BCP for Healthcare Organizations – The Next Step
Agenda for Presentation
• Re-evaluate your program
• Importance of Performing a Business Impact Analysis
• Business Unit participation and training
• GEMS – Why mistakes occur
• Regulations: HIPAA & JCAHO
• Recommendations
Differences in Healthcare
• Vast number of departments with revenue generation
• Speaking to clinicians – watch your language
• Get their titles correct
• Very busy, under-staffed
• Numerous functions still performed manually
• Funding for new projects is sparse (especially for projects that are not clinically related)
• If a clinician is spending time on BC/DR, they are not healing patients or producing revenue
• Multiple platforms and numerous applications
Differences in Healthcare (cont'd)
• “We have our own servers, IS can’t touch them”
• “The vendor used to help us with this, but our maintenance agreement ran out, so IS has to. . . .”
• Insurance Reimbursement differences – timing is an issue
• Many aspects of recovery broken up amongst multitude of departments (HIPAA Security, JCAHO Adherence, State Regulations, Emergency Management, IS DR, etc.) Do you work together?
• Does Sr. Management know the difference between BCP and DR?
• Security issues connected to HIPAA
Business Continuity Program Elements – Best Practices (DRII)
Pre-Planning
• Project Initiation & Management
• BIA & Risk Mitigation
• Cost Benefit Analysis & Selected Strategies
Planning
• Develop Disaster Recovery Strategies (Equipment & Backups)
• Emergency Response & Operations
• Develop and Implement DR Plans (Teams)
Post-Planning
• Awareness & Training
• Maintaining and Exercising the Plan
• Public Relations & Crisis Communication
• Coordination with Public Authorities
Evaluate Your Progress and Future Goals
• List goals you would like to accomplish in next 12-18 months
• If you are new to the organization, evaluate what has already been accomplished
• Every organization has strengths and weaknesses
• Estimate funding for these goals
• List resources for these goals
• Verify that management is on board
• Start implementing steps to achieve goals.
Project Initiation & Management
Using a formal project management system can guide your process.
• Has the scope of your program changed?
• Did you create more DR than BC, or vice versa?
• What is the readiness of the business units?
• Has Sr. Mngt.'s vision changed? Stronger or weaker?
• If stronger, what do you still need to accomplish?
• Is Sr. Mngt. aware of your accomplishments? If not, make it so.
Risk Evaluation and Control
• Have your risks changed?
• Do you need to re-evaluate your risks and controls?
• Can you expand program to address additional risks with current resources?
• Has new technology replaced manual procedures?
• Are you working with your Security Group?
• Can you work with the HIPAA group?
• Can you work with the Environmental Health & Safety Group?
• Do you have policies in place to reduce risk?
Business Impact Analysis
• Does Sr. Management need to be re-introduced to the issues you are facing?
• Has a BIA been performed within last 2 years?
• Are your RTOs the same as they were?
• Have mission critical systems changed?
• Who established mission criticalities and RTOs?
• If you re-circulated your BIA, could your questions be worded to be more effective?
• Is there additional data that would be appropriate to reveal at this time?
Business Impact Analysis (cont'd)
• Have user departments' requirements for recovery changed?
• Do departments have documented downtime procedures in place?
• Some departments will cooperate, some won’t.
• Position yourself to accomplish (Get Sr. Mngt. on your side)
Information Revealed by Performing a BIA
• Lost opportunity to render patient care
• The applications that have the largest financial exposure
• Reduced insurance reimbursements and receivables
• Reduced work value for existing staff & wage costs for additional staff
• Risk management and legal issues in patient care
• Cost of additional resources and other expenses
• Contractual penalties and fines
What to include in the BIA Report:
• Departmental resources required for recovery
• Time sensitivity issues relating to patient care
• Lost opportunity to render patient care
• The applications with largest financial exposure
• Reduced insurance reimbursements and receivables
• Reduced work value for existing staff & wage costs for additional staff
• Risk management and legal issues in patient care
• Critical in-flows & out-flows of productivity
• Cost of additional resources and other expenses
• Contractual penalties and fines
Advantages of Performing a BIA:
You will know:
– Which departments are better prepared than others.
– The financial and operational impacts of a significant outage.
– Which departments are reliant on specific applications.
– How much to spend on recovery solutions.
– What systems to include in a hot site or cold site.
– The Recovery Time Objectives (RTOs).
It also:
– Boosts awareness of the importance of BC/DR planning to the hospital.
– Gives the data necessary for your Business Continuity/Disaster Recovery Plan to be the best it can be.
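As an added example of the applications and data criticality analysis that a BIA feeds (written for this page; it is not part of the presentation), the Python script below rolls constructed per-department survey answers up into one criticality row per application: the hourly financial exposure summed across every dependent department, the application's RTO set by the tightest dependent, and a hot/warm/cold recovery tier. The department and application names, the dollar figures and the tiering thresholds are all assumptions of the example, not figures from any hospital or standard.

```python
"""Applications and data criticality analysis from BIA survey answers.

Added example (not from the presentation). Each record is one department's
answer about one application: the hourly loss while that application is
down, the longest outage the department says it can tolerate, and whether
time-sensitive patient care depends on it. All names and figures are
constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BiaResponse:
    department: str
    application: str
    hourly_loss_usd: float           # reimbursement, wage and penalty exposure per hour
    max_tolerable_downtime_h: float  # department's stated maximum tolerable downtime
    patient_care_impact: bool        # time-sensitive patient care relies on the app


# Constructed survey data, not measurements from any hospital.
SAMPLE_RESPONSES: List[BiaResponse] = [
    BiaResponse("Emergency Dept", "EHR", 12000, 2, True),
    BiaResponse("Pharmacy", "EHR", 4000, 4, True),
    BiaResponse("Radiology", "PACS", 6000, 8, True),
    BiaResponse("Emergency Dept", "PACS", 3000, 4, True),
    BiaResponse("Patient Accounts", "Billing", 9000, 72, False),
    BiaResponse("Human Resources", "Payroll", 1500, 120, False),
]


@dataclass
class AppCriticality:
    application: str
    dependent_departments: List[str]
    hourly_exposure_usd: float   # summed across every dependent department
    rto_hours: float             # tightest tolerable downtime among dependents
    patient_care: bool
    tier: int                    # 1 = hot site, 2 = warm site, 3 = restore from backup


def recovery_tier(rto_hours: float, patient_care: bool) -> int:
    """Assumed tiering rule (an assumption of this example, not a standard):
    anything patient-care related or needing recovery within 4 hours is
    tier 1, within a day tier 2, everything else tier 3."""
    if patient_care or rto_hours <= 4:
        return 1
    if rto_hours <= 24:
        return 2
    return 3


def analyze(responses: List[BiaResponse]) -> List[AppCriticality]:
    """Roll the per-department answers up to one criticality row per application.

    The application's RTO is the minimum tolerable downtime of any dependent
    department: the tightest consumer sets the recovery target, otherwise the
    department with the most lenient answer would drive the hot-site decision.
    """
    by_app: Dict[str, List[BiaResponse]] = defaultdict(list)
    for r in responses:
        by_app[r.application].append(r)

    rows = []
    for app, answers in by_app.items():
        rto = min(a.max_tolerable_downtime_h for a in answers)
        care = any(a.patient_care_impact for a in answers)
        rows.append(AppCriticality(
            application=app,
            dependent_departments=sorted({a.department for a in answers}),
            hourly_exposure_usd=sum(a.hourly_loss_usd for a in answers),
            rto_hours=rto,
            patient_care=care,
            tier=recovery_tier(rto, care),
        ))
    # Most critical first: by tier, then by financial exposure.
    rows.sort(key=lambda c: (c.tier, -c.hourly_exposure_usd))
    return rows


def projected_loss(rows: List[AppCriticality], application: str, outage_hours: float):
    """Projected dollar loss for an outage of the given length and whether it
    breaches the application's RTO. Returns (loss_usd, rto_breached)."""
    row = next(c for c in rows if c.application == application)
    return row.hourly_exposure_usd * outage_hours, outage_hours > row.rto_hours


if __name__ == "__main__":
    for c in analyze(SAMPLE_RESPONSES):
        print(f"tier {c.tier}  {c.application:8} RTO {c.rto_hours:>4}h  "
              f"${c.hourly_exposure_usd:>8,.0f}/h  {', '.join(c.dependent_departments)}")
```

The point of rolling up by application rather than by department is the one the slide makes: a single application can carry several departments' exposure, and the department that can least afford to wait (here the ED's two-hour answer for the EHR) is the one that sets the RTO and the hot-site decision.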
Inventory of IS Department
• How much has already been accomplished?
• Develop a separate survey form for the IS Department
• Interview each group leader within IS
• Inventory all equipment, systems, applications
• List each resource associated with each type of technology
• Do you have the JCAHO DR requirements covered?
• Are policies in place to further your goals?
Joint Commission – Standards for 2006
Electronic systems must have a process for BC/DR as they impact the following:
• Periodic testing – assure backup techniques are effective
• IS BC/DR plan identifying the most critical information functions
• Plans for scheduled and unscheduled outages, with user training and downtime procedures
• Contingency procedures for hardware and applications
• Emergency service plan
• Data retrieval and storage information
• Scheduled downtime plans
• A backup system (electronic or manual)
HIPAA Specifications
• DR/BCP falls under the Security Rule section of the HIPAA regulations.
• The Security Rule's standards carry 42 implementation specifications; 20 are "required" and 22 are "addressable". A "required" implementation specification must be implemented as written.
• An "addressable" implementation specification provides flexibility: after assessing whether it is reasonable and appropriate in your environment, you must do one of the following and document the decision:
• (a) implement the addressable implementation specification;
• (b) implement one or more alternative security measures that accomplish the same purpose;
• (c) implement neither, documenting why neither the specification nor an alternative is reasonable and appropriate.
HIPAA Requirements for Disaster Recovery (Required & Addressable)
Contingency Plan 164.308(a)(7)(i): Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
(ii) Implementation Specifications:
– Data Backup Plan (R)
– Disaster Recovery Plan (R)
– Emergency Mode Operation Plan (Downtime Procedures) (R)
– Testing and Revision Procedures (A)
– Applications and Data Criticality Analysis (A)
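The Joint Commission item "periodic testing – assure backup techniques are effective" and the HIPAA data backup plan and testing and revision procedures above are only demonstrated by actually restoring. The Python script below is an added example (written for this page; not from the presentation, the Joint Commission standards or the HIPAA rule text) of a restore drill: it backs up a throwaway directory tree with a SHA-256 manifest, restores it into a fresh directory, and checks every manifest entry so that a missing or silently corrupted file is reported by the drill rather than discovered during a real outage. The directory layout and file contents are constructed sample data.

```python
"""Backup restore drill with manifest verification.

Added example, not from the presentation, the Joint Commission standards or
the HIPAA rule text. It takes a backup of a throwaway directory tree, records
a SHA-256 manifest, restores the backup into a fresh directory and then checks
every manifest entry, so a missing or silently corrupted file shows up in a
drill report rather than during a real outage. The directory layout and file
contents are constructed sample data; a restore target must be protected like
production when the real data is ePHI.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_backup(source: Path, backup_dir: Path) -> Path:
    """Copy `source` into backup_dir/data and write manifest.json with one
    hash per file, keyed by the path relative to the tree root."""
    data = backup_dir / "data"
    shutil.copytree(source, data)
    manifest = {p.relative_to(data).as_posix(): sha256_of(p)
                for p in data.rglob("*") if p.is_file()}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    return backup_dir


def restore_backup(backup_dir: Path, target: Path) -> None:
    """Simulated restore: bring the backed-up tree into an empty target."""
    shutil.copytree(backup_dir / "data", target)


def verify_restore(backup_dir: Path, restored: Path) -> Dict[str, object]:
    """Check the restored tree against the manifest written at backup time.

    Reports files that are missing, files whose content no longer matches
    (bad media, partial restore, tampering) and files present in the restore
    that the manifest never listed.
    """
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        candidate = restored / rel
        if not candidate.is_file():
            missing.append(rel)
        elif sha256_of(candidate) != expected:
            corrupted.append(rel)
    extra = sorted(p.relative_to(restored).as_posix()
                   for p in restored.rglob("*")
                   if p.is_file() and p.relative_to(restored).as_posix() not in manifest)
    return {
        "ok": not (missing or corrupted),
        "checked": len(manifest),
        "missing": sorted(missing),
        "corrupted": sorted(corrupted),
        "extra": extra,
    }


def run_drill(corrupt_one: bool = False) -> Dict[str, object]:
    """End-to-end drill on a constructed tree. With corrupt_one=True one
    restored file is overwritten to imitate a damaged backup medium."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        prod = root / "prod"
        (prod / "db").mkdir(parents=True)
        (prod / "db" / "patients.dat").write_bytes(b"constructed sample record\n" * 200)
        (prod / "config.ini").write_text("[ehr]\nmode=normal\n")

        backup = take_backup(prod, root / "backup")
        restored = root / "restored"
        restore_backup(backup, restored)
        if corrupt_one:
            (restored / "db" / "patients.dat").write_bytes(b"truncated")
        return verify_restore(backup, restored)


if __name__ == "__main__":
    print("clean restore:", run_drill())
    print("damaged medium:", run_drill(corrupt_one=True))
```

Two practical notes: the manifest is written at backup time, so a drill that passes proves the restore matches what was backed up, not that the backup captured everything the application needs (pair it with the application's own consistency check after restore); and a restored copy of ePHI is ePHI, so the restore target needs the same access controls as production and the drill report, not the restored data, is what you keep as evidence of the periodic test.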
HIPAA Requirements for Disaster Recovery (Security Management Process)
• Under 164.308(a)(1), the Security Management Process standard, the implementation specifications are:
• Risk Analysis (R)
• Risk Management (R)
• Sanction Policy (R)
• Information System Activity Review (R)
• Assigned Security Responsibility is a separate standard, 164.308(a)(2), and is itself required.
You will want to speak to your HIPAA Compliance Officer for more details.
Examples of Effective Policies:
Senior management must sign off on all of these policies.
Emergency Preparedness Procedures
– Policy for individual departments to follow outlining emergency response (not system related).
Downtime Procedure (BCP) Policy
– Policy for individual departments to follow when computer systems are not available.
– Policy to outline how the department is to respond to a disaster.
– Training and testing requirements for departmental staff.
Disaster Recovery Hardware and Software Policy
– Procedures for IT for implementing any new systems, h/w, s/w, updates, etc.
– Checklist to follow prior to the "live" date being approved.
Go-Live Authorization Policy
Standard phases that must be signed off prior to GO-LIVE:
1. Appropriate testing has been successfully accomplished, with the approval of the System Owner. Verified by: _______ Date:_____
2. Sufficient end user training has occurred and the appropriate reference resources are available for end user use. Verified by: _______ Date:_____
3. Workflows have been analyzed for system impact, and procedures (e.g., operating, system use, and/or administrative procedures) have been revised or developed to document approved practices and protocols. Verified by: _______ Date:_____
4. System HIPAA compliance is evidenced in system design, system administration policies relating to access and security, and system use procedures. Verified by: _______ Date:_____
5. Downtime procedures have been developed and approved, and appropriately distributed (including to the Help Desk). Verified by: _______ Date:_____
6. HIP Help Desk technical staff have been in-serviced on the system and provided with the appropriate documentation (including problem response scripts) to respond to problem calls. Verified by: _______ Date:_____
7. Disaster recovery procedures have been fully developed, tested, and approved by the DR/BCP Group. Verified by: _______ Date:_____
Approvals: Go Live Authorization is for __/__/__ ___:___ AM/PM
System Owner: _____________________ IS Department: ___________________
Emergency Response – Some issues to think about:
• Is every employee accounted for? Tested?
• Night and day contact numbers for all.
• Designated primary and alternate assembly areas during evacuation?
• Employee emergency info phone line for communication and updates
• Laminated wallet card, brochure, etc.
• Bridge conference line established for BCP/DR?
• Have you accounted for shift requirements?
• Has your Emergency Response been tested?
Why do we need documentation and exercises? Understanding human behavior
Generic Error Modeling System (GEMS)
• Distinguishes skill-, rule- and knowledge-based performance
• Based on the degree of conscious control the individual exercises over his or her activities
• Estimates the error rate potential for activities
Skill, Rule, Knowledge - Error Rates
Skill based (error rate 1/1000): skilled, routine, repetitive, muscle memory; frequently exercised.
Rule based (error rate 1/100): rules to follow, policies, manuals; documented rules & procedures.
Knowledge based (error rate 1/10): use of the knowledge obtained through experience only; makes decisions from experience.
Having exercised BC Plans reduces error rate
• Do you have documented BC Plans for all departments?
• Is there a policy to mandate annual review & testing?
• Do you provide template for BC Plan?
• Do you provide standard testing and signoff form?
• Have you graduated from downtime procedures to BC Plans for departments?
Maintaining and Exercising the Plans - BC
Inventory what you already have in place:
• Use list of departments from BIA
• Categorize departments by functions
• Establish a template for BCP
• Provide assistance to departments by speaking to their staff
• Work with specific individuals to develop BCP
• Assist in training their employees – tabletop
• Send annual notices to update and review.
[Bar chart: Established Downtime Procedures, % of respondents. Categories: have manual procedures; able to convert immediately to manuals; have tested manual procedures; cannot function more than 3 days without applications; able to convert within 12 hours to manuals; have documented manual procedures; have updated manual procedures. Bar values shown: 80%, 57%, 51%, 43%, 27%, 26%, 21%.]
Example of why to exercise plans: Relocation of a clinical department – using your downtime procedures
Who needs to be involved:
• Facilities
• Security
• Environmental Health & Safety
• Information Services
• The moving department
• Housekeeping
• Food services
• Other departments
Remember, you are the coach calling the plays
Relocation Study
• Small incident in ED reception area
• Interior window pane broke and fell six floors into the atrium
• Happened at 1:45 am, no one injured
• ED waiting area had to be closed
• BCP manager called in
• Activated teams – who's in charge?
• Set up alternate location for ED to work for several days
• Coordination of many departments to assist
• Relocated ED back after several days
• Patient safety primary concern
Developing and Implementing DR Plans
• Is your IT DR plan comprehensive?
• Is it tested annually?
• When changes occur, do you test them?
• Are staff members cross-trained on recovery?
• Do you update Plan after it is tested?
• Does all of IT know that they have a Plan?
• Does Sr. Mngt. know what systems are not protected in the DR Plan?
Awareness & Training
• Does Sr. Mngt. perform annual testing (tabletop)?
• Do you meet monthly for training in DR and/or BC with Teams?
• Do you speak annually to whole organization?
• Do you speak to Leadership? (Quarterly?)
• Walk around an area and ask an employee you don’t know personally what they know about their BC/DR Plan. (Be prepared for answers.)
Recovery & Training Aids
• Emergency response Flyer with critical contact numbers
• Laminated contact cards
• Employee listing (for use in evacuations)
• Established emergency contact voice mail
• Monthly group meetings
• Established conference call bridge line
• Listing of all vendors
• Printed (up-to-date) recovery plans
Tabletop Exercises: Downtime Workshops
• Design a working session with clinicians and some key Leaders
• Develop patient care scenarios
• No computer systems or network available (Phones and faxes, too?)
• Invite more than you want – they won’t all be able to attend.
• Set up the room so that conversation flows
• Use easel for documenting “issues”
• Provide refreshments
• Show a brief slide show to get them in the right frame of mind
Workshop
• Scenario:
– Scenario to physicians/residents
– Scenario to nurses
– Scenario for clerks
• Work through each task
• Document “issues”
• Explain planned deliverables from session:
– Laminated cards
– Updated Downtime Boxes, etc.
Dealing with Internal Audit
• Find out the auditing schedule
• Do you have IT/DR/BCP specific audits?
• Do you work with the same auditor?
• Some background information is necessary for the auditor
• Review your policies prior to meeting with the auditor
• Make them a friend, they can assist in your cause
• Be cooperative and helpful, they have a tough job too!
Maintaining and Exercising the Plans - DR
• Do you have an alternate site for IT staff, not just for recovery hardware?
• Has Sr. Mngt. been involved in, or is it aware of, testing and results?
• Is the Plan tested annually and updated in a timely fashion?
• Is the equipment in the Plan up-to-date?
• Do you have individual hardware recovery steps documented – or are they mostly in the heads of the staff?
• Is the Plan mature enough to call an unscheduled test?
• Is the updated Plan distributed to key personnel?
• How do you mandate that old Plan materials be destroyed?
• Has the distribution list changed?
• Does IT staff know they have a Plan?
Public Relations and Crisis Communication
• Has Marketing approved Sr. Mngt. Statements?
• Is Sr. Mngt. aware of process and statement?
• Have you tested call tree for hospital(s)?
• Have current contact numbers for all management (day and evening)
• Train on when and where to meet
• Plan to evacuate mobility impaired employees
• Have you created relationship with key groups?
• Do you have a succession plan for key employees?
Summary: How to Get Started
• If you are new to the organization, do your own assessment of what is needed and what is already in place.
• Make a list of what you want to accomplish to be successful.
• Meet with Sr. Mngt. to obtain commitment and define scope and future objectives.
• Collect a list of all departments and department heads.
• If individual departmental BC plans are not established, develop a template for departments to follow.
• Inventory and/or implement pertinent Policies and get backing to enforce them.
• Compile hardware and software lists.
• Be a promoter!
How do you eat an elephant? One piece at a time. You