs, which can be a recipe for disaster. To ensure a holistic hospital preparedness program inclusive of business continuity, healthcare providers should use the following recipe:

BLUEPRINT FOR PREPAREDNESS

Components:

• Emergency Management / Hospital Incident Command System (HICS)
• IT Disaster Recovery (IT DR)
• Business Continuity (BC)
• Information Security (InfoSec)

How to build a hospital business continuity program:

1. Create cross-functional steering committee
2. Set program scope and objectives
3. Execute business impact analysis
4. Develop response and recovery strategies
5. Develop/update plans
6. Test/exercise plans

CONNECT WITH OUR TEAM

We help companies around the world build strong business continuity programs.

If you’re ready to get hands-on help to quickly get results, please book a strategy session with a member of my team today to:

• Discuss your program goals
• Explore your current challenges
• Discuss how to achieve your goals

Are you ready? Book a meeting here.