Business Continuity and HIPAA Business Continuity Management in the Health Care Environment [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

Business Continuity and HIPAA Business Continuity Management in the Health Care Environment [Electronic resources] - نسخه متنی

Jim Barnes

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
ارسال به دوستان
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات
توضیحات
افزودن یادداشت جدید







PRE-PROJECT QUESTIONNAIRE

The Pre-Project questionnaire is the initial data mining operation of the project. It will identify the components of the healthcare organization, the number of interviews required, the assistance and cooperation available, and the expectations of management. I have used the following questionnaire to ascertain how much time and efforts was going to be necessary in order to complete a business continuity planning project:























































QUESTIONS/REQUESTS


COMMENTS




How many employees would fall within the scope of this endeavor (generally, this is the number of your employees working at above facility)?




This will give you an idea of the relative magnitude of the planning effort and the number of planners it will take. The number of employees listed should be compared to the healthcare organization's staff list.




Provide an organization chart with names and positions.




The Org Chart is a critical document. It will ensure you have included all parts of the healthcare organization in your plan. It will also give you a hierarchy for conflict resolution.




Beneath the Chief Executive level of the healthcare organizational chart is the 2nd level of executives. Other than the second level executives, identify key staff members who should be interviewed in order to obtain an understanding of this healthcare organization's process flows.




Here you identify the number of staff that you will be interviewing. Also, you are letting the business know that you wish to interview the senior management of the healthcare organization and those that have highly technical skills such as the IT and Communications experts.




Do Business Continuity Documents and Procedures currently exist (e.g. IPL procedures, evacuation procedures)? If yes, specify




If reasonable and appropriate, these should be included in the recovery plan.




Will this project require us to meet with vendors whom your healthcare organization relies upon for various business processes or resources? If so, how many?




This will determine any additional interviews that will be required.




Will this project require us to meet with major customers to determine their needs? If so, how many customers will we need to interview?




This will determine any additional interviews that will be required.




Are current Staff lists (which include an employee's home phone, address, and department) available?




This can be quite time consuming if you have to compile this list yourself. You will find that in most healthcare organizations, the staff contact list is at least 40% inaccurate. If possible, have Human Resources verify the list's integrity before they give it to you. Also, try to get the data in a format that is compatible with your plan software.




Is a current Vendor list which includes the vendor's address (not PO Box), phone number, emergency contact, and explanation of services provided available?




This list can also be quite time consuming to compile. You may find yourself copying information from all over the healthcare organization. This list will be a critical component of the recovery document.




Will a knowledgeable staff member be assigned to assist in this project?




For each of the healthcare organization's divisions, you must have a knowledgeable staff member assisting you. Do not let the manager assign a low-level clerk to the project as your assistant. This can kill your project.




Will adequate workspace be made available for work on this project?




It is important that you have adequate workspace and tools (printer, paper, telephone, data link, etc) if you are to be efficient in producing the plan.




Are key individuals readily accessible, or must appointments be made to discuss BCP matters?




This has a tremendous bearing on the amount of time the project will take. The question sends the message that you expect your requests to be responded to promptly. The answer to this will assist you in assigning a value to the "Complexity Factor" component of the "BCP Timing Estimate."




Would recovery team members (to be appointed later) be available for assisting in the development of recovery plans?




If the answer is no, the plan will be less than effective. This question is a good indication of the overall commitment to the planning process by the healthcare organization.




What do you hope to achieve from a Business Impact Analysis?




What are the expectations? Many times the success or failure of a project is measured by




What are the main objectives you hope to receive from a BCP Strategy activity?




Expectations again.




Is there a software preference for the development of the Business Continuity Plan?




You will want to use software with which you are familiar; but if the client insists, you may have to learn new software.


These questions are the result of lessons learned from a number of consulting projects that did not turn out as well as was expected. When the problems that were encountered were analyzed, it was found that setting expectations would have avoided many painful situations later in the plan development process.

The information gathered here will allow you to complete a time estimating worksheet:













































































































































































































































































































































































BCP TIMING ESTIMATE


Company Name


Date___day___I_mo___I___year___


Number of BIA Interviews (NBIA)


109


Number of Sites (NS)


1


Number of RFP Recipients


0


Number of BCP Recovery Teams (TMS)


12


Complexity Factor (CF)


1


Task


Phases and Task Descriptions


Estimating Feature


Hours




BEST PRACTICES REVIEW / RISK ASSESSMENT / BIA ANALYSIS




ORGANIZE




Meet with plan manager. Assemble management team and present overview of project.




3


3.0




Identify reason for doing project.




0


0.0




Define project scope.




0


0.0




Obtain management support.




0


0.0




Determine staff to be interviewed. Schedule interviews.




0


0.0




Meet with plan Coordinator and determine healthcare organizational structure. Prepare organization chart (If not previously prepared).




1


1.0




Determine desires of management for Progress Reporting (Format, dates, i.e., weekly, daily, every other day, etc.)




0


0.0




Determine Service Outage Durations.




0


0.0




Review the healthcare organization's strategic plans if available.




2


2.0


TOTAL


6


6.0


BEST PRACTICES REVIEW




Meet with plan coordinator and explain overall methodology and




1XCF


1.0




Identify key staff to be interviewed.




1XCF


1.0




Conduct interview with plan coordinator. Identify others to interview. Identify documents to be verified.




20XCF


20.0




Conduct other interviews (IT representative, recovery team members, etc.)




4XCF


4.0




Obtain identified documentation.




1XCF


1.0




Review and verify documentation.




10XCF


10.0




Create report on findings.




10XCF


10.0




Review preliminary report with Sr. Management.




5XCF


5.0




Present report findings 5XCF




5.0


TOTAL


57.0


RISK ASSESSMENT




Identify exposures that could impact operations.




8XCFXNS


8.0




List containment measures used to mitigate impact.




4XCFXNS


4.0




Identify and document back-up methodology.




1XCFXNS


1.0




Obtain existing contracts and store off-site.




1XCFXNS


1.0




Identify and document change control procedures.




1XCFXNS


1.0




Obtain vital records schedule and retention records.




2XCFXNS


2.0




Obtain insurance coverage documents and store off site.




2XCFXNS


2.0




Review all Risk Assessment information.




2XCFXNS


2.0




Prepare recommendations for enhanced containment.




1XCFXNS


1.0


TOTAL


22.0


BUSINESS IMPACT ANALYSIS (BIA)




Meet with selected Business Unit Managers to complete BIA.




((NBIA/4)X10)XCF


272.5




Review and document business process flows.




1XNBIAXCF


109.0




Complete item input sheet immediately following BIA.




0.5XNBIAXCF


54.5




If possible, get dollar values of outage at various durations.




3XNSXCF


3.0




Interview dependent business units (if required) to determine RTO, RPO.




0.25XNBIA


27.3




Rank Critical Services.




2XCF


2.0




Prepare BIA report and review preliminary report with management.




10XCF


10.0




Present BIA report to management.




5XCF


5.0


TOTAL


483.3


II. STRATEGIES




Compare recovery requirements to recovery capabilities.




3XNSXCF


3.0




Identify negative gaps in recovery capabilities.




0


0.0




Prepare a list of potential strategies to reduce or eliminate negative gaps.




2XCF


2.0




Discuss potential strategies with appropriate staff.




3XNSXCF


3.0




Develop advantages and disadvantages for select proposed strategies.




4XCFXNS


4.0




Prepare strategy selection report and review with management.




6XNS


6.0




Present Strategy Selection findings to management.




8


8.0


TOTAL


26.0


III. BUSINESS CONTINUITY PLANNING (BCP) DEVELOPMENT




Prepare and disseminate RFP for hot-site (A hot-site is a computer center in a ready state in case of disaster).




4XRFP


0.0




Help client select best hot-site.




3XRFP


0.0




Enter facilities data into plan.




0


0.0




Enter department information.




0


0.0




Load staff information.




4XNSXCF


4.0




Print Staff Report and pass out copies to Business Unit Managers for verification.




1


1.0




Contact critical vendors to determine their service commitment during a disaster situation (IT Vendors, Communications Vendors, Commercial Real Estate Broker, Insurance Co., Off-site Storage Facility).




3XNSXCF


3.0




Gather information and input data on Vendors, Customers, Regulators, Insurance Company, and Storage Locations.




2XNSXCF


2.0




Complete the resource item matrix for inclusion into the plan.




1XNS


1.0




Obtain service commitments from critical internal dependencies.




3XNSXCF


3.0




Prepare Procedures to Tasks Worksheets.




1


1.0




Prepare Procedures.




1


1.0




Prepare Tasks.




1


1.0




With management, determine team composition.




1XNSXCF


1.0




Link Procedures to teams.




0.25xNS


0.3




Review Procedures and Tasks with Teams.




3XTMSXCF


36.0




Identify vendors linked to procedures.




0.25XTMSXCF


3.0




Identify vendors linked to tasks.




1XTMSXCF


12.0




Insert identified vendors into plan.




0


0.0




Link Backup Storage facilities to appropriate Resource Items.




1XNS


1.0




Meet with management to determine the management succession




0.25XNSXCF


0.3




Print the Plan.




1XNS


1.0




Review the plan and make changes as necessary.




4XNSXCF


4.0




Distribute the edited plan to the appropriate members of




0


0.0




Make changes to the plan as necessary.




0.5XNS


0.5




Print the final copy of the Plan.




1XNS


1.0


TOTAL


77.0


PREPARE APPENDICES




Load vendor information into mapping software.




3XNSXCF


3.0




Prepare Recovery Center procedure.




1XNSX.1


0.1




Prepare Public Relations News Release form.




1


1.0




Prepare any other appendices that might be required for hehealthcare organization.




2XCFXNS


2.0




Create "print ready" proof copy of manual.




1XNS


1.0




Have requisite number of copies of the Disaster Recovery Manual




1


1.0


TOTAL


8.1


MAINTENANCE




Develop and Communicate Guidelines for Plan Maintenance.




1XNS


1.0




Develop maintenance triggers.




1


1.0




Develop and Communicate Schedule for Plan Maintenance to




1


1.0


TOTAL


3.0


IV. PLAN TRAINING and TESTING


TRAINING




Prepare training materials and develop training presentation.




3XNS


3.0




Train Recovery Team Members in use of the Plan.




3XNS


3.0




Document attendees to training session.




.25


0.3


TOTAL


6.3


TESTING




Develop objectives and scope.




2XNSXCF


0.0




Develop measurement criteria.




2XNSXCF


0.0




Prepare Test script.




6XNSXCF


0.0




Conduct Tests.




1XNS


1.0




Modify BCP based upon results of test.




4XNS


0.0




Document results.




1XNS


0.0


TOTAL


1.0


TOTAL HOURS


689.6


Probably the most important component of this matrix is the complexity factor. From the interview sheet that preceded it, you can get an idea if the Complexity Factor (CF) is going to be 1 (easy) or 4 (from hell). One of the 4's that I have experienced, the client would only allow me the top of a bookcase for my work space. That was a definite 4.

This time estimating sheet can also be used as the basis for your work plan.

A word of caution is in order on announcing your estimated time of completion. Success is many times determined by whether you have or have not met expectations. So, a rule of thumb that I often use is to go through a rigorous assessment as is presented above, double check your figures, reassess every work step, and when you are all done, add 50% to the total. This methodology is usually right on and has served me well during my career.

/ 90