Appendix 6: Management Presentation - Business Continuity and HIPAA: Business Continuity Management in the Health Care Environment [Electronic resources]


Jim Barnes








Appendix 6: Management Presentation

Slide 1

BUSINESS CONTINUITY PLANNING IMPLEMENTATION METHODS FOR HIPAA COMPLIANCE

Slide 2

TOPICS



WHAT IS A DISASTER?



THE IMPACT OF A DISASTER



CAUSES OF A DISASTER CONDITION



WHAT IS A BUSINESS CONTINUITY PLAN?



BUSINESS CONTINUITY PLANNING METHODOLOGY



We start with the general information and methodically drill down to the essence of Business Continuity Planning. This is done so that regardless of the level of understanding, we shouldn't lose anyone in the presentation.

Slide 3

WHAT IS A DISASTER?

A disruption of business operations that stops the healthcare organization from providing its critical services for an extended period of time.

Caused by the absence of critical resources:



Facilities



Communications



Power



Medical staff and skill sets



Information access



A disaster, from a healthcare organizational point of view, stops the production of product or service for an amount of time great enough to do severe damage. A disaster can be caused by the absence of any critical component of production.

Slide 4

CAUSES OF A DISASTER CONDITION



NATURAL DISASTERS



STORMS



TORNADOES



FLOODS



FIRES





UTILITIES



ELECTRIC



WATER



COMMUNICATIONS



GAS





HUMAN CAUSES



STRIKES



SABOTAGE



TERRORISM



VIRUSES





EQUIPMENT FAILURES



INFORMATION SYSTEM



TELECOMMUNICATION



PRODUCTION LINE





MANMADE



NUCLEAR/BIOCHEMICAL



TRANSPORTATION



CONTAMINATION





Nature and man provide numerous causes for a disaster condition. The lack of electricity accounts for nearly 1/3 of all disaster declarations.

Slide 5

THE IMPACT OF A DISASTER

(A FINANCIAL PERSPECTIVE)



NORMAL OPERATING EXPENSES CONTINUE

(Salaries, Rent)



LARGE EXTRAORDINARY EXPENSES OCCUR

(Equipment and facility replacement)



REVENUE/CASH FLOW STOPS



LEADS TO A RAPIDLY WEAKENING EQUITY POSITION

When a disaster occurs, money starts draining from the healthcare organization. The whole point of having a plan is to stop the financial bleeding after a disaster event.

Slide 6


In order to protect the healthcare organization, you must first understand the total flow through a healthcare organization, starting with raw materials from internal or external vendors through the delivery of the final product to the vendor. This entire flow is referred to as the supply chain. A breakdown in any of the components of the supply chain can stop the flow of goods and services. The objective of sound planning is to eliminate single points of failure.

Slide 7

LIABILITIES ASSOCIATED WITH BUSINESS INTERRUPTIONS



HIPAA REGULATORY REQUIREMENT VIOLATIONS



PENALTIES INCURRED BY NOT MEETING CLAIM PAYMENT SCHEDULES



FIDUCIARY RESPONSIBILITY TO PROTECT THE HEALTHCARE ORGANIZATION'S ASSETS



SHAREHOLDER / BOARD OF DIRECTORS NEW EXPECTATIONS



Disasters have a more devastating impact today. New liabilities are associated with not being able to recover.

Slide 8

IMPLEMENTATION SPECIFICATION REQUIREMENTS OF HIPAA



Data backup plan (Required). Establish and implement procedures to create and maintain retrievable, exact copies of electronic protected health information.



Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.



Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.



Applications and data criticality analysis (Addressable).



Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

Slide 9

HUMAN RESOURCES



DOWNSIZING



REENGINEERING



OUTSOURCING



Loss of a staff member's productive services has a greater impact today than it did in the past.

We have made our people more productive through technology. Today's employee tends to wear several hats. The loss of an employee has a greater impact on the continuity of business than ever before.

Slide 10

INCREASING COMPETITION IN A GLOBAL ECONOMY



SERVICE LEVELS ATTRACT AND KEEP CUSTOMERS



LOST CUSTOMERS DON'T RETURN



In the global economy, we compete on service levels. We promise a product of a given level of quality delivered within a certain time frame. Disasters causing a loss of the ability to deliver as promised can have a direct effect on the loss of customer base. Once a customer is lost, it is difficult to convince them to return.

Slide 11

WHAT IS A BUSINESS CONTINUITY PLAN?

AN INTEGRATED SET OF PROCEDURES AND RESOURCE INFORMATION USED TO RECOVER FROM A DISASTER THAT HAS CAUSED A DISRUPTION IN BUSINESS OPERATIONS.

IT ANSWERS THE QUESTIONS:



WHO?



WHAT?



WHEN?



WHERE?



A business continuity plan, if well written, will identify who performs which actions, in what sequence, and in which location. It should avoid assumptions that someone else or another department is going to be performing a critical recovery action.

Slide 12

BUSINESS CONTINUITY PLAN



UPON THE DECLARATION OF A DISASTER, IT ACTIVATES PREAPPROVED POLICIES AND AUTHORITIES



IT RESTORES THE OUTFLOW OF SERVICES WITH THE LEAST POSSIBLE COST TO THE HEALTHCARE ORGANIZATION



By declaring a disaster, pre-approved policies may be set in motion. The IT director's spending authority may jump from $25,000 to $1,500,000 upon the declaration of a disaster.

The plan is designed to restore functionality as opposed to exactly replacing the affected resource. If a flat surface is required, a folding table can replace a mahogany desk.

Slide 13

BCP PREREQUISITES FOR SUCCESS



MANAGEMENT COMMITMENT



PLAN ADMINISTRATOR IDENTIFIED



PROJECT PLAN



KEY STAFF INVOLVEMENT



Establishing a solid foundation for a plan is critical for its success. The most critical component is management commitment at the CEO level. In an examination done by one of the "big 5" on why projects fail, the 4 components identified above emerged as the leading causes.

Slide 14

BCP MANAGEMENT CONCERNS



PLAN INSTALLATION AS QUICKLY AS POSSIBLE



MINIMAL COST AND DISRUPTION TO THE HEALTHCARE ORGANIZATION



CONSISTENCY AMONG BUSINESS UNITS



QUALITY PROJECT LEADERSHIP



TRAINING FOR STAFF



REGULATORY COMPLIANCE



A QUALITY, WORKABLE PLAN



A PLAN THAT CAN BE EASILY UPDATED



INTERDEPENDENCIES ADDRESSED



The above list is the result of 15 years of conversations with CEOs from all over the country.

Slide 15

BCP PLANNING TOOLS



EMERGENCY PROCEDURES



RISK ASSESSMENT



BUSINESS IMPACT ANALYSIS METHOD



PLANNING SOFTWARE



Planning tools make the planning process efficient. However, be cautious of tool salespeople who try to oversell the benefits of their products. Regardless of the tools used, creating a plan still requires a lot of hard work (despite what software salesmen may tell you).

Slide 16

BCP METHODOLOGY



RISK ASSESSMENT



BUSINESS IMPACT ANALYSIS



RECOVERY REQUIREMENTS



STRATEGY SELECTION



PLAN DOCUMENTATION



TRAINING



TESTING



MAINTENANCE

The number of phases or steps is irrelevant. The tasks embodied in the listing above must be completed in order to have a viable plan.

Slide 17

RISK ASSESSMENT



EVALUATES RISK PRESENT IN THE LOCAL ENVIRONMENT



IDENTIFIES MEASURES TAKEN TO MITIGATE THE RISK



IDENTIFIES MEASURES THAT NEED TO BE TAKEN



WILL IMPACT THE CREATION OF THE ACTION PLAN



Risk assessment examines threats from the environment and what steps are in place to mitigate those risks.

Slide 18

BUSINESS IMPACT ANALYSIS



IDENTIFIES WHICH SERVICES ARE ESSENTIAL



RANKS SERVICES TO AVOID INTER-ORGANIZATIONAL DISPUTES



ESTABLISHES RECOVERY TIME OBJECTIVES (RTO)



IDENTIFIES $ IMPACT IF PRODUCTION STOPS



Identifies how soon critical resources have to be restored before severe damage is done to the healthcare organization.

Slide 19

BUSINESS IMPACT ANALYSIS

IDENTIFIES LOSS IMPACT AT VARIOUS DURATIONS



Legal and Regulatory



Income



Customer Service



Operating Expense



Staff Productivity



Service to other Business Units



Many different facets of risk are assessed in order to identify the impact to the healthcare organization.

Slide 20

STRATEGIES

Financial Impacts of Interruption

Different functions within the healthcare organization will have different recovery requirements based on their relative impact on the healthcare organization's overall profitability.

Slide 21

IT STRATEGIES

(SEE GRAPH IN STRATEGY SECTION)

The more rapidly you require the healthcare organization to be recovered, the more expensive the solution will be.

Slide 22

STRATEGY SELECTION

(SEE GRAPH IN STRATEGY SECTION)

The object of strategy selection is to minimize the sum of the cost of the impact and the cost of the solution.

Slide 23

STRATEGIES



CUSTOMER CONTACT



CUSTOMER SERVICE



CUSTOMER PERCEPTION



INCLUDE ENTIRE HEALTHCARE ORGANIZATION, NOT JUST THE COMPUTER ROOM.



CUSTOMER/VENDOR KNOWLEDGE



DETERMINE AND PLAN FOR LOCAL AUTHORITIES SERVICE LEVELS



Strategies must include not only the components of production of a good or service, but also the sources of input and the customers who receive the output.

Slide 24

STRATEGIES



FACILITIES



HOTSITE/COLDSITE



ACQUIRE REPLACEMENT BUILDING





STAFF



LAYOFFS



DAYCARE / HOUSING





WHO PERFORMS RECOVERY



OTHER RESOURCES



MINIMAL EQUIPMENT



ELECTRICITY



COMMUNICATIONS



FUNCTIONALITY



VENDOR SELECTION



Strategies should address not only the components of production but also the way in which the plan should be put together.

Slide 25

EMERGENCY PROCEDURES



PREVENTS A SITUATION FROM BECOMING A DISASTER



HUMAN SAFETY



ACTION STEPS



DAMAGE CONTROL



PLANS AROUND THE LIMITATIONS OF THE LOCAL AUTHORITIES



INTEGRATE WITH DISASTER RECOVERY PLAN



The first component of the plan is the emergency procedures. These procedures are the actions that will be taken immediately after the disaster event occurs.

Slide 26

PLAN DEVELOPMENT



COMMAND STRUCTURE



TEAM STRUCTURE/STAFFING



MODIFY PROVEN PROCEDURES



MANAGEMENT FEEDBACK AND REVISIONS



RESOURCE LINKAGES



Once all the preliminary data gathering and analyses have been completed, writing the plan is fairly straightforward. Too many healthcare organizations try to begin writing a plan by buying software, without having done the preliminary data gathering.

Slide 27


This concept has the team organization following the healthcare organizational chart. Instead of trying to recover processes, the focus is to recover the critical components of production. If the critical components have been correctly identified, their recovery will also be the recovery of critical processes.

Slide 28

PLAN CONTENT



INSTRUCTIONS



ACTION PLAN



PROCEDURES



RESOURCES



RESPONSIBLE TEAMS



VENDORS





INVENTORIES



PLAN LOCATIONS



SUCCESSION LISTS



APPENDICES



ACTION PLAN EXPANSIONS



REGULATORY REQUIREMENTS



MAPS, NEWS RELEASE, ETC.





The layout of the plan should follow the logical progression that would occur in a recovery if the plan had not been developed and there was sufficient time to consider all required actions.

Slide 29

TRAINING, TESTING, MAINTENANCE



PLAN REVIEW



STAFF TRAINING



PLAN TESTING



Plan Familiarization



Simulation



Component Testing



Full Business Test





PLAN MAINTENANCE



Each step of the plan must be tested and maintained to ensure its currency. Recovery team members must be trained in the execution of the plan.

Slide 30

WHAT TO LOOK FOR IN A CONSULTANT



Experience



Methodology



Hands-on training and assistance



Plans for success



Respect for your most valuable resource, time.




