D4 BCP For Healthcare Organizations

Apr 21, 2018
BCP for Healthcare Organizations – The Next Step

Agenda for Presentation

• Re-evaluate your program

• Importance of Performing a Business Impact Analysis

• Business Unit participation and training

• GEMS – Why mistakes occur

• Regulations: HIPAA & JCAHO

• Recommendations

Differences in Healthcare

• Vast number of departments with revenue generation

• Speaking to clinicians – watch your language

• Get their titles correct

• Very busy, under-staffed

• Numerous functions still performed manually

• Funding for new projects is sparse (especially not clinically related funding)

• If a clinician is spending time on BC/DR, they are not healing patients or producing revenue

• Multiple platforms and numerous applications


Differences in Healthcare (Cont’d)

• “We have our own servers, IS can’t touch them”

• “The vendor used to help us with this, but our maintenance agreement ran out, so IS has to. . . .”

• Insurance Reimbursement differences – timing is an issue

• Many aspects of recovery broken up amongst multitude of departments (HIPAA Security, JCAHO Adherence, State Regulations, Emergency Management, IS DR, etc.) Do you work together?

• Does Sr. Management know the difference between BCP and DR?

• Security issues connected to HIPAA

Business Continuity Program Elements – Best Practices (DRII)

Pre-Planning

– Project Initiation & Management

– BIA & Risk Mitigation

– Cost Benefit Analysis & Selected Strategies

Planning

– Develop Disaster Recovery Strategies (Equipment & Backups)

– Emergency Response & Operations

– Develop and Implement DR Plans (Teams)

Post-Planning

– Awareness & Training

– Maintaining and Exercising the Plan

– Public Relations & Crisis Communication

– Coordination with Public Authorities

Evaluate Your Progress and Future Goals

• List goals you would like to accomplish in next 12-18 months

• If you are new to the organization, evaluate what has already been accomplished

• Every organization has strengths and weaknesses

• Estimate funding for these goals

• List resources for these goals

• Verify that management is on board

• Start implementing steps to achieve goals.


Project Initiation & Management

Using a formal project management system can guide your process.

• Has the scope of your program changed?

• Did you create more DR than BC, or vice versa?

• What is the readiness of the business units?

• Has Sr. Mngt’s vision changed? Stronger or weaker?

• If stronger, what do you still need to accomplish?

• Is Sr. Mngt. aware of your accomplishments? If not, make it so.

Risk Evaluation and Control

• Have your risks changed?

• Do you need to re-evaluate your risks and controls?

• Can you expand program to address additional risks with current resources?

• Has new technology replaced manual procedures?

• Are you working with your Security Group?

• Can you work with HIPAA group?

• Can you work with the Environmental Health & Safety Group?

• Do you have policies in place to reduce risk?

Business Impact Analysis

• Does Sr. Management need to be re-introduced to the issues you are facing?

• Has a BIA been performed within last 2 years?

• Are your RTOs the same as they were?

• Have mission critical systems changed?

• Who established mission criticalities and RTOs?

• If you re-circulated your BIA, could your questions be worded to be more effective?

• Is there additional data that would be appropriate to reveal at this time?


Business Impact Analysis (Cont’d)

• Have user departments’ requirements for recovery changed?

• Do departments have documented downtime procedures in place?

• Some departments will cooperate, some won’t.

• Position yourself to accomplish (Get Sr. Mngt. on your side)

Information Revealed Performing a BIA

• Lost opportunity to render patient care

• Identify the applications that have the largest financial exposure

• Reduced insurance reimbursements and receivables

• Reduced work value for existing staff & wage costs for additional staff

• Risk management and legal issues in patient care

• Cost of additional resources and other expenses

• Contractual penalties and fines

What to include in the BIA Report:

• Departmental resources required for recovery

• Time sensitivity issues relating to patient care

• Lost opportunity to render patient care

• The applications with largest financial exposure

• Reduced insurance reimbursements and receivables

• Reduced work value for existing staff & wage costs for additional staff

• Risk management and legal issues in patient care

• Critical in-flows & out-flows of productivity

• Cost of additional resources and other expenses

• Contractual penalties and fines


Advantages of Performing a BIA:

You will know:

– Which departments are better prepared than others.

– The financial and operational impacts of a significant outage.

– Which departments are reliant on specific applications.

– How much to spend on recovery solutions.

– What systems to include in a hot site or cold site.

– The Recovery Time Objectives (RTO).

It also:

– Boosts awareness of the importance of BC/DR Planning to the Hospital.

– Gives the data necessary for your Business Continuity/Disaster Recovery Plan to be the best it can be.

Inventory of IS Department

• How much has already been accomplished?

• Develop a separate survey form for the IS Department

• Interview each group leader within IS

• Inventory all equipment, systems, applications

• List each resource associated with each type of technology

• What applications are on all equipment?

• Is there a Tier Structure to recovery?

• Obtain equipment information: model, manufacturer, disk space, # of CPUs, location

• Do you have licensed software? Is data current?

• Has integrity of backup tapes been demonstrated by recovery?

• Obtain network diagrams, scripts, instructions, etc.

• Do they have written recovery procedures for equipment failure?

• Obtain detailed information on Vendor contracts & responsibilities.

Use this information to update your DR Plan


Get buy-in from management

It is important to advise senior management of the status of your work:

• The good work that has been accomplished

• The roadblocks you are facing

• Why your recommendations should be approved

• Use examples from other hospitals (BCPWHO)

• Where you need their assistance

Here’s how we did it -

Brochure of History and Goals

Develop a brochure with history of the growth of your organization

Example will be provided at conference.

Justifying Spending for Alternate Site

• Alternate DR site could be used as a lab for testing while not in use for disaster recovery.

• Alternate DR site could be where you place equipment not currently in use, so that it could be used for the lab.

• Training for employees on alternate equipment.

• Equipment could be totally configured and waiting (or better).

• Flexible testing schedules

• It’s the right thing to do for the KIDS!


Recovery Time Objective (RTO)

The Recovery Time Objective is the time between the point of disruption and the point at which Business Functions or Applications must be operational and updated to current status, i.e., business functions or application systems operational with current and accurate data.

Recovery Point Objective (RPO): The point in time at which data must be restored to in order to resume processing transactions.

Recovery Tiers

Tier 1 – High Availability

RTO: 4 Hours; RPO: < 1 Minute

Technology Solution (where possible):

• Servers geographically dispersed between data centers

• Clustered Servers

• Mirrored SAN (shared disk storage)

• Database geographically clustered and failover capable

• Application failover capable

Tier 2 – Hot Site

RTO: 12 – 24 Hours; RPO: < 1 Minute – 36 Hours

Technology Solution (where possible):

• Hot site server/disk available (e.g. test / development system, spare, vendor)

• Mirrored SAN or Daily vaulting / tape recovery

Tier 3 – Warm Site

RTO: 72 Hours or Beyond; RPO: 36 Hours

Technology Solution (where possible):

• Vendor quick ship contracts for server/disk equipment (72 Hours)

• Ad Hoc ordering of server/disk equipment (> 72 Hours)

• Daily vaulting / tape recovery

Assigning Application Priority

High Availability Recovery: 4 Hours or Better

• Enterprise Applications (SCM, EPIC, IDX)

• Selected Clinical Depts (Radiology, Lab, Pharmacy)

• Facilities Monitoring and Diagrams

• Remote Support

• Emergency Notification and Paging

• Interfaces

• Various Depts (HIM, ED, Cardio, Poison Ctl, PING, Long-Term Monitoring, etc.)

• ERP/Payroll (Lawson)

Hotsite Recovery: 12-24 Hours

• Email (Groupwise)

• Issue Tracking (Magic)

• Remote Users (Netilla)

• Departmental Operational Databases

Coldsite Recovery: 72 Hours and Beyond

• Departmental Informational Databases

• Productivity Tools (CCOW, reference databases)

• Reporting (EDW, Business Objects)

• Dept Appls (Wincoder, Ansos, PaceArt, Muse, etc.)

• Non-critical collection/reporting DBs

• Specialized, low user-base applications
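The tier table and the priority list above together describe how BIA requirements map onto recovery solutions. The following added example (not from the presentation) turns that mapping into a gap check: each application's BIA-stated RTO/RPO is matched to the cheapest tier that can meet it, then compared with the tier its current DR solution provides, so that under-protected and unprotected systems can be reported to senior management. Tier thresholds are the slide's figures (best case of each range); the application inventory is constructed sample data.

```python
"""Recovery-tier gap analysis over a BIA application inventory.

Added example, not code from the presentation. The tier thresholds are the
RTO/RPO figures from the slide's Recovery Tiers table (the best case of each
range); the application inventory is constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ONE_MINUTE_H = 1 / 60  # "< 1 Minute" RPO, expressed in hours

# tier number -> (recovery type, best RTO in hours, best RPO in hours)
# Tier 1: RTO 4 Hours, RPO < 1 Minute
# Tier 2: RTO 12-24 Hours, RPO < 1 Minute - 36 Hours (mirrored SAN or daily vaulting)
# Tier 3: RTO 72 Hours or Beyond, RPO 36 Hours (daily vaulting / tape recovery)
TIERS = {
    1: ("High Availability", 4.0, ONE_MINUTE_H),
    2: ("Hot Site", 12.0, ONE_MINUTE_H),
    3: ("Warm Site", 72.0, 36.0),
}


@dataclass
class Application:
    name: str
    required_rto_h: float        # BIA: maximum tolerable downtime, hours
    required_rpo_h: float        # BIA: maximum tolerable data loss, hours
    current_tier: Optional[int]  # tier of today's DR solution; None = not in the plan


def required_tier(rto_h: float, rpo_h: float) -> int:
    """Least expensive tier whose best RTO and RPO both meet the BIA requirement.

    Tiers are tried from cheapest (3) to most expensive (1). A requirement
    stricter than Tier 1 still maps to Tier 1, the slide's "4 Hours or Better".
    """
    for tier in (3, 2, 1):
        _, tier_rto, tier_rpo = TIERS[tier]
        if tier_rto <= rto_h and tier_rpo <= rpo_h:
            return tier
    return 1


def gap_report(apps: List[Application]) -> List[Tuple[str, int, Optional[int], str]]:
    """Compare each application's required tier against its current DR solution.

    UNDER-PROTECTED and NOT PROTECTED rows are the systems senior management
    should know are not covered by the DR plan at the level the BIA demands.
    """
    rows = []
    for app in apps:
        need = required_tier(app.required_rto_h, app.required_rpo_h)
        if app.current_tier is None:
            status = "NOT PROTECTED"
        elif app.current_tier > need:      # higher tier number = weaker recovery
            status = "UNDER-PROTECTED"
        elif app.current_tier < need:
            status = "OVER-PROVISIONED"
        else:
            status = "OK"
        rows.append((app.name, need, app.current_tier, status))
    return rows


# Constructed inventory; application categories follow the slide's priority list.
SAMPLE_INVENTORY = [
    Application("Enterprise clinical system", 4.0, ONE_MINUTE_H, 1),
    Application("Pharmacy", 4.0, ONE_MINUTE_H, 2),             # BIA demands HA, plan gives hot site
    Application("Email", 24.0, 24.0, 2),
    Application("Reporting / data warehouse", 96.0, 36.0, 1),  # HA spend on a 72h+ system
    Application("Departmental informational DB", 96.0, 36.0, None),
]

if __name__ == "__main__":
    for name, need, have, status in gap_report(SAMPLE_INVENTORY):
        print(f"{name:32} required Tier {need}  current {have!s:4}  {status}")
```

Re-running the report after each BIA refresh answers the slide's question of whether senior management knows which systems are not protected in the DR Plan.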


Pertinent Regulations

• Do you have HIPAA regs for DR covered?

• Do you have the JCAHO for DR requirements covered?

• Are policies in place to further your goals?

Joint Commission – Standards for 2006

Electronic systems must have a process for BC/DR as they impact the following:

• Periodic Testing – assure backup techniques are effective

• IS BC/DR Plan, identifying most critical information functions

• Plans for scheduled & unscheduled outages, with user training & downtime procedures

• Contingency Procedures for hardware & applications

• Emergency Service Plan

• Data retrieval & storage information

• Scheduled Downtime Plans

• A Back-up System (electronic or manual)

HIPAA Specifications

• DR/BCP falls under Security Section of HIPAA Regulations.

• There are 42 Standards; 22 of which are required. A “required” implementation specification must be implemented.

• An “addressable” implementation specification provides flexibility: the organization will do one of the following:

• (a) implement the addressable implementation specification,

• (b) implement one or more alternative security measures to accomplish the same purpose;

• (c) not implement either addressable or alternative (must document and justify why you are not taking any action).


HIPAA Requirements for Disaster Recovery (Required & Addressable)

Contingency Plan 164.308(a)(7): Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

(ii) Implementation Specifications:

– Data back-up plan (R)

– Disaster Recovery Plan (R)

– Emergency Mode Operation Plan (Downtime Procedures) (R)

– Testing and Revision Procedures (A)

– Applications and Data Criticality Analysis (A)

HIPAA Requirements for Disaster Recovery (Security Management Process)

• Under 164.308.1, the Security Management Process standard, the implementation specifications include:

• Risk Analysis (R)

• Risk Management (R)

• Sanction Policy (R)

• Information system activity review (R)

• Assigned security responsibility (R)

You will want to speak to your HIPAA Compliance Officer for more details.

Examples of Effective Policies:

Senior management must sign off on all of these policies.

Emergency Preparedness Procedures

– Policy for individual departments to follow outlining emergency response (not system related).

Downtime Procedure (BCP) Policy

– Policy for individual departments to follow when computer systems are not available.

– Policy to outline how department is to respond to a disaster.

– Training and testing requirements for departmental staff.

Disaster Recovery Hardware and Software Policy

– Procedures for IT for implementing any new systems, h/w, s/w, updates, etc.

– Checklist to follow prior to “live” date being approved.


Go-Live Authorization Policy

Standard Phases that must be signed off prior to GO-LIVE:

1. Appropriate testing has been successfully accomplished, with the approvals of System Owner. Verified by: _______ Date:_____

2. Sufficient end user training has occurred and the appropriate reference resources are available for end user use. Verified by: _______ Date:_____

3. Workflows have been analyzed for system impact, and procedures (e.g., operating, system use, and/or administrative procedures) have been revised or developed to document approved practices and protocols. Verified by: _______ Date:_____

4. System HIPAA Compliance is evidenced in system design, system administration policies relating to access and security, and system use procedures. Verified by: _______ Date:_____

5. Downtime procedures have been developed and approved, and appropriately distributed (including to the Help Desk). Verified by: _______ Date:_____

6. HIP Help Desk Technical staff have been in-serviced on the system and provided with the appropriate documentation (including problem response scripts) to respond to problem calls. Verified by: _______ Date:_____

7. Disaster recovery procedures have been fully developed, tested, and approved by the DR/BCP Group. Verified by: _______ Date:_____

Approvals: Go Live Authorization is for __/__/__ ___:___ AM/PM

System Owner: _____________________ IS Department: ___________________

Emergency Response – Some issues to think about:

• Is every employee accounted for? Tested?

• Night and day contact numbers for all.

• Designated primary and alternate assembly areas during evacuation?

• Employee emergency info phone line for communication and updates

• Laminated wallet card, brochure, etc.

• Bridge conference line established for BCP/DR?

• Have you accounted for shift requirements?

• Has your Emergency Response been tested?

Why do we need documentation and exercises? Understanding Human Behavior

Generic Error Modeling System (GEMS)

• Skills, Rules & Knowledge based information

• The degree of conscious control exercised by the individual over his activities

• Calculates error rate potential for activities


Skill, Rule, Knowledge - Error Rates

Skill Based – 1/1000 Error Rate

• Skilled, routine, repetitive, muscle memory

• Frequently exercised

Rule Based – 1/100 Error Rate

• Rules to follow, policies, manuals

• Documented rules & procedures

Knowledge Based – 1/10 Error Rate

• Use of the knowledge obtained through experience only

• Makes decisions from experience

Having exercised BC Plans reduces error rate

• Do you have documented BC Plans for all departments?

• Is there a policy to mandate annual review & testing?

• Do you provide a template for BC Plan?

• Do you provide standard testing and signoff form?

• Have you graduated from downtime procedures to BC Plans for departments?

Maintaining and Exercising the Plans - BC

Inventory what you already have in place:

• Use list of departments from BIA

• Categorize departments by functions

• Establish a template for BCP

• Provide assistance to departments by speaking to their staff

• Work with specific individuals to develop BCP

• Assist in training their employees – tabletop

• Send annual notices to update and review.


Established Downtime Procedures (chart: % of Respondents)

Categories surveyed: Have Manual Procedures; Able to convert immediately to manuals; Have Tested Manual Procedures; Cannot function more than 3 days w/o applications; Able to convert within 12 hours to manuals; Have documented manual procedures; Have updated manual procedures.

Values reported on the chart: 80%, 57%, 51%, 43%, 27%, 26%, 21%.

Example of why to exercise plans: Relocation of a clinical department – using your downtime procedures

Who needs to be involved:

• Facilities

• Security

• Environmental Health & Safety

• Information Services

• The moving department

• Housekeeping

• Food services

• Other departments

Remember, you are the coach calling the plays

Relocation Study

• Small incident in ED Reception Area

• Interior window pane broke and fell 6 floors in atrium

• Happened at 1:45 am, no one injured

• ED waiting area had to be closed

• BCP manager called in

• Activated Teams – who’s in charge?

• Set up alternate location for ED to work for several days

• Coordination of many departments to assist

• Relocated ED back after several days

• Patient Safety primary concern


Developing and Implementing DR Plans

• Is your IT DR plan comprehensive?

• Is it tested annually?

• When changes occur, do you test them?

• Are staff members cross-trained on recovery?

• Do you update Plan after it is tested?

• Does all of IT know that they have a Plan?

• Does Sr. Mngt. know what systems are not protected in the DR Plan?

Awareness & Training

• Does Sr. Mngt. perform annual testing (tabletop)?

• Do you meet monthly for training in DR and/or BC with Teams?

• Do you speak annually to whole organization?

• Do you speak to Leadership? (Quarterly?)

• Walk around an area and ask an employee you don’t know personally what they know about their BC/DR Plan. (Be prepared for answers.)

Recovery & Training Aids

• Emergency response Flyer with critical contact numbers

• Laminated contact cards

• Employee listing (for use in evacuations)

• Established emergency contact voice mail

• Monthly group meetings

• Established conference call bridge line

• Listing of all vendors

• Printed (up-to-date) recovery plans


Tabletop Exercises: Downtime Workshops

• Design a working session with clinicians and some key Leaders

• Develop patient care scenarios

• No computer systems or network available (Phones and faxes, too?)

• Invite more than you want – they won’t all be able to attend.

• Set up the room so that conversation flows

• Use easel for documenting “issues”

• Provide refreshments

• Show a brief slide show to get them in the mode

Workshop

• Scenario:

– Scenario to physicians/residents

– Scenario to nurses

– Scenario for clerks

• Work through each task

• Document “issues”

• Explain planned deliverables from session:

– Laminated cards

– Updated Downtime Boxes, etc.

Dealing with Internal Audit

• Find out the auditing schedule

• Do you have IT/DR/BCP specific audits?

• Do you work with the same auditor?

• Some background information necessary for auditor

• Review your policies prior to meeting with auditor

• Make them a friend, they can assist in your cause

• Be cooperative and helpful, they have a tough job too!


Maintaining and Exercising the Plans - DR

• Do you have an alternate site for IT staff, not just for recovery hardware?

• Has Sr. Mngt. been involved in or made aware of testing and results?

• Is Plan tested annually and updated in timely fashion?

• Is equipment in plan up-to-date?

• Do you have individual hardware recovery steps documented – or is it mostly in the heads of the staff?

• Is Plan mature enough to call an unscheduled test?

• Is updated Plan distributed to key personnel?

• How do you mandate that old Plan materials be destroyed?

• Has distribution list changed?

• Does IT Staff know they have a Plan?

Public Relations and Crisis Communication

• Has Marketing approved Sr. Mngt. Statements?

• Is Sr. Mngt. aware of process and statement?

• Have you tested call tree for hospital(s)?

• Have current contact numbers for all management (day and evening)

• Train on when and where to meet

• Plan to evacuate mobility impaired employees

• Have you created relationship with key groups?

• Do you have a succession plan for key employees?

Summary: How to Get Started

• If you are new to the organization, do your own assessment of what is needed and what is already in place.

• Make a list of what you want to accomplish to be successful.

• Meet with Sr. Mngt. to obtain commitment and define scope and future objectives.

• Collect a list of all departments and department heads.

• If individual departmental BC plans are not established, develop a template for departments to follow.

• Inventory and/or implement pertinent Policies and get backing to enforce them.

• Compile hardware and software lists.

• Be a promoter!

How do you eat an elephant? One piece at a time. You can’t get it all done right away.


YOU CAN DO IT!