Business Continuity and HIPAA Business Continuity Management in the Health Care Environment [Electronic resources] نسخه متنی

RESOURCE ITEM MATRIX

This report lists the minimum resources required to reestablish a function. For each item listed, look in the right-hand column to find the total amount of an item required. This should be used when making an order with a vendor.

The columns to the left of the Total column are the departmental requirements. These will be used for the distribution of the item once the vendor has delivered them.

The BIA DURATION ASSESSMENT line represents the amount of time the healthcare organization can continue without the service before severe financial consequences occur. This, then, is the recovery time objective for each service/department. It also establishes the recovery order for the plan.

DETAIL STAFF LIST

Storage Location Detail Report

STAFF DETAIL BY DEPARTMENT

National Underground Storage

On-site Backup: Full backups weekly, with nightly incrementals. Tapes: 124 4mm, 96 8mm, 48 Compaqlll, 72 Compaq IV. Storage location: IT filing cabinet, top drawer.

Off-site Backup: Previous week's full backup goes to NUS after the weekly backup. Tapes: 2 4mm, 4 8mm, 6 Compaqlll, 8 CompaqIIIXT, 10 Compaq IV.

Backup Frequency: Nightly

Authorized to retrieve tapes: Fred Smith, John Allen, and Pete Jones.

Detail Vendor Listing

The Vendor List is one of the most important schedules in a disaster recovery. This list should include direct telephone numbers for the vendor representative that can help your healthcare organization (you do not want to have to go through a series of button pushing and elevator music trying to get to the right person). It should also contain critical information in the "Notes" section such as account numbers and descriptions of services/products provided. A well-documented "notes" section makes the Vendor List powerful.

Notes

IT Text pagers; systems programmed to automatically send SMC personnel backup statuses; also used to send urgent help desk

Request messages to IT staff

Asset Recovery Technologies, Inc.

2625 American Lane

Elk Grove Village IL 60007-

Notes

AKA The Price-Hollingsworth Company, Inc. Recovery of Electrical/Electronic and mechanical Equipment. Mitigates and recovers disasters arising from fire and flood.

Insurance Vendor Listing

Company Name

Adjusters International

Address 126 Business Park Drive, Utica NY 13503

Notes

Aligned with Globe Midwest in a national confederation of insurance adjusters.

Plan Purpose and Scope

Within each plan should be a statement of purpose and scope of the plan. The purpose statement might be as follows: "The purpose of this plan is to recovery the productive capacity of all critical functions within the facility in a timeframe that will avoid severe financial damage to the healthcare organization".

The scope statement will probably be more extensive and should address the facility for which the plan was designed, what is to be recovered, and what constitutes the use of the plan.

While both these statements should be part of the plan, they are best left to the rear portion of the document since they address theoretical issues and are not crucial to the actual execution of the recovery plan.

There are numerous other lists that can be included such as Customer lists, Computer Software and Hardware inventories, Communication Schematics, etc. During the BIA interview process, ask each interviewee to imagine standing outside their burning building and thinking what valuable piece of information is still located inside that they didn't have time to rescue (probably located in their right top drawer of their desk). These are many times the "cheat sheets" that managers use to manage their departments. These are the types of information that rightfully belong as part of the plan.

Documentation Rules

There are several documentation rules that will make the plan much more effective. The first rule is: one building, one plan. Much of the plan revolves around reconstructing a facility and replenishing it with production contents. If more than one facility is involved the reader of the plan will find it difficult to identify quantities and specifications of replacement resource items. It is possible to have multiple plans for a single building, but those plans must be linked so that the identification and ordering of resource items is centralized.

The second rule is to begin each Task statement with an action verb. Tasks are supposed to be predetermined actions that are to be taken by the teams. Along this line of thought, there should not be requirements to form a committee to decide on a course of action. These decisions should be made ahead of time and incorporated into the plan.

Third, refer to functions, not a specific person in procedures/tasks. Instead of "Contact Joe Smith for assistance with…" write "Contact the Network Administrator for assistance with…" The second statement will then be valid in the event Joe Smith leaves the company.

Fourth, call critical vendors ahead of time. If the plan assumes that 40 servers can be obtained from a certain computer equipment supplier, a call should be made to that supplier to verify that 40 servers could be delivered in the required time frame. The supplier should also be questioned about who would get priority in the event of an area-wide disaster.

Fifth, avoid re-keying whenever possible. Ask business unit managers if the data you seek (staff lists, vendor lists, customer lists, etc.) already exist in an electronic form. If they exist in Access or Excel then it should be quite easy to load the database and transform it into reports that can be used in the plan. Otherwise, plan on a good deal of time being spent on data input.

Sixth, anticipate delays, get large item requests in early. The four items that tend to be the most difficult to get in a timely manner are the Staff List, the Vendor List, the Customer List, and Information Systems information (equipment and software inventories, communications inventories and schematics, and equipment schematics). Once this information is obtained, it is important to interview each of the respondents to verify the currency and accuracy of the information.

Seventh, utilize the straw-man technique wherever possible. The straw-man technique entails presenting a prepared document to the user and allowing the user to make modifications and changes to the document. The technique can be used with strategies, team lists, and action plans. This method is very efficient with the user's time and will get the user to focus quickly on his/her thoughts and buy-in to the plan document. When creating the action plan, have the team members who will be performing the recovery procedures gather around your PC's CRT and go through each task line by line. Let the team decide how the tasks are worded and structured. At the end, this will be an action plan that the team has created and can execute.

Eighth, insure those who will be executing the plan take ownership of the plan. It is tempting as the author of the plan to avoid confrontation and enter data, decisions and procedures that you feel are appropriate. This then becomes your plan and not the healthcare organization's plan which could result in the plan being discarded during a crisis.

Based on what you have learned in chapter 5:

Work with management to develop a team structure and team leadership.

Work with team leaders to identify team members.

Develop an emergency management team procedure.

Work with team members to develop recovery procedures and additional appendices as required. Follow the guidelines presented in the plan documentation rules.

Prepare a resource item matrix.