Business Continuity and HIPAA Business Continuity Management in the Health Care Environment [Electronic resources]

Jim Barnes

BUSINESS IMPACT ANALYSIS QUESTIONNAIRE

BUSINESS LINE:

_______________________________________________________________________

DATE OF INTERVIEW:____/____/____

CONTACT/INTERVIEWEE NAME(S):_____________________________________________

DEPARTMENT:__________________________________________________________________

DESCRIPTION OF DEPARTMENT FUNCTIONS:

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

OUTSIDE DEPENDENCIES:

Vendors/Business Partners:

(Name)                                              (Service/Product)

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

Internal Dependencies - Department:

(Name)                                              (Service/Product)

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

Who are your primary customers? Internal & External

(Name)                      (Name)                      (Name)

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

Can this department continue operations via manual means?___________________

How long?__________________________________________________________________

If Yes, Explain:

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

If you lost access to this facility, how many days of data (e.g., input documents, critical documents) could be gathered and re-entered into the computer system?_______________________________________________

In the following section, use the six listed criteria to indicate the point in time at which the loss of this service would begin to have a significant impact on the financial well-being of the healthcare organization.

POTENTIAL EFFECTS OF DISRUPTION                                      DURATION OF OUTAGE
                                                                     <6 Hr. | 1 Day | 2 Days | 3 Days | 4 Days | 5 Days | >10 days
Direct loss of Net Operating Income                                  ______ | _____ | ______ | ______ | ______ | ______ | ________
    Quantify ($):                                                    ______ | _____ | ______ | ______ | ______ | ______ | ________
Lost Customers/Patients                                              ______ | _____ | ______ | ______ | ______ | ______ | ________
Exposure to Contractual Fines/HIPAA and other Regulatory Penalties   ______ | _____ | ______ | ______ | ______ | ______ | ________
Loss of Staff Productivity                                           ______ | _____ | ______ | ______ | ______ | ______ | ________
Exposure to Litigation and Adverse Awards                            ______ | _____ | ______ | ______ | ______ | ______ | ________
Inability to Service Other Organizational Units                      ______ | _____ | ______ | ______ | ______ | ______ | ________

RESOURCE ITEMS                                                       QUANTITY

STAFF (Title/Function)

Based on your business function today, what disciplines or skill sets would be needed to replace current staff?

Admissions Technician

Claims Adjuster

Claims Manager

Credit Controller

Emergency Room Nurse

Emergency Room Practitioner

Emergency Room Technician

General Practitioner

Lab Technician

Hospital Administrator

Medical Supplies Staff

PA/Administrator

Personal Assistant

Personal Assistant to Hospital Administrator

Receptionist/Administration Assistant

Registered Nurse

Risk Control Manager

Senior Technician - PPSR

Senior Vice President and Director - Audits & Insp

Systems Administrator

Systems Analyst

Systems Developer

Technical Architect

Technical Services Manager

Technical Support Analyst

Technician

Technician - PPSR

TOTAL Headcount

PERSONAL SETUP: Desk w/ 7 drawers, chair, PC, monitor, mouse, mouse pad, keyboard, phone, pen, paperclips, stapler, staples, staple remover, tape dispenser, tape, writing tablet, Surge Protectors, post-its, and power strip.

OFFICE FURNITURE

Computer Racks

File Cabinets

Tables

OFF-SITE STORAGE

System backup

Blank Checks

LAN backup

Critical Paper Backups

MEDICAL EQUIPMENT

Ambulances

CAT scan equipment

Dialysis equipment

Emergency room setup

Wheel Chairs

X-ray equipment

Typewriter

SOFTWARE

Standard PC Setup (Netscape, WinZip, Internet Explorer, Microsoft Access, Excel, Power Point, Outlook, Word, Adobe Acrobat Writer 4.0, Focus, People, Knowledge Network, Manuals, Smart Source, Corporate Directory)

Lifelines

LifePro

Underwriters Work Station (UWS)

Underwriting Reviews

SUPPLIES

Copy Paper

Folders

Diskettes

MICR Cartridge

TELECOMMUNICATIONS

Mobile Phones

Pagers

Blackberry

The Resource Item questionnaire should be used in conjunction with a walk-around of the work area. Refer back to the health organization's flow chart and the other sections of the BIA as you go. Probing in depth in the Resource Item section unearths many details relevant to the recovery that would otherwise go unrecorded.

One critical mistake I have seen planners make in this area is assuming that they know in advance which areas are critical, and therefore interviewing only those areas. What you will find by interviewing all functional components on the organization chart is that some areas you thought insignificant have a tremendous impact on the healthcare organization. To avoid the embarrassment of a critical omission during your final presentation, make it a point to include all business units in this assessment.

Armed with the BIA interview form, interview all key personnel. Each interview should take about 45 minutes to an hour. (Note: The interview form above is the result of countless iterations. What I have evolved to is a form that collects only information that will be used in creating the plan and that is as painless for the interviewee as possible.)

After the interview, write up the results and send the write-up back to the interviewee to ensure that everything said was heard correctly. The write-up should look something like the following:

Data/Telecommunications/IS Facilities

Location: Rockford, Illinois

Key Business Functions:

Data Communications acquisition and maintenance

Telecommunications acquisition and maintenance

IS environmental maintenance

Vendors:

Siemens

Intecom

Inrange

Motorola

Fujitsu

Reliable

Thermflow

Mead Electric

Ameritech

AT&T

Cellular One

MCI

Sprint

SkyTel

Bell Atlantic

Focal Communications

Applications:

Siemens

Intecom

Inrange

Centigram

Motorola

Windows Office

Aperture

Integretrack

Visio

Internal Dependencies:

Operations

Accounting

LAN Services

Primary Customers:

Company Operations

Client Firms

Company Staff

External firms

Platforms:

Personal Computers

LAN

VAX

Transactions per Hour:

95,400

Maximum Outage Duration Acceptable to Customers:

1 hour

Available Work-around:

None

Critical Timing:

After Hours

Recovery Window:

1 hour

Respondent: George Foster

Telephone:555-666-7777

Overview of Area:

The Data/Telecomm/IS Facilities function is responsible for data communications, voice communications, and Information Technology environmental controls. They maintain the company's two PBX units. They install all circuitry. They are responsible for all Moves, Adds and Changes (MAC) for the healthcare organization.

This function maintains the integrity of the company's data communications network and ultimately its HIPAA capabilities. They coordinate/monitor/install telecommunication and data-communication networks. They use the Telenex Matrix Switch to monitor failures of the Datacomm networks. When required, they are responsible for reconstructing network cabling and infrastructure.

This function receives invoices from data carriers. When invoices are received, they allocate the appropriate portion of the invoice to the other business units. This function also bills the other business units for maintenance services rendered.

This function is responsible for rewiring the company's critical operation areas, for doing power analyses, for running the telecomm trouble desk, and for providing telecomm technicians to handle communications problems.

Finally, this function is responsible for the IS environmental systems such as the Halon systems and the UPS systems.

Financial Impact:

Loss of this function would have a $262,360 per day impact upon the financial well-being of the Company. In the event of a loss of the function, the subsequent loss of data and telecommunications would cause the company to cease operations. This rate of loss could not be sustained for more than 3 weeks.

An additional touch that aids understanding of the business unit's process flow is a process flow chart drawn with a tool such as Microsoft Visio.

Once all the individual reports are completed and confirmed by the business units, a preliminary report (which includes the Risk Assessment and the BIAs) should be prepared and reviewed by the relevant management. The report should contain:

An inventory of critical business processes;

An evaluation of existing risk reduction measures;

Recommendations to enhance risk reduction measures;

An estimate of the potential financial and operational impact of a disruption on the critical business processes;

Identification of Recovery Time Objectives (RTO) for each critical business process; and,

A determination of minimum resources required by critical business functions during recovery operations.

See Appendix 2, "Sample BIA Management Summary Report" for an example of how this type of report might look.
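The "Potential Effects of Disruption" grid, the financial-impact paragraph in the sample write-up, and the RTO item in the report list above all describe one computation: find the first outage duration at which a unit's loss becomes significant, cap it by what customers will tolerate, and work out how long the organization can absorb the loss rate. The following Python is an added example of that computation, not code from the book or from any product it names. The 0-3 scoring scale for the five non-dollar criteria, the $100,000 dollar tolerance, the cash-reserve figure and the "Medical Records" and "Gift Shop" units are all assumptions constructed for illustration; only the $262,360/day and 1-hour figures for the Data/Telecomm/IS Facilities unit come from the write-up in the text.

```python
"""Score a BIA impact grid and derive Recovery Time Objectives.

Added example. Everything below the constants is assumed for illustration
except the $262,360/day and 1-hour figures, which mirror the sample write-up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Outage-duration buckets as printed on the questionnaire, in hours.
# ">10 days" is open-ended on the form; 240 h is an assumed placement.
BUCKETS: List[Tuple[str, int]] = [
    ("<6 Hr.", 6), ("1 Day", 24), ("2 Days", 48), ("3 Days", 72),
    ("4 Days", 96), ("5 Days", 120), (">10 days", 240),
]

# The five non-dollar criteria on the form. Assumed scale: the interviewer
# scores each one per bucket from 0 (no effect) to 3 (severe).
QUALITATIVE = [
    "Lost Customers/Patients",
    "Exposure to Contractual Fines/HIPAA and other Regulatory Penalties",
    "Loss of Staff Productivity",
    "Exposure to Litigation and Adverse Awards",
    "Inability to Service Other Organizational Units",
]
SIGNIFICANT = 2  # assumed: score at which the impact counts as "significant"


@dataclass
class BusinessUnit:
    name: str
    daily_loss: float                     # Direct loss of Net Operating Income, $/day
    max_customer_outage_h: Optional[int]  # "Maximum Outage Duration Acceptable to Customers"
    scores: Dict[str, List[int]]          # criterion -> one score per bucket


def dollar_loss(unit: BusinessUnit, hours: int) -> float:
    """Cumulative direct loss after an outage of the given length."""
    return unit.daily_loss * hours / 24.0


def rto_hours(unit: BusinessUnit, dollar_tolerance: float) -> Optional[int]:
    """Earliest bucket at which the outage becomes significant.

    A bucket qualifies when cumulative dollar loss reaches the tolerance or
    any qualitative criterion scores SIGNIFICANT. The result is then capped
    by customer tolerance, so a unit that loses little money but whose
    customers leave after an hour still gets a 1-hour RTO.
    """
    first: Optional[int] = None
    for i, (_label, hours) in enumerate(BUCKETS):
        money_hit = dollar_loss(unit, hours) >= dollar_tolerance
        qual_hit = any(
            unit.scores.get(c, [0] * len(BUCKETS))[i] >= SIGNIFICANT
            for c in QUALITATIVE
        )
        if money_hit or qual_hit:
            first = hours
            break
    candidates = [h for h in (first, unit.max_customer_outage_h) if h is not None]
    return min(candidates) if candidates else None


def sustainable_days(unit: BusinessUnit, cash_reserves: float) -> float:
    """How many days the organization can absorb this unit's loss rate."""
    if unit.daily_loss <= 0:
        return float("inf")
    return cash_reserves / unit.daily_loss


def rank_units(units: List[BusinessUnit], dollar_tolerance: float) -> List[str]:
    """Most critical first: shortest RTO, then largest daily loss."""
    def key(u: BusinessUnit):
        r = rto_hours(u, dollar_tolerance)
        return (r is None, r if r is not None else 0, -u.daily_loss)
    return [u.name for u in sorted(units, key=key)]


# Constructed sample data. The first unit mirrors the write-up in the text;
# the other two are invented to show units with no hard customer limit.
UNITS = [
    BusinessUnit("Data/Telecomm/IS Facilities", 262_360, 1,
                 {c: [3] * 7 for c in QUALITATIVE}),
    BusinessUnit("Medical Records", 40_000, None, {
        "Lost Customers/Patients": [0, 0, 1, 2, 3, 3, 3],
        "Exposure to Contractual Fines/HIPAA and other Regulatory Penalties":
            [0, 1, 2, 3, 3, 3, 3],
    }),
    BusinessUnit("Gift Shop", 1_500, None, {
        "Loss of Staff Productivity": [0, 0, 0, 0, 1, 1, 2],
    }),
]
DOLLAR_TOLERANCE = 100_000.0  # assumed: loss at which finance calls it significant
CASH_RESERVES = 5_509_560.0   # assumed: 21 days of the write-up's daily loss

if __name__ == "__main__":
    for name in rank_units(UNITS, DOLLAR_TOLERANCE):
        u = next(x for x in UNITS if x.name == name)
        print(f"{name:30} RTO {rto_hours(u, DOLLAR_TOLERANCE)} h, "
              f"sustainable {sustainable_days(u, CASH_RESERVES):.0f} days")
```

The point of the cap in rto_hours is the one the sample write-up makes implicitly: the telecom unit's dollar loss does not reach the tolerance inside six hours, yet its RTO is one hour because that is the longest outage customers will accept. The sustainable-days figure is the "could not be sustained for more than 3 weeks" statement made explicit, and it only holds for the reserve figure you feed it, so record that figure in the report with the result.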

Once you have interviewed all the business units in a department, summarize the results and present them to the head of the department. This achieves buy-in from the person in charge of that department and, in addition, captures the perspective of someone with a better overall understanding of each business unit's contribution to the overall workings of the healthcare organization.

I learned this lesson several years ago when my brother, a Navy officer, arranged for a tour of an aircraft carrier. The sailor who gave the tour was in charge of the anchor for the ship. You'll never guess what we came away with as the most important part of the ship, according to the tour guide. Yes, it was the anchor. I suspect that the ship's captain had a slightly different perspective.

Action Plan From Reading Chapter 3

Based upon what you have learned in chapter 3:

Conduct a risk analysis of your facility.

Determine if your organization's information technology business unit is addressing cyber threats.

Prepare a questionnaire to be used for collecting data for a business impact analysis.

Conduct business impact analysis interview sessions.

Prepare a business impact analysis management summary report.