US hospital preparedness: the intersection of HICS, business continuity and IT disaster recovery
By Jacque Rupert.
The number one priority for hospitals is to provide continuous, superior care to patients, regardless of circumstance. This principle results in the need to invest time and resources in preparing for disruptive events. In addition, a number of external parties require hospitals to invest in preparedness measures:
Further, since hospitals are becoming more reliant on IT applications to store patients’ EMRs, robust IT disaster recovery programs are needed to ensure application uptime.
Until recently, the focus of many hospitals has solely been on establishing and maintaining robust HICS and IT disaster recovery programs. However, many hospitals have not involved clinical departments in preparing for a business interruption (e.g. loss of a facility, loss of personnel, loss of key supplier). In addition, many hospitals have not focused on preparing support departments (e.g., payroll, accounts receivable, call centers) for business or technology interruptions. These gaps can cause significant issues during a business interruption, including financial hardship for the hospital, inconsistencies between clinical and IT expectations, and a fundamental failure to continue providing quality care.
The solution to these challenges is integrating HICS and IT disaster recovery into a hospital-wide business continuity program that addresses all preparedness activities and prepares all hospital departments (clinical and support) for business and technology interruptions.
To ensure everyone has a common understanding of the terminology used throughout this article, I’ve provided definitions here:
How to create an integrated approach to preparedness – hospital preparedness lifecycle
When creating your hospital’s business continuity program, ensure that it is properly integrated with existing HICS and IT DR planning processes by following the six-step model below:
1. Create a cross functional steering committee
The first key to successfully implementing an integrated preparedness program is to create an integrated, cross functional group of management (i.e. steering committee) to oversee the preparedness effort of the hospital. Typically, the emergency management program will already have a group of management that it reports program status to, so it may make sense to first look at this group to oversee the overall preparedness program. However, it is important to keep in mind that this group should truly be cross functional, meaning it should have representation from emergency management, business continuity (clinical and support areas), and IT disaster recovery.
2. Set program scope and objectives
After the cross functional steering committee is created, this group should set hospital-wide program objectives and priorities. These priorities may include:
- Protect employees and patients (emergency management);
Note: the priorities established by the emergency management steering committee can easily serve as the scoping mechanism for the business continuity team’s BIA (see #3).
3. Execute business impact analysis
After the emergency management committee determines the program’s scope and objectives, the business continuity team should perform a business impact analysis (BIA) and risk assessment for in-scope departments throughout the hospital. A BIA and risk assessment determines the department’s critical activities and the impact of a disruption on them. In addition, the BIA identifies all dependencies relevant to critical activities, including technology, personnel, suppliers, equipment, and facilities. For all dependencies, the BIA/risk assessment identifies likely sources of risk, current-state controls to mitigate risk, and risk treatment options. The key outcome of the BIA is to set recovery time objectives for the resumption of critical activities to ensure the hospital’s capabilities align to requirements.
4. Develop response and recovery strategies
Following the BIA and risk assessment all teams should determine/review capabilities and strategies that enable the hospital to recover its critical activities and resources (including technology) within the recovery time objectives identified in the BIA.
5. Develop/update plans
Following the identification and implementation of strategies, all teams should use analysis outputs to develop/update emergency response, business continuity, and IT disaster recovery plans. Together, these plans should ensure the hospital can respond and recover to the following scenarios:
- Facility inaccessibility
6. Test/exercise plans
After all plans have been developed/updated, an integrated method should be used to test the plans. Since there is likely already a testing cycle in place for the emergency management team/plan, a key success factor for breaking down the silos between the preparedness programs is to integrate the business continuity exercises into the existing emergency management exercises. If possible, the hospital should also consider including IT disaster recovery tests within the scope of the emergency management test.
Implementing this integrated approach will allow your organization to establish common terminology and planning approaches, realize efficiencies caused by business-wide collaboration, and ensure that the hospital is prepared to provide care to patients, regardless of circumstance.
Author: Jacque Rupert is a senior consultant with Avalution Consulting: Business Continuity Consulting. http://www.avalution.com/Pages/default.aspx
•Date: 30th March 2012 • Region: US •Type: Article • Topic: Health sector