Business Continuity and HIPAA Business Continuity Management in the Health Care Environment [Electronic resources]

Jim Barnes


Appendix 6: Management Presentation

Slide 1

BUSINESS CONTINUITY PLANNING IMPLEMENTATION METHODS FOR HIPAA COMPLIANCE

Slide 2

TOPICS

WHAT IS A DISASTER?

THE IMPACT OF A DISASTER

CAUSES OF A DISASTER CONDITION

WHAT IS A BUSINESS CONTINUITY PLAN?

BUSINESS CONTINUITY PLANNING METHODOLOGY

We start with the general information and methodically drill down to the essence of Business Continuity Planning. This is done so that regardless of the level of understanding, we shouldn't lose anyone in the presentation.

Slide 3

WHAT IS A DISASTER?

A disruption of business operations that stops the healthcare organization from providing its critical services for an extended period of time.

Caused by the absence of critical resources:

Facilities

Communications

Power

Medical staff and skill sets

Information access

A disaster, from a healthcare organizational point of view, stops the production of product or service for an amount of time great enough to do severe damage. A disaster can be caused by the absence of any critical component of production.

Slide 4

CAUSES OF A DISASTER CONDITION

NATURAL DISASTERS

STORMS

TORNADOES

FLOODS

FIRES

UTILITIES

ELECTRIC

WATER

COMMUNICATIONS

GAS

HUMAN CAUSES

STRIKES

SABOTAGE

TERRORISM

VIRUSES

EQUIPMENT FAILURES

INFORMATION SYSTEM

TELECOMMUNICATION

PRODUCTION LINE

MANMADE

NUCLEAR/BIOCHEMICAL

TRANSPORTATION

CONTAMINATION

Nature and man provide numerous causes for a disaster condition. The lack of electricity accounts for nearly 1/3 of all disaster declarations.

Slide 5

THE IMPACT OF A DISASTER

(A FINANCIAL PERSPECTIVE)

NORMAL OPERATING EXPENSES CONTINUE

(Salaries, Rent)

LARGE EXTRAORDINARY EXPENSES OCCUR

(Equipment and facility replacement)

REVENUE/CASH FLOW STOPS

LEADS TO A RAPIDLY WEAKENING EQUITY POSITION

When a disaster occurs, money starts draining from the healthcare organization. The whole point of having a plan is to stop the financial bleeding after a disaster event.

Slide 6

In order to protect the healthcare organization, you must first understand the total flow through a healthcare organization starting with raw materials from internal or external vendors through the delivery of the final product to the vendor. This entire flow is referred to as the supply chain. A breakdown in any of the components of the supply chain can stop the flow of goods and services. The objective of sound planning is to eliminate single points of failure.

Slide 7

LIABILITIES ASSOCIATED WITH BUSINESS INTERRUPTIONS

HIPAA REGULATORY REQUIREMENT VIOLATIONS

PENALTIES INCURRED BY NOT MEETING CLAIM PAYMENT SCHEDULES

FIDUCIARY RESPONSIBILITY TO PROTECT THE HEALTHCARE ORGANIZATION'S ASSETS

SHAREHOLDER / BOARD OF DIRECTORS NEW EXPECTATIONS

Disasters have a more devastating impact today. New liabilities are associated with not being able to recover.

Slide 8

IMPLEMENTATION SPECIFICATION REQUIREMENTS OF HIPAA

Data backup plan (Required). Establish and implement procedures to create and maintain retrievable, exact copies of electronic protected health information.

Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.

Applications and data criticality analysis (Addressable).

Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

Slide 9

HUMAN RESOURCES

DOWNSIZING

REENGINEERING

OUTSOURCING

Loss of a staff member's productive services has a greater impact today than it did in the past.

We have made our people more productive through technology. Today's employee tends to wear several hats. The loss of an employee has a greater impact on the continuity of business than ever before.

Slide 10

INCREASING COMPETITION IN A GLOBAL ECONOMY

SERVICE LEVELS ATTRACT AND KEEP CUSTOMERS

LOST CUSTOMERS DON'T RETURN

In the global economy, we compete on service levels. We promise a product of a given level of quality delivered within a certain time frame. Disasters causing a loss of the ability to deliver as promised can have a direct effect on the loss of customer base. Once a customer is lost, it is difficult to convince them to return.

Slide 11

WHAT IS A BUSINESS CONTINUITY PLAN?

AN INTEGRATED SET OF PROCEDURES AND RESOURCE INFORMATION USED TO RECOVER FROM A DISASTER THAT HAS CAUSED A DISRUPTION IN BUSINESS OPERATIONS.

IT ANSWERS THE QUESTIONS:

WHO?

WHAT?

WHEN?

WHERE?

A business continuity plan, if well written, will identify who does what actions in what sequence and in which location. It should avoid assumptions that someone else or another department is going to be performing a critical recovery action.

Slide 12

BUSINESS CONTINUITY PLAN

UPON THE DECLARATION OF A DISASTER, IT ACTIVATES PREAPPROVED POLICIES AND AUTHORITIES

IT RESTORES THE OUTFLOW OF SERVICES WITH THE LEAST POSSIBLE COST TO THE HEALTHCARE ORGANIZATION

By declaring a disaster, pre-approved policies may be set in motion. The IT director's spending authority may jump from $25,000 to $1,500,000 upon the declaration of a disaster.

The plan is designed to restore functionality as opposed to exactly replacing the affected resource. If a flat surface is required, a folding table can replace a mahogany desk.

Slide 13

BCP PREREQUISITES FOR SUCCESS

MANAGEMENT COMMITMENT

PLAN ADMINISTRATOR IDENTIFIED

PROJECT PLAN

KEY STAFF INVOLVEMENT

Establishing a solid foundation to a plan is critical for its success. The most critical component is management commitment at the CEO level. In an examination done by one of the "big 5" on why projects fail, the 4 components identified above emerged as the leading causes.

Slide 14

BCP MANAGEMENT CONCERNS

PLAN INSTALLATION AS QUICKLY AS POSSIBLE

MINIMAL COST AND DISRUPTION TO THE HEALTHCARE ORGANIZATION

CONSISTENCY AMONG BUSINESS UNITS

QUALITY PROJECT LEADERSHIP

TRAINING FOR STAFF

REGULATORY COMPLIANCE

A QUALITY, WORKABLE PLAN

A PLAN THAT CAN BE EASILY UPDATED

INTERDEPENDENCIES ADDRESSED

The above list is the result of 15 years of conversations with CEOs from all over the country.

Slide 15

BCP PLANNING TOOLS

EMERGENCY PROCEDURES

RISK ASSESSMENT

BUSINESS IMPACT ANALYSIS METHOD

PLANNING SOFTWARE

Planning tools make the planning process efficient. However, be aware and cautious of tool salespeople who try to oversell the benefits of their products. Regardless of the tools used, creating a plan still requires a lot of hard work (despite what software salesmen may tell you).

Slide 16

BCP METHODOLOGY

RISK ASSESSMENT

BUSINESS IMPACT ANALYSIS

RECOVERY REQUIREMENTS

STRATEGY SELECTION

PLAN DOCUMENTATION

TRAINING

TESTING

MAINTENANCE

The number of phases or steps is irrelevant. The tasks embodied in the listing above must be completed in order to have a viable plan.

Slide 17

RISK ASSESSMENT

EVALUATES RISK PRESENT IN THE LOCAL ENVIRONMENT

IDENTIFIES MEASURES TAKEN TO MITIGATE THE RISK

IDENTIFIES MEASURES THAT NEED TO BE TAKEN

WILL IMPACT THE CREATION OF THE ACTION PLAN

Risk assessment examines threats from the environment and what steps are in place to mitigate those risks.

Slide 18

BUSINESS IMPACT ANALYSIS

IDENTIFIES WHICH SERVICES ARE ESSENTIAL

RANKS SERVICES TO AVOID INTER-ORGANIZATIONAL DISPUTES

ESTABLISHES RECOVERY TIME OBJECTIVES (RTO)

IDENTIFIES $ IMPACT IF PRODUCTION STOPS

Identifies how soon critical resources have to be restored before severe damage is done to the healthcare organization.

Slide 19

BUSINESS IMPACT ANALYSIS

IDENTIFIES LOSS IMPACT AT VARIOUS DURATIONS

Legal and Regulatory

Income

Customer Service

Operating Expense

Staff Productivity

Service to other Business Units

Many different facets of risk are assessed in order to identify the impact to the healthcare organization.

Slide 20

STRATEGIES

Financial Impacts of Interruption

Different functions within the healthcare organization will have different recovery requirements based on their relative impact on the healthcare organization's overall profitability.

Slide 21

IT STRATEGIES

(SEE GRAPH IN STRATEGY SECTION)

The more rapidly you require the healthcare organization to be recovered, the more expensive the solution will be.

Slide 22

STRATEGY SELECTION

(SEE GRAPH IN STRATEGY SECTION)

The object of strategy selection is to minimize the sum of the cost of the impact and the cost of the solution.

Slide 23

STRATEGIES

CUSTOMER CONTACT

CUSTOMER SERVICE

CUSTOMER PERCEPTION

INCLUDE ENTIRE HEALTHCARE ORGANIZATION, NOT JUST THE COMPUTER ROOM.

CUSTOMER/VENDOR KNOWLEDGE

DETERMINE AND PLAN FOR LOCAL AUTHORITIES SERVICE LEVELS

Strategies must include not only the components of production of a good or service, but also the sources of input and the customers who receive the output.

Slide 24

STRATEGIES

FACILITIES

HOTSITE/COLDSITE

ACQUIRE REPLACEMENT BUILDING

STAFF

LAYOFFS

DAYCARE / HOUSING

WHO PERFORMS RECOVERY

OTHER RESOURCES

MINIMAL EQUIPMENT

ELECTRICITY

COMMUNICATIONS

FUNCTIONALITY

VENDOR SELECTION

Strategies should address not only the components of production but also the way in which the plan should be put together.

Slide 25

EMERGENCY PROCEDURES

PREVENTS A SITUATION FROM BECOMING A DISASTER

HUMAN SAFETY

ACTION STEPS

DAMAGE CONTROL

PLANS AROUND THE LIMITATIONS OF THE LOCAL AUTHORITIES

INTEGRATE WITH DISASTER RECOVERY PLAN

The first component of the plan is the emergency procedures. These procedures are the actions that will be taken immediately after the disaster event occurs.

Slide 26

PLAN DEVELOPMENT

COMMAND STRUCTURE

TEAM STRUCTURE/STAFFING

MODIFY PROVEN PROCEDURES

MANAGEMENT FEEDBACK AND REVISIONS

RESOURCE LINKAGES

Once all the preliminary data gathering and analyses have been completed, writing the plan is fairly straightforward. Too many healthcare organizations try to begin writing a plan by buying software and trying to create a plan without having done the preliminary data gathering.

Slide 27

This concept has the team organization following the healthcare organization's organizational chart. Instead of trying to recover processes, the focus is to recover the critical components of production. If the critical components have been correctly identified, their recovery will also be the recovery of critical processes.

Slide 28

PLAN CONTENT

INSTRUCTIONS

ACTION PLAN

PROCEDURES

RESOURCES

RESPONSIBLE TEAMS

VENDORS

INVENTORIES

PLAN LOCATIONS

SUCCESSION LISTS

APPENDICES

ACTION PLAN EXPANSIONS

REGULATORY REQUIREMENTS

MAPS, NEWS RELEASE, ETC.

The layout of the plan should follow the logical progression that would occur in a recovery if the plan had not been developed and there was sufficient time to consider all required actions.

Slide 29

TRAINING, TESTING, MAINTENANCE

PLAN REVIEW

STAFF TRAINING

PLAN TESTING

Plan Familiarization

Simulation

Component Testing

Full Business Test

PLAN MAINTENANCE

Each step of the plan must be tested and maintained to ensure its currency. Recovery team members must be trained in the execution of the plan.

Slide 30

WHAT TO LOOK FOR IN A CONSULTANT

Experience

Methodology

Hands-on training and assistance

Plans for success

Respect for your most valuable resource, time.