Appendix 2: Sample BIA Management Summary Report - Business Continuity and HIPAA: Business Continuity Management in the Health Care Environment [Electronic resources] - text version

Jim Barnes


Appendix 2: Sample BIA Management Summary Report


OVERVIEW


THE HEALTHCARE ORGANIZATION (THO) is committed to the development of a Business Continuity Plan that will set out strategies for the recovery of the healthcare organization's functionality. While THO has procedures in place to keep its computerized systems continuously running, it requires a plan to recover from a wider range of disasters. Accordingly, a planning project was started on the 30th of June, 20xx for The Healthcare Organization. The plan will be designed to document the recovery of THE HEALTHCARE ORGANIZATION's functionality at the 40 South Street, South Bend, Indiana facility.

In our initial examination, we found the following major threats/risks that could delay a recovery:

- THE HEALTHCARE ORGANIZATION does not have an emergency generator to provide electrical power in the event commercial power becomes unavailable. This risk is somewhat mitigated by the Healthcare organization's access to two independent power grids and an extensive battery power reserve. However, in the event of an area-wide disaster, access to electrical power and the ability to maintain the operating capacity of THE HEALTHCARE ORGANIZATION would be at risk.

- An alternative, production-ready site is currently not available in the event the 40 South Street, South Bend, Indiana facility becomes incapacitated. Without a pre-arranged site, the acquisition of an alternative site complete with adequate space, computer equipment, and communications connectivity would require several months of focused effort.



We have completed our initial Risk Assessment and Business Impact Analysis. We offer the following high-level recommendations:


- Utilize the existing Disaster Recovery Plan as a reference for Business Continuity Planning. Continue the Business Continuity Process by enhancing the Business Continuity Plan as new technologies are incorporated by THE HEALTHCARE ORGANIZATION.
- Act on risk mitigation recommendations from this document.
- Institute a recovery alternative/facility that will enable business resumption of THE HEALTHCARE ORGANIZATION's critical functions as emerging technologies permit.
- Commit to annual recovery plan exercises upon initial completion of plan(s) documentation.
- Foster and actively promote business-wide awareness of Business Continuity/Disaster Recovery and encourage active participation by employees at all levels.
- Protect documents and magnetic media from water damage.
- Remove housekeeping-related hazards from computer rooms and other work areas.
- Document procedures for the recovery of computerized operating systems.
- Maintain proactive attention to risk mitigation.



For a more detailed explanation of our recommendations, please see the recommendations section of this document.

We have identified processes that are critical. During our interviews with each of THE HEALTHCARE ORGANIZATION's departments, we asked the question "After what period of time (duration), would the loss of your function have a critical impact upon the financial well-being of THE HEALTHCARE ORGANIZATION?" The outage durations considered were 0-2 days, 2-5 days, 5-10 days, and more than 10 days. The following "Recovery Window Analysis" identifies the relative criticality of functions and their implied recovery windows:

Recovery Window Analysis


DIVISION                                DURATION OF OUTAGE UNTIL CRITICAL IMPACT
                                        0-2 DAYS    2-5 DAYS    5-10 DAYS    >10 DAYS

Marketing/Ops
    Customer Service & Systems Support
    National Sales
    Marketing/Public Relations
    Operations

Market Regulation/Legal
    Market Structure
    Legal & Office of the Secretary
    Regulation
    Market Surveillance
    Listing

Financial Services
    Accounting Services
    Human Resources

Facilities
    Facilities Security

Information Systems
    Applications Development
    IS Support Services
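The recovery-window survey described above, worked as a small Python worksheet (an added example, not part of the book or of the sample report; the department answers, the 90-day recovery figure and the rule for boundary answers are assumptions):

```python
"""Recovery Window Analysis worksheet (added example, not the book's own code).
Each department answers "after what period of time would the loss of your
function have a critical impact?"; answers in days are bucketed into the
report's four outage windows and rolled up per division. Sample data is constructed."""

# Upper bound in days of each window; None is the open-ended last bucket. A
# boundary answer (exactly 2, 5 or 10 days) goes to the shorter window, the
# conservative choice for recovery planning.
WINDOWS = [(2, "0-2 DAYS"), (5, "2-5 DAYS"), (10, "5-10 DAYS"), (None, ">10 DAYS")]

def window_for(days):
    """Map 'days until critical impact' to the report's window label."""
    if days < 0:
        raise ValueError("duration until critical impact cannot be negative")
    for limit, label in WINDOWS:
        if limit is None or days <= limit:
            return label

def analyze(responses, recovery_days):
    """responses: {(division, function): days_until_critical_impact}.
    recovery_days: assumed time the current recovery capability needs.
    Returns rows sorted most urgent first; 'gap' is True when the function
    would reach critical impact before recovery could complete."""
    rows = [{"division": div, "function": fn, "days": days,
             "window": window_for(days), "gap": days < recovery_days}
            for (div, fn), days in responses.items()]
    rows.sort(key=lambda r: (r["days"], r["division"], r["function"]))
    return rows

def division_windows(rows):
    """A division's implied recovery window is that of its shortest function."""
    shortest = {}
    for r in rows:
        shortest[r["division"]] = min(r["days"], shortest.get(r["division"], r["days"]))
    return {div: window_for(days) for div, days in shortest.items()}

# Constructed sample answers (days until critical impact); not the book's data.
SAMPLE = {
    ("Information Systems", "IS Support Services"): 1,
    ("Information Systems", "Applications Development"): 14,
    ("Financial Services", "Accounting Services"): 4,
    ("Financial Services", "Human Resources"): 12,
    ("Facilities", "Facilities Security"): 2,
}

if __name__ == "__main__":
    # Assumed 90-day recovery capability (the report: an alternate site takes months).
    for r in analyze(SAMPLE, recovery_days=90):
        flag = "GAP" if r["gap"] else ""
        print(f"{r['division']:<20} {r['function']:<26} {r['window']:<10} {flag}")
```

With a 90-day recovery capability every sampled function shows a gap, which is the report's point about the missing alternate site; lowering recovery_days shows which functions drop off the gap list first.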



Risk Assessment Objectives




- Quantify, to the extent possible, the potential business impacts to THE HEALTHCARE ORGANIZATION from a disruption to normal business activities.
- Reassess current disaster recovery strategies and established recovery time frames.
- Simplify the decision-making process during a stressful situation.
- Suggest procedural change where necessary.
- Identify legal and regulatory issues related to a business interruption.
- Identify and address critical business functions, operations, facilities, departments and their respective resource support systems and requirements.



Continuing Project Objectives



- Outline the steps required to minimize the length of an interruption to critical business functions. This implies strategies that will be explored in the next phase of this project. At this point, potential strategies identified for examination include:
    - Acquisition of a functional alternate facility.
    - Acquisition of an emergency electric generator.
    - Recover TC functionality as efficiently as possible without the aid of a functional alternate facility or electric generator.
- Describe the resources required for the recovery of THE HEALTHCARE ORGANIZATION's systems and business units subsequent to a disruption.
- Identify THE HEALTHCARE ORGANIZATION's requirements to continue its mission to provide quality service on a timely basis.
- Identify other viable resource recovery alternatives.
- Develop and implement an efficient and effective business continuity plan for each business component.
- Develop an efficient plan maintenance scheme and effectively automate the documentation process.
- Communicate and keep all employees current on plan information and individual responsibilities.
- Protect THE HEALTHCARE ORGANIZATION employees.




Project Scope and Assumptions


The following assumptions pertain to the business continuity project as a whole:

- This project addresses the risk involved with a disruption to business operations of THE HEALTHCARE ORGANIZATION South Bend facility.
- The analysis is based on business operations as of June 1999.
- The Plan will be written to address worst-case scenarios.
- This phase of the project includes assessing business risks and determining THE HEALTHCARE ORGANIZATION's vulnerability to a loss of computing resources or business units that the healthcare organization depends on for daily operation.

The following assumptions pertain specifically to the development of the business continuity plan:

- The affected location will be rendered inoperative and inaccessible.
- Some personnel will survive the disaster and will be available for recovery implementation.
- Only the 6700 South Street facility is considered.
- Recovery of the services provided by THE HEALTHCARE ORGANIZATION is the sole focus of the Business Continuity Plan.
- Once developed, guidelines for off-site storage of data, supplies and documentation have been strictly followed. Items stored off site are intact and accessible.
- Recovery team leaders have accepted and acted upon their responsibilities.
- The business continuity plan will serve as a set of guidelines, not absolute rules. It is not all-inclusive. Decisions not expressly documented within are to be made by the Management team during the recovery process.




Project Activities


The Business Impact Analysis project included interviewing key individuals to gain a better understanding of what functions are performed in each department and what the financial impact on THE HEALTHCARE ORGANIZATION would be if a disaster occurred. We sought to understand the impacts on THE HEALTHCARE ORGANIZATION if these departments ceased to function. To accomplish this, we examined the effects upon: net income, customer service, operating expenses, adverse awards and penalties, productivity, and collateral departmental effects.

To conduct this analysis, we held interviews with representatives of all major departments of THE HEALTHCARE ORGANIZATION (see BIA RESULTS). It was through this process that the business impact of a disaster was assessed.

We have positioned THE HEALTHCARE ORGANIZATION personnel to work with us on future steps of the project, such as the identification of recovery resource requirements, development of disaster recovery teams and a review of potential recovery sites. Additionally, we made immediate mitigation recommendations intended to reduce exposures and enhance disaster preparedness. The recommendations are listed in the "Strengths and Concerns" section of this document.

We conducted a walk-through inspection of THE HEALTHCARE ORGANIZATION to understand business operations better and to identify potential areas of risk resulting from physical control weaknesses.

We have provided THE HEALTHCARE ORGANIZATION with a Physical Security Assessment document that was completed by THE HEALTHCARE ORGANIZATION personnel under our guidance. Recommendations were noted.

We have analyzed the accumulated information and have formulated suggested recovery time frames. We have also performed a vulnerability and threat analysis for the facilities and have identified the departmental recovery priorities.


Initial Findings


From our initial project activities, we have identified the following findings regarding disaster history, disaster threats and specific vulnerabilities.


Disaster History


THE HEALTHCARE ORGANIZATION has not, in recent memory, been forced to close. The South Bend flood of 1992 did not have an effect on the operations of the Healthcare organization.
