1

BCP and DR Planning for Healthcare Organizations

Advancing your BCP Program

• Stick to the basics

• Know your crucial technology

• Get your clients input - BIA

• Obtaining senior management support

• Training and awareness

• Summary

Agenda for PresentationAgenda for Presentation

DRII-Business Continuity Program Elements

Pre-Planning

- Project Initiation

& Management

�- BIA & Risk

Mitigation

�-Cost Benefit

Analysis &

Selected Strategies

Planning

- Develop Disaster

Recovery

Strategies (Equipment

& Backups)

�- Emergency

Response &

Operations

�- Develop and

Implement DR

Plans (Teams)

Post-Planning

�-Awareness &

Training

�- Maintaining

and Exercising the

Plan

�- Public

Relations & Crisis

Communication

�- Coordination

with Public

Authorities

2

Business Continuity• Client Preparedness –Downtime Procedures• Adherence to Regulations• Emergency Preparedness• Command Center preparation and staffing•Business Impact Analysis• Awareness & Training to Clients• Awareness & Training for IS teams• Business Strategies• Presentations to clients and Sr. Management• BC Vendors• Conduct DTTF Meetings• Overall Plan development & maintenance

Combined Efforts• Risk Analyses• BC/DR Training for IS Staff• Coordination of DR Testing• Workspace Recovery Testing• Confirmation of RTO’s and RPO’s & Redundancy testing• Preparation for BIA Survey• Establishment of BC/DR Teams within Plan• Training & Cross-training of Teams• Conduct monthly DR/BCP meetings• Audit Compliance• Consultant to PM’s for DR needs in applications projects

Disaster Recovery• Knowledge of all technical recovery• Risk Mitigation• Hardware & systems documentation and recovery• Application documentation and recovery• Network diagrams & documentation• Data Center OperationsBackup and Restoration

• Coordination of technical aspects of DR Testing• Maintaining and exercising the DR portion of the Plan• Coordination of DR Vendors

Business Continuity Disaster Recovery

Business Continuity and Disaster Recovery – Who’s doing what?

Positioning for Advancement

• Where is your program right now?

• What is your current disaster

readiness?

•Do you know your current resources

and assets?

•Have you done a BIA of client

environment getting clinical buy-in?

• Do you need to re-evaluate your risks

and controls?

Here are some suggestions to get this done.

Assess Your Progress and Set Future Goals

• List goals you would like to accomplish in next 9-12 months

• If you are new to the organization, evaluate what has already been accomplished

• Every organization has strengths and weaknesses, build on them

• Estimate funding for these goals

• List resources for these goals

• Verify that management is on board

• Start implementing steps to achieve goals.

3

Evaluate IS Preparedness - How much has already

been accomplished?

• Do you have a current application and hardware inventory?

• Assess the current state of your application and hardware recovery

• An IS survey could be used to obtain critical information:– Develop a separate survey form for the IS Department

– Interview each group leader within IS

– Inventory all equipment, systems, applications

– List each resource associated with each type of technology

– What applications are on all equipment?

– Which applications can be made Tier 1 high availability?

• Define Tier Level and recovery strategy

• Has integrity of back up tapes been demonstrated?

• Obtain network diagrams and telecom information.

• Do they have written recovery procedures for equipment failure?

• Which IT staff work directly with clients and clinicians?

• Obtain detailed information on Vendor contracts & responsibilities.

Questions to ask the Technical Staff w/survey

Use this information to update your DR Plan

Define your Recovery Tiers with Strategies

• Vendor quick ship contracts for

server/disk equipment (72 Hours)

• Ad Hoc ordering of server/disk

equipment (> 72 Hours)

• Daily vaulting / tape recovery

36 Hours72 Hours

or

Beyond

Warm Site3

• Hot site server/disk available (e.g. test /

development system, spare, vendor)

• Mirrored SAN or Daily vaulting / tape

recovery

< 1 Minute

– 36 Hours

12 – 24

Hours

Hot Site2

• Servers Geographically dispersed

between data centers

• Clustered Servers

• Mirrored SAN (shared disk storage)

• Database geographically clustered and

failover capable

• Application failover capable

< 1 Minute4 HoursHigh Availability1

Technology Solution (where possible)RPORTORecovery TypeTier

4

BIA – Making it Worthwhile

• Obtain senior management support for a BIA

• Meet with senior management to find out what they really want to learn from a BIA

• Set objectives before you customize questions

• Make questions as to the point as possible

• Don’t ask a question if you don’t need the data

• Plan to present a report to match senior management’s expectations.

More reasons to perform a BIA• Is there additional data that would be

appropriate to reveal at this time - patient safety impacts?

• Have user departments requirements for recovery changed?

• Do departments have documented downtime procedures in place?

• Are their gaps in client/clinical needs?

• Position yourself to accomplish (Get Sr. Mgmt. on your side)

Questions for BIA relating to Patient Care - Examples• List the applications that you use for patient

care.

• When those applications are not available, how quickly is patient care affected (0-4)?

• Are the manual procedures sufficient to render excellent patient care for more than 8 hours?

• List your concerns when each application is not available

• Provide an application list so that participants use the same name for applications; i.e., Exchange, Outlook, email, etc.

5

Impact to Patient Safety during a Tier 1 Application Disruption

48%52%

61%

67%

75% 78%

0%

10%

20%

30%

40%

50%

60%

70%

80%

4 Hrs 8 Hrs 24 Hrs 48 Hrs 72 Hrs 7 Days

Participants were asked how quickly patient safety would be affected in the

event that the Tier 1 Applications experienced a significant disruption.

Additional Patient Care Questions for BIA

• Is there a paper process for inputting data into system?

• How long can your department render patient care using downtime procedures?

• Do you require additional staff when systems are not available?

• Who (Doctors or nurses?) and how many?

Advantages of Performing a BIA:

You will know:

– Which departments are better prepared than others?

– Which systems when down directly affect patient safety?

– The financial and operational impacts of a significant outage.

– Which departments are reliant on specific applications

– Which applications require High Availability solutions

– The Recovery Time Objectives (RTO) and Tier level.

It also:

– Boosts awareness of importance of BC/DR Planning to Hospital.

6

Now that you have your Technical System Information . . .

• Let’s move to getting the future funded by

Senior Management

Get buy-in from managementIt is important to advise senior management of the

status of your work:

• The good work that has been accomplished

• A brief history of all that has been done to date

• The roadblocks you are facing

• Why your recommendations should be approved

• Use examples from other hospitals (BCPWHO)

• Where you need their assistance

Here’s how we did it -

Brochure of History and Goals

Now you can take all of this

information and develop a marketing tool to Advance your Program ----

Develop a brochure with history of the growth of your organization

Example will be provided at conference.

7

Awareness & Training

• Establish a Downtime Task Force with key departments to discuss their concerns. Start with:

– ED

– Admissions/Bed Management

– Lab

– Pharmacy

– Other outspoken departments

• Show progress by developing job aids and workshops

Tabletop Exercises for IS Disruption

• Provide guidance and rules at the beginning

• Chose a scenario that has relevance

• Develop slides to walk through the scenario

• Don’t give all the directives; make them figure out what to do

• Use envelopes and announcements

• Make it challenging but not ridiculous

• Finish on a positive note.

Example of a IS Tabletop Exercise

• To be provided at conference

8

Patient Safety is Utmost Concern in Healthcare –

Bridging the gap between clinicians and IT

• If you are part of IT, there are ways to

incorporate Patient Safety into your IT

BCP

• Hospital Timetable

• Quick Reference Guide

• Downtime Procedures & Task Force

• Downtime Containers

• Clinical Workshops

Clinical Downtime Workshop

• Design a working session with clinicians and some key Leaders

• Develop patient care scenarios

• Scenario - No computer systems or network available (Phones and faxes, too?)

• Invite more than you want – they won’t all be able to attend.

• Set up the room so that conversation flows

• Use easel for documenting “issues”

• Provide refreshments and give promotional items (if poss.)

• Start the session with a brief slide show can get them motivated to participate

Clinical Downtime Workshop• Scenario:

– All systems are unavailable due to a Data Center fire

– 8 Mth Old Sick Baby arrives at ED

– Ask clinicians to step you through how to render patient care without systems, ordering labs, medications, food, etc.

– Document the gaps and issues

• Explain planned deliverables from session:

– Laminated cards and quick reference guides

– Updated Downtime policies and procedures

– Improved Downtime Materials

9

Anticipated Results of Workshop

• A better understanding of how patient care is administered (different roles in different departments)

• Gaps in available information and responsibilities

• How well the downtime procedures are used

• Gaps in training

• The champions in clinical environment to help you get things done

(Example: Discovered that there was 1 fax machine for all 5 pharmacy units. When system down, can everyone use same fax?)

Downtime Procedures for Departments

• Each department has separate customized downtime procedures

• Listing each application that they use

• Listing manual procedures for each application

• Include telephone instructions for receptionist to handle downtime

• Include pager downtime procedures

Summary• If you are new to the organization, assess what is already in

place and what needs to be accomplished with priority

• Meet with clinicians and get support for moving forward

• Meet with Sr. Mgmt. to obtain commitment and define scope

and future objectives

• Work with individual departments to build their downtime

procedures (BC plans) – provide a template

• Establish the IT recovery strategy and Tier Structure

• Serve the clinical staff by bridging the gap between the

clinical environment and IS technical environment.

• Be a promoter!

10

Remember why you are doing this!

YOU CAN DO IT!