Post on 04-Mar-2020
1
BCP and DR Planning for Healthcare Organizations
Advancing your BCP Program
• Stick to the basics
• Know your crucial technology
• Get your clients input - BIA
• Obtaining senior management support
• Training and awareness
• Summary
Agenda for PresentationAgenda for Presentation
DRII-Business Continuity Program Elements
Pre-Planning
- Project Initiation
& Management
�- BIA & Risk
Mitigation
�-Cost Benefit
Analysis &
Selected Strategies
Planning
- Develop Disaster
Recovery
Strategies (Equipment
& Backups)
�- Emergency
Response &
Operations
�- Develop and
Implement DR
Plans (Teams)
Post-Planning
�-Awareness &
Training
�- Maintaining
and Exercising the
Plan
�- Public
Relations & Crisis
Communication
�- Coordination
with Public
Authorities
2
Business Continuity• Client Preparedness –Downtime Procedures• Adherence to Regulations• Emergency Preparedness• Command Center preparation and staffing•Business Impact Analysis• Awareness & Training to Clients• Awareness & Training for IS teams• Business Strategies• Presentations to clients and Sr. Management• BC Vendors• Conduct DTTF Meetings• Overall Plan development & maintenance
Combined Efforts• Risk Analyses• BC/DR Training for IS Staff• Coordination of DR Testing• Workspace Recovery Testing• Confirmation of RTO’s and RPO’s & Redundancy testing• Preparation for BIA Survey• Establishment of BC/DR Teams within Plan• Training & Cross-training of Teams• Conduct monthly DR/BCP meetings• Audit Compliance• Consultant to PM’s for DR needs in applications projects
Disaster Recovery• Knowledge of all technical recovery• Risk Mitigation• Hardware & systems documentation and recovery• Application documentation and recovery• Network diagrams & documentation• Data Center OperationsBackup and Restoration
• Coordination of technical aspects of DR Testing• Maintaining and exercising the DR portion of the Plan• Coordination of DR Vendors
Business Continuity Disaster Recovery
Business Continuity and Disaster Recovery – Who’s doing what?
Positioning for Advancement
• Where is your program right now?
• What is your current disaster
readiness?
•Do you know your current resources
and assets?
•Have you done a BIA of client
environment getting clinical buy-in?
• Do you need to re-evaluate your risks
and controls?
Here are some suggestions to get this done.
Assess Your Progress and Set Future Goals
• List goals you would like to accomplish in next 9-12 months
• If you are new to the organization, evaluate what has already been accomplished
• Every organization has strengths and weaknesses, build on them
• Estimate funding for these goals
• List resources for these goals
• Verify that management is on board
• Start implementing steps to achieve goals.
3
Evaluate IS Preparedness - How much has already
been accomplished?
• Do you have a current application and hardware inventory?
• Assess the current state of your application and hardware recovery
• An IS survey could be used to obtain critical information:– Develop a separate survey form for the IS Department
– Interview each group leader within IS
– Inventory all equipment, systems, applications
– List each resource associated with each type of technology
– What applications are on all equipment?
– Which applications can be made Tier 1 high availability?
• Define Tier Level and recovery strategy
• Has integrity of back up tapes been demonstrated?
• Obtain network diagrams and telecom information.
• Do they have written recovery procedures for equipment failure?
• Which IT staff work directly with clients and clinicians?
• Obtain detailed information on Vendor contracts & responsibilities.
Questions to ask the Technical Staff w/survey
Use this information to update your DR Plan
Define your Recovery Tiers with Strategies
• Vendor quick ship contracts for
server/disk equipment (72 Hours)
• Ad Hoc ordering of server/disk
equipment (> 72 Hours)
• Daily vaulting / tape recovery
36 Hours72 Hours
or
Beyond
Warm Site3
• Hot site server/disk available (e.g. test /
development system, spare, vendor)
• Mirrored SAN or Daily vaulting / tape
recovery
< 1 Minute
– 36 Hours
12 – 24
Hours
Hot Site2
• Servers Geographically dispersed
between data centers
• Clustered Servers
• Mirrored SAN (shared disk storage)
• Database geographically clustered and
failover capable
• Application failover capable
< 1 Minute4 HoursHigh Availability1
Technology Solution (where possible)RPORTORecovery TypeTier
4
BIA – Making it Worthwhile
• Obtain senior management support for a BIA
• Meet with senior management to find out what they really want to learn from a BIA
• Set objectives before you customize questions
• Make questions as to the point as possible
• Don’t ask a question if you don’t need the data
• Plan to present a report to match senior management’s expectations.
More reasons to perform a BIA• Is there additional data that would be
appropriate to reveal at this time - patient safety impacts?
• Have user departments requirements for recovery changed?
• Do departments have documented downtime procedures in place?
• Are their gaps in client/clinical needs?
• Position yourself to accomplish (Get Sr. Mgmt. on your side)
Questions for BIA relating to Patient Care - Examples• List the applications that you use for patient
care.
• When those applications are not available, how quickly is patient care affected (0-4)?
• Are the manual procedures sufficient to render excellent patient care for more than 8 hours?
• List your concerns when each application is not available
• Provide an application list so that participants use the same name for applications; i.e., Exchange, Outlook, email, etc.
5
Impact to Patient Safety during a Tier 1 Application Disruption
48%52%
61%
67%
75% 78%
0%
10%
20%
30%
40%
50%
60%
70%
80%
4 Hrs 8 Hrs 24 Hrs 48 Hrs 72 Hrs 7 Days
Participants were asked how quickly patient safety would be affected in the
event that the Tier 1 Applications experienced a significant disruption.
Additional Patient Care Questions for BIA
• Is there a paper process for inputting data into system?
• How long can your department render patient care using downtime procedures?
• Do you require additional staff when systems are not available?
• Who (Doctors or nurses?) and how many?
Advantages of Performing a BIA:
You will know:
– Which departments are better prepared than others?
– Which systems when down directly affect patient safety?
– The financial and operational impacts of a significant outage.
– Which departments are reliant on specific applications
– Which applications require High Availability solutions
– The Recovery Time Objectives (RTO) and Tier level.
It also:
– Boosts awareness of importance of BC/DR Planning to Hospital.
6
Now that you have your Technical System Information . . .
• Let’s move to getting the future funded by
Senior Management
Get buy-in from managementIt is important to advise senior management of the
status of your work:
• The good work that has been accomplished
• A brief history of all that has been done to date
• The roadblocks you are facing
• Why your recommendations should be approved
• Use examples from other hospitals (BCPWHO)
• Where you need their assistance
Here’s how we did it -
Brochure of History and Goals
Now you can take all of this
information and develop a marketing tool to Advance your Program ----
Develop a brochure with history of the growth of your organization
Example will be provided at conference.
7
Awareness & Training
• Establish a Downtime Task Force with key departments to discuss their concerns. Start with:
– ED
– Admissions/Bed Management
– Lab
– Pharmacy
– Other outspoken departments
• Show progress by developing job aids and workshops
Tabletop Exercises for IS Disruption
• Provide guidance and rules at the beginning
• Chose a scenario that has relevance
• Develop slides to walk through the scenario
• Don’t give all the directives; make them figure out what to do
• Use envelopes and announcements
• Make it challenging but not ridiculous
• Finish on a positive note.
Example of a IS Tabletop Exercise
• To be provided at conference
8
Patient Safety is Utmost Concern in Healthcare –
Bridging the gap between clinicians and IT
• If you are part of IT, there are ways to
incorporate Patient Safety into your IT
BCP
• Hospital Timetable
• Quick Reference Guide
• Downtime Procedures & Task Force
• Downtime Containers
• Clinical Workshops
Clinical Downtime Workshop
• Design a working session with clinicians and some key Leaders
• Develop patient care scenarios
• Scenario - No computer systems or network available (Phones and faxes, too?)
• Invite more than you want – they won’t all be able to attend.
• Set up the room so that conversation flows
• Use easel for documenting “issues”
• Provide refreshments and give promotional items (if poss.)
• Start the session with a brief slide show can get them motivated to participate
Clinical Downtime Workshop• Scenario:
– All systems are unavailable due to a Data Center fire
– 8 Mth Old Sick Baby arrives at ED
– Ask clinicians to step you through how to render patient care without systems, ordering labs, medications, food, etc.
– Document the gaps and issues
• Explain planned deliverables from session:
– Laminated cards and quick reference guides
– Updated Downtime policies and procedures
– Improved Downtime Materials
9
Anticipated Results of Workshop
• A better understanding of how patient care is administered (different roles in different departments)
• Gaps in available information and responsibilities
• How well the downtime procedures are used
• Gaps in training
• The champions in clinical environment to help you get things done
(Example: Discovered that there was 1 fax machine for all 5 pharmacy units. When system down, can everyone use same fax?)
Downtime Procedures for Departments
• Each department has separate customized downtime procedures
• Listing each application that they use
• Listing manual procedures for each application
• Include telephone instructions for receptionist to handle downtime
• Include pager downtime procedures
Summary• If you are new to the organization, assess what is already in
place and what needs to be accomplished with priority
• Meet with clinicians and get support for moving forward
• Meet with Sr. Mgmt. to obtain commitment and define scope
and future objectives
• Work with individual departments to build their downtime
procedures (BC plans) – provide a template
• Establish the IT recovery strategy and Tier Structure
• Serve the clinical staff by bridging the gap between the
clinical environment and IS technical environment.
• Be a promoter!
10
Remember why you are doing this!
YOU CAN DO IT!