STRENGTHS AND CONCERNS
Strengths
Electrical power redundancies.
Communications redundancies.
Internal computerized system redundancies.
Effective crisis management team structure.
Tremendous attention to fire suppression.
Outstanding facility security.
Concerns
Procedures needed for viral intrusion team.
Access control to computer room should be strengthened.
All key equipment needs to have fail-over redundancy.
Listed Deductibles:
Earthquake: US$50,000
Flood: US$50,000
Sewer Backup: US$50,000
Loss to Objects: US$2,500
Consequential Loss: US$5,000
All Other Cause of Loss: US$1,000
The Healthcare organization: Royal & Sun Alliance
Broker: Aon Risk Services, Inc of Indiana
1717 N. Naber Blvd. 3rd Floor
Naberland, Ind 46563
111-955-0333
Debbie Camphill, CIC
(SOURCE: Brian May … The Healthcare organization)
Recovery Window Analysis
The Healthcare organization authorized this Business Continuity Study to identify and develop business continuity strategies for recovery of the Healthcare organization's functionality. Based upon interviews conducted, the sequence in which departments should be recovered in the event of a disaster is listed in the following pages. Recovery priorities are based on respondents' information and both tangible and intangible considerations obtained from the surveys and interview process.
Strategies
As The Healthcare organization responds to the gaps in HIPAA compliance related to business continuity, many components should be considered. The Board of Directors and management understand that a disaster affecting any of the following components could significantly affect The Healthcare organization beyond just compliance issues: Customers, Business Process and Staff, Vendors and Supplies, Information Technology, Power, Facilities, Data Communications and Voice Communications. In the areas of information technology and communications, steps have been taken to provide computer and communication continuity, and these types of activities should be continued.
The hot site capability should be enhanced to provide adequate connectivity to the business units.
The hot site should be able to connect to a temporary worksite if the headquarters location were incapacitated by disaster.
The hot site contract should be reevaluated given the identification of critical applications during Phase One business continuity planning effort.
Voice communication backup plans should be established to address alternate site requirements.
Additional steps are recommended related to vendors and suppliers to become HIPAA compliant and be better prepared in the event of a disaster.
To be compliant with HIPAA, The Healthcare Organization needs to have certain vendors sign chain of trust agreements to help ensure confidentiality of protected patient information during a disaster.
For resources that are critical to recovery, The Healthcare Organization needs to determine whether the suppliers of those resources represent single points of failure and whether those suppliers are vulnerable to the same threats as The Healthcare Organization. For any supplier to which both conditions apply, an alternate source needs to be identified.
The Healthcare Organization should create quick response procedures with critical vendors (e.g., direct access phone numbers).
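The supplier test above is a two-part rule: a resource has a single supplier, and that supplier is exposed to the same hazard that would take down headquarters. The following is an added example, not part of the study, showing how a continuity planner could apply that rule mechanically over a vendor register. The register entries, supplier names and hazard lists are constructed for illustration; the organization-level hazards are taken from the deductible categories listed earlier in the report.

```python
"""Supplier single-point-of-failure / shared-threat check (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    threats: frozenset  # hazards the supplier's own site is exposed to


@dataclass(frozen=True)
class CriticalResource:
    name: str
    suppliers: tuple  # every supplier currently contracted for this resource


# Hazards the headquarters facility is exposed to (constructed; mirrors the
# insured perils listed in the deductibles section).
ORG_THREATS = frozenset({"earthquake", "flood", "regional power outage"})


def assess(resource, org_threats=ORG_THREATS):
    """Classify one resource against the study's two-part rule.

    'alternate source required' is the finding the study asks for: a sole
    supplier that shares a hazard with the organization. The other verdicts
    are lower-severity observations that still belong in the risk register.
    """
    sole_supplier = len(resource.suppliers) == 1
    shared = {
        s.name: sorted(s.threats & org_threats)
        for s in resource.suppliers
        if s.threats & org_threats
    }
    if sole_supplier and shared:
        verdict = "alternate source required"
    elif sole_supplier:
        verdict = "single point of failure"
    elif shared:
        verdict = "shared exposure"  # covered by a non-exposed second supplier
    else:
        verdict = "ok"
    return {"resource": resource.name, "verdict": verdict, "shared_threats": shared}


def register_report(resources, org_threats=ORG_THREATS):
    """Run assess() over a whole register; returns {resource name: finding}."""
    return {r.name: assess(r, org_threats) for r in resources}


# Constructed sample register (names and exposures are illustrative only).
SAMPLE_REGISTER = (
    CriticalResource("claim check printing", (
        Supplier("Local Print Vendor", frozenset({"flood", "regional power outage"})),
    )),
    CriticalResource("voice circuits", (
        Supplier("Carrier A", frozenset({"regional power outage"})),
        Supplier("Carrier B", frozenset({"hurricane"})),
    )),
    CriticalResource("offsite tape vault", (
        Supplier("Remote Vault", frozenset({"hurricane"})),
    )),
    CriticalResource("office supplies", (
        Supplier("Supplier X", frozenset()),
        Supplier("Supplier Y", frozenset()),
    )),
)


if __name__ == "__main__":
    for name, finding in register_report(SAMPLE_REGISTER).items():
        print(f"{name:22s} {finding['verdict']:28s} {finding['shared_threats']}")
```

Only the sole supplier whose site would be hit by the same flood or regional outage as headquarters is flagged for an alternate source; a second carrier outside the hazard zone keeps the voice circuits at "shared exposure" rather than a hard finding.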
In the area of customer service, a concern is that documented procedures have not been developed to provide vital services during an extended disruption to the headquarters facility.
Providers and subscribers depend upon The Healthcare Organization for payments and authorizations. Currently there are no procedures in place to address these services in the event of a disaster.
To accommodate the needs of the customer, The Healthcare Organization should develop documented business continuity plans that:
Provide for the continuity of payments to providers
Handle subscriber claim payments
Modify the pre-certification process
For The Healthcare Organization, the probability of losing power is much greater than the probability of losing the use of the entire headquarters facility; however, alternate power can be costly. The Healthcare Organization should evaluate whether the ability to restore power within one business day justifies the estimated costs. In order to mitigate the effect of a sustained power outage, The Healthcare organization should consider implementing the capability to connect to a portable generator sufficient to accommodate both the processing and the business unit environmental needs of the headquarters facility. The following are estimates of the three cost considerations involved with implementing a portable generator capability to be delivered when needed:
One-time site preparation costs would be approximately $285,000
The annual reservation fee for the generator would be approximately $40,000 (8 hour onsite operational guarantee)
Disaster operating cost would be approximately $12,000 per disaster day
Each major business unit needs to know what its responsibilities and tasks are to support critical business processes in the case of an emergency. Beyond restoring customer-related business processes, there are additional considerations such as payroll and training. Documented business continuity plans should be developed to assist in the timely, efficient recovery of critical business processes.
Business unit plans should be developed that include the tasks and reference information necessary to resume time critical business processes within pre-established timeframes
Procedure manuals need to be developed to utilize alternate staff in the event key staff are unavailable
Procedures should be written to address staff family needs and continue payroll disbursements without interruption
Facilities are currently a major risk area for The Healthcare Organization. If, for whatever reason, the headquarters facility could not be occupied and the business units had to be relocated to an alternate facility, The Healthcare Organization would experience significant financial and operational impacts.
The Healthcare Organization's current relocation strategy would be to secure a temporary work site when a disaster occurs (option 1); recovery could take 30 days to 3 months. This is a concern because management has indicated that The Healthcare Organization would be significantly impacted if not up and running within 5 to 10 days after a disaster.
Because of The Healthcare Organization's objective to recover up to 1,000 staff positions during an extended outage, we recommend a recovery strategy utilizing both options 2 and 3: subscribe to a mobile recovery site provider (option 2) for short term recovery, and build out leased space (option 3) in the event the outage is expected to last longer than 30 days.