“When you are conducting a business impact analysis and interviews, you need to talk to the clinicians in terms of ‘patients’ and ‘patient care’ instead of ‘clients’ or ‘customers’ or you are going to turn them off quickly,” said Patterson. “You can’t just talk to them with the typical DR/BCP language speaking only of business processes or profits and losses. Patients are the first priority to the clinical staff so you have to listen carefully to their concerns and speak to them from a patient caring aspect in order to obtain operational and financial impacts.”
Angela Devlen, team leader of corporate disaster recovery planning for Boston-based Partners HealthCare, which includes Brigham and Women’s/Faulkner Hospitals, Dana-Farber/Partners CancerCare, and Massachusetts General Hospital, came to BCP in 1995. Prior to that, Devlen worked as an emergency medical technician (EMT) in ambulances and emergency rooms throughout Canada. While an EMT, Devlen took part in the mass casualty disaster planning drills required by the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO). This regulation dictates that all hospitals must “have an emergency management program so that patient care can be continued effectively in the event of a disaster.”
“My background helps me in the day-to-day communication with the clinical staff,” says Devlen. “I have enough of a fundamental medical background that I find I have a better understanding of a specific department’s needs.”
Not every BCP professional in the healthcare industry has a history of working in trauma centers or emergency rooms. Skip Skivington worked in several of Kaiser Permanente’s medical centers as an environmental health and safety director before becoming department director of healthcare continuity for the entire enterprise. Currently, his job responsibilities include creating in excess of 30,000 plans that cover every one of Kaiser Permanente’s departments and business units. Kaiser Permanente is the nation’s largest not-for-profit health maintenance organization, serving more than 8 million people in nine states, and these plans contain the means and methods for the continuation of healthcare for both the patients and the communities it serves.
Skivington explains that serving the local community is central in Kaiser Permanente’s social mission. “We have a strong belief that we’re not just a healthcare provider but that we have to give back to the communities we serve.”
The importance of supporting the local community was recently emphasized when President George W. Bush signed a $4.6 billion bill requiring public health organizations to bolster their ability to respond to a terrorist attack. Health facilities are now mandated to have bioterror advisory committees that review potential risks and create failsafe emergency restoration plans.
The Technology Factor
If patients and the local community are No. 1, then technology is a close second in the healthcare industry. In just the past five to seven years, hospitals and clinicians have become considerably more dependent on computer systems to assist with the daily business operations. This presents both an opportunity and a challenge to business continuity planners.
In many cases, the increased reliance on computers has been the driving force behind the creation of comprehensive BCP plans within hospitals. For hospitals operating during a regional disaster, continuity of operations becomes even more critical because the patient load increases dramatically. Therefore, it is important that the technical infrastructure and critical applications the clinicians rely on to deliver service are uninterrupted. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was created, requiring healthcare organizations to produce documented recovery plans for all computer systems, software applications, and advanced medical technology.
“When selling senior management of a hospital on incorporating BCP into their mission, I always hope that there are some clinicians in the conference room,” said Patterson. “I ask them what they would do if they didn’t have those systems for an extended period of time, and all of the sudden they realize that they couldn’t enter patient menu requests electronically, couldn’t schedule appointments electronically, the pharmacy couldn’t dispense drugs as efficiently, they couldn’t see x-rays as easily, or get blood results as quickly. And that’s just the beginning. Once you get the clinicians thinking about how their patient care is related to computers, you’ll have their undivided attention and support.”
However, unlike a typical business entity, different hospital departments may work on separate computer networks or systems. In many cases, departments will purchase their own equipment without informing information system management or the business continuity planners. These systems, therefore, are not backed up by information systems nor incorporated into the information systems BCP.
“These independent systems and applications may be extremely critical to the department’s mission and would be revealed upon performing a BIA,” explains Patterson.
Multiple computer systems aren’t the only technology BCP professionals must take into consideration. Hospitals rely daily on a multitude of highly specialized equipment from bone density scanners to electrocardiogram machines – all of which business continuity planners must take into account.
“Technology is helping to drive this industry,” said Skivington. “Everyone wants more advanced technological procedures because that equates to living longer, better lives. As consumers, we’re driving that technological need. But being on the other side trying to plan for that is incredibly complex.”
The Start of a Healthy Plan
Determining risks in an organization that has hundreds of unique departments, thousands of employees, and countless patients and visitors in the facility at any one time is no easy task.
“At Kaiser Permanente we’ve developed three tiers of potential risks,” explains Skivington. “At the uppermost level we look at the overall risk of something like a bioterrorism attack that will affect the entire nation. Then we evaluate our risks by region. Finally, we look at it from a local perspective which includes the department level through a business impact analysis.”
Patterson says she prefers to start the BCP process for every hospital she works with by conducting a business impact analysis (BIA).
“A BIA is one of the best tools for uncovering risks, impacts and critical applications because important dependencies will be revealed once you start asking questions,” she says. “It is also an excellent method of initiating the training and awareness process within the hospital regarding BCP.”
While healthcare organizations and typical business corporations use many of the same BCP methodologies to determine and mitigate risk, there is a slightly different twist in the healthcare industry. Unless a BCP professional starts pulling up patient records to learn the exact cost of specific procedures for every individual, it is almost impossible to ascertain the financial impact of a department being down. More important is how that department’s unavailability is going to impact patient care.
Many BCP professionals integrate a walk-through into the BIA process to determine which departments have documented work-around procedures that explain how to continue providing care without computers, telephones, or vital medical machines. Some departments like the emergency room typically have comprehensive, up-to-date work-around procedures in place because of the numerous walk-ins, drive-ins, and ambulances arriving at their door every day. A department without work-around procedures could potentially disrupt patient care throughout the hospital. For example, a laboratory that is responsible for providing results to key departments could easily disrupt hospital operations if its computers go down and there are no documented work-around procedures.
The Price of Planning
Even though hospitals and senior management within the hospitals have long been focused on contingency planning, finding the money to support a continuity program is a tough task. According to a recent survey, 46 percent of hospitals spend between $100,000 and $500,000 per year on business continuity planning.
Frequently the team responsible for developing and updating the plans is significantly smaller than those found in other industries. The same survey indicates that two-thirds of hospitals and healthcare organizations employ fewer than 10 full-time BCP professionals and only 3 percent have more than 50 planners on staff. In contrast, 50 percent of companies across all industries have more than 10 full-time planners, 18 percent of which employ more than 50 planners.
According to Bill Rider, manager of data security and disaster recovery at Johns Hopkins Hospital, his organization has always been seriously committed to BCP. Even with this commitment, Rider, who has 17 years of disaster recovery planning experience, says that he is always interested in garnering even more support from all areas of the hospital. One way he accomplishes this is by starting small and publicizing the results as he goes to create awareness about the program. “What happens is that as you do work on the plans and communicate out your results, it becomes easier to look for funding and support,” Rider says.
Assessing and compiling the data from a completed BIA into a plan can be a complicated process due to the size and complexity of healthcare organizations. Most large organizations today use automated BCP software to assist with the organization of information into a sound plan. This type of software is designed by top BCP experts and can reduce the amount of time and money required to build and maintain plans – making it especially useful for organizations with limited resources to dedicate to BCP.
With business continuity plans in place, the next step is testing the plans.
Fortunately, in the healthcare industry, testing is nothing new. To be in accordance with JCAHO, hospitals must conduct disaster drills a minimum of twice a year. Some organizations, like Kaiser Permanente, are planning on incorporating their BCP tests into those existing bi-annual tests. Other organizations perform tests during documented down times or planned events like a scheduled power shutdown.
“We’re taking a crawl, walk, run approach,” says Johns Hopkins’ Rider. “We started with a very basic eight-hour hot site test. The next test was 16 hours and we restored a few applications and fine-tuned a few results. The most recent test was 24 hours long and we were able to successfully bring up several clinical applications and re-established our network connection.”
While that was going on, Rider also developed a contingency plan in the event that Johns Hopkins’ data center had to be evacuated but not shut down in order to address things like biochemical alerts.
“We recognize the need for continued service and the currency of data so we created an alternate operations support center – a dark site – so that we can operate our data center remotely,” he says. “Now we’re looking at the possibility of mirroring and journaling to create localized redundant systems to help improve our recovery point objectives.”
Insuring Against the Worst
According to the US Industry and Trade Outlook, more than 85 percent of employed adults in America rely on some form of health insurance to assist with medical expenses. This reliance makes BCP as important for healthcare insurance companies as it is for hospitals.
“People want to make sure that the company insuring their health is going to be there when they need the help,” says Jerald Ness, corporate data security and business continuity planner for Wellmark Blue Cross and Blue Shield, the largest provider of health insurance in Iowa and South Dakota. “Healthcare is one of the most important things to each and every one of us. People want to make sure they don’t have any issues regarding their health insurance. We can’t afford to let our customers down.”
Ness made the jump from audit services to business continuity planning more than 10 years ago because of the need he saw within the company. Shortly after he began work on the company’s plans, Wellmark’s corporate headquarters in Des Moines, Iowa was hit by heavy rainfall and floodwaters. Local rivers crested to 28 feet above normal and the city was left without safe drinking water. Though at that time many of the detailed plans weren’t yet written, Wellmark was able to provide uninterrupted service to their customers because they had taken the time to sit down and conceptualize what they would do in an emergency. The flooding disaster only intensified Wellmark’s commitment to solid business continuity planning.
The New World Order
Although hospitals and health insurance companies across the country were already working on continuity plans in accordance with JCAHO and HIPAA, the events of Sept. 11, 2001 and the ensuing anthrax attacks highlighted the importance of business continuity planning for the healthcare industry. Since then, there has been increased pressure to ensure that hospitals can withstand any attack, emergency, or disaster.
In the last year, Rider indicates that he has seen a significant increase in interest in how he is planning for the uninterrupted continuity of service for Johns Hopkins. In fact, Rider says that two other hospitals within the Johns Hopkins organization have approached him for more information about building comprehensive BCP programs for their facilities.
“I think that there is just now beginning to be a recognition in the healthcare industry that there needs to be BCP/DR plans for every department in the enterprise,” Rider says. “It’s a new and exciting evolution in both the healthcare and disaster recovery industries and I think we’re just at the tip of this iceberg.”
Jennifer Lewis has worked as a writer and communications professional for the past five years. Her work, including articles about business, health and fitness, and adventure-travel, has been published in national consumer and trade publications. Currently she works as a writer for Strohl Systems, the global leader in the business continuity planning software and services market. She can be reached at firstname.lastname@example.org.