Hospital Preparedness: The Intersection of HICS, Business Continuity and IT Disaster Recovery

Avalution Team | Mar 26, 2012

The number one priority for hospitals is to provide continuous, superior care to patients, regardless of circumstance. This principle results in the need to invest time and resources in preparing for disruptive events. In addition, a number of external parties require hospitals to invest in preparedness measures:


  • The Joint Commission (and other accreditation bodies) requires hospitals to have an emergency preparedness (HICS) program; and
  • Government regulations (such as HIPAA) require hospitals to protect all medical information, including electronic medical records (EMRs), which requires a robust information security program.

Further, since hospitals are becoming more reliant on IT applications to store patients’ EMRs, robust IT disaster recovery programs are needed to ensure application uptime.

Until recently, the focus of many hospitals has solely been on establishing and maintaining robust HICS and IT disaster recovery programs. However, many hospitals have not involved clinical departments in preparing for a business interruption (e.g. loss of a facility, loss of personnel, loss of key supplier). In addition, many hospitals have not focused on preparing support departments (e.g., payroll, accounts receivable, call centers) for business or technology interruptions. These gaps can cause significant issues during a business interruption, including financial hardship for the hospital, inconsistencies between clinical and IT expectations, and a fundamental failure to continue providing quality care.

The solution to these challenges is integrating HICS and IT disaster recovery into a hospital-wide business continuity program that addresses all preparedness activities and prepares all hospital departments (clinical and support) for business and technology interruptions.


To ensure everyone has a common understanding of the terminology used throughout this article, I’ve provided definitions here:

  • Emergency Management / Hospital Incident Command System (HICS) – responsible for the overall, hospital-wide management of an event, including decision making and objective/priority setting. At its best, emergency management and HICS programs incorporate IT disaster recovery and business continuity as defined below (HICS has predefined roles for business continuity coordinators). However, most organizations have implemented HICS with a focus on dealing with external disasters and mass casualty events, thus investing little time into planning for disasters that could affect the organization’s facility, people or technology.
  • IT Disaster Recovery (IT DR) – responsible for developing and implementing infrastructure and application-specific recovery strategies and plans in order to successfully respond to and recover from an interruption to the hospital’s data center.
  • Business Continuity (BC) – responsible for developing and implementing department-specific recovery requirements, strategies and plans in order to successfully respond to and recover from a disruptive event that impacts department-level staff, patients, and deliverables.


When creating your hospital’s business continuity program, ensure that it is properly integrated with existing HICS and IT DR planning processes by following the 6-step model below:

Hospital Preparedness Lifecycle

  1. Create a Cross Functional Steering Committee
    The first key to successfully implementing an integrated preparedness program is to create an integrated, cross functional group of management (i.e. steering committee) to oversee the preparedness effort of the hospital. Typically, the emergency management program will already have a group of management that it reports program status to, so it may make sense to first look at this group to oversee the overall preparedness program. However, it is important to keep in mind that this group should truly be cross functional, meaning it should have representation from emergency management, business continuity (clinical and support areas), and IT disaster recovery.
  2. Set Program Scope and Objectives
    After the cross functional steering committee is created, this group should set hospital-wide program objectives and priorities. These priorities may include:
    – Protect employees and patients (emergency management)
    – Continue operations for facilities with “patients in residence” (e.g. hospitals, rehab, long-term care)
    – Continue centralized patient facing activities
    – Execute critical back-office activities
    – Deliver outpatient services
    Note: the priorities established by the Emergency Management steering committee can easily serve as the scoping mechanism for the Business Continuity team’s BIA (see #3).
  3. Execute Business Impact Analysis
    After the Emergency Management Committee determines the program’s scope and objectives, the Business Continuity team should perform a business impact analysis (BIA) and risk assessment for in-scope departments throughout the hospital (see Achieving Meaningful Results: Establishing the Context for Your BIA for more information on how to properly scope your BIA). A BIA and risk assessment determines the department’s critical activities and the impact of a disruption on them. In addition, the BIA identifies all dependencies relevant to critical activities, including technology, personnel, suppliers, equipment, and facilities. For all dependencies, the BIA/risk assessment identifies likely sources of risk, current-state controls to mitigate risk, and risk treatment options. The key outcome of the BIA is to set recovery time objectives for the resumption of critical activities to ensure the hospital’s capabilities align to requirements.
  4. Develop Response and Recovery Strategies
    Following the BIA and risk assessment, all teams should determine/review capabilities and strategies that enable the hospital to recover its critical activities and resources (including technology) within the recovery time objectives identified in the BIA.
  5. Develop/Update Plans
    Following the identification and implementation of strategies, all teams should use analysis outputs to develop/update emergency response, business continuity, and IT disaster recovery plans. Together, these plans should ensure the hospital can respond to and recover from the following scenarios:
    – Facility Inaccessibility
    – Personnel Unavailability
    – Technology Outage
    – Equipment Outage
    – Patient Surge
    – Supplier/Vendor Loss
  6. Test/Exercise Plans
    After all plans have been developed/updated, an integrated method should be used to test the plans. Since there is likely already a testing cycle in place for the emergency management team/plan, a key success factor for breaking down the silos between the preparedness programs is to integrate the business continuity exercises into the existing emergency management exercises. If possible, the hospital should also consider including IT disaster recovery tests within the scope of the emergency management test.


Implementing this integrated approach will allow your organization to establish common terminology and planning approaches, realize efficiencies caused by business-wide collaboration, and ensure that the hospital is prepared to provide care to patients, regardless of circumstance. For more information on how to incorporate business continuity into your existing emergency management program, see our perspective The Four Missing Keys to Business Continuity Management in Healthcare.


Jacque Rupert
Avalution Consulting: Business Continuity Consulting