Proven Strategies for Overcoming Business Continuity Challenges for Healthcare Organizations


Proven Strategies for Overcoming Business Continuity Challenges for Healthcare Organizations
Kathy Lee Patterson, CBCP
Business Continuity & Disaster Recovery Manager, Children's Hospital of Philadelphia
May 18, 2005

Developing BC/DR for Healthcare Organizations
Agenda for Presentation
- Preparing for the challenges (BC & DR)
- Initial plans for BC/DR for your organization
- A re-evaluation of your program
- JCAHO & HIPAA regulations
- Tips for re-performing a Business Impact Analysis
- Recommendations

Challenges Typical in Healthcare
- Vast number of departments
- Speaking to clinicians: watch your language; get their titles correct
- Very busy, under-staffed
- Numerous functions still performed manually
- Funding for new projects is sparse (especially funding that is not clinically related)
- If a clinician is spending time on BC/DR, they are not healing patients or producing revenue
- Does Sr. Management want BCP and/or DR?

Challenges Typical in Healthcare (Cont'd)
- Multiple platforms and numerous applications
- "We have our own servers, IS can't touch them"
- "The vendor used to help us with this, but our maintenance agreement ran out, so IS has to...."
- Insurance reimbursement differences
- Many aspects of recovery are broken up amongst a multitude of departments (HIPAA Security, JCAHO adherence, state regulations, Emergency Management, IS DR, etc.)
- Security issues connected to HIPAA
- "BC is an IT function???"
- How much preparedness has already been accomplished?

Typical Structure: Fragmented Responsibilities
Business Continuity vs. Disaster Recovery, each handled separately:
- Business Continuity
- Adherence to JCAHO Regulations
- Disaster Recovery
- Business Strategies
- HIPAA Compliance
- Emergency Response

Goal: Business Continuity for the Entire Organization, bringing together:
- Adherence to HIPAA Standards
- Disaster Recovery
- Business Continuity
- Business Strategies
- Adherence to JCAHO Regulations
- Emergency Response

DR Program Elements (Pre-Planning, Planning, Post-Planning)
- Project Initiation & Management
- BIA & Risk Mitigation
- Cost Benefit Analysis & Selected Strategies
- Develop Disaster Recovery Strategies (Equipment & Backups)
- Emergency Response & Operations
- Develop and Implement DR Plans (Teams)
- Awareness & Training
- Maintaining and Exercising the Plan
- Public Relations & Crisis Communication
- Coordination with Public Authorities

Evaluate Your Progress and Future Goals
- List goals you would like to accomplish in the next 12-18 months
- If you are new to the organization, evaluate what has already been accomplished
- Every organization has strengths and weaknesses
- Estimate funding for these goals
- List resources for these goals
- Verify that management is on board
- Start implementing steps to achieve goals

Project Initiation & Management
- Has the scope of your program changed?
- Did you create more DR than BC, or vice versa?
- Has Sr. Mngt's vision changed? Stronger or weaker?
- If stronger, what do you still need to accomplish?
- Is Sr. Mngt. aware of your accomplishments? If not, make it so.

Risk Evaluation and Control
- Have your risks changed?
- Do you need to re-evaluate your risks and controls?
- Can you expand the program to address additional risks with current resources?
- Are you working with your Security Group?
- Can you work with the HIPAA group?
- Do you have policies in place?

Business Impact Analysis
- Has a BIA been performed within the last 2 years?
- Is your BIA data outdated?
- Are your RTOs the same as they were?
- Have mission-critical systems changed?
- Who established mission criticalities and RTOs?
- Is your asset management up-to-date?
- If you re-circulated your BIA, could your questions be worded to be more effective?
- Is there additional data that would be appropriate to reveal at this time?

Business Impact Analysis (Cont'd)
- Have user departments' requirements for recovery changed?
- Are downtime procedures in place?
- Are downtime procedures documented? Who keeps copies?
- Do departments have BC plans in place?
- Some departments will cooperate, some won't. Position yourself to accomplish (get Sr. Mngt. on your side).

Assessing Risk and Criticalities - Performing a BIA
- Perform a Business Impact Analysis (BIA) to identify risks, criticalities, and operational & financial impacts.
- Customize your survey questions carefully. Find out what Senior Management is hoping to find out (what they want to see in the report).
- Keep the survey as precise as possible; know what you need to find out, and don't ask unneeded questions.
- Conduct a BIA Kickoff meeting with department heads and take time to explain terms:
  - Business Continuity and Disaster Recovery
  - Critical Business Functions & RTO (Recovery Time Objective)
  - Recovery Strategies: hot site, alternate site, cold site, etc.

Information Revealed by Performing a BIA
- Reduced insurance reimbursements and receivables
- Contractual penalties and fines
- Lost opportunity to render patient care
- Risk management and legal issues in patient care
- The applications that have the largest financial exposure
- Cost of additional resources and other expenses
- Reduced work value for existing staff & wage costs for additional staff

Suggested Steps to Performing a Hospital-wide Business Impact Analysis
I. Preparation
- Schedule a date for the Kickoff meeting with senior management
- If part of a monthly scheduled management meeting, insist you have at least 30 minutes on the agenda
- Work with senior management to develop the list of participants
- Send out meeting notices (works best if senior management sends these out)
- Call and/or send email follow-up reminders of the meeting to all participants

Steps to Performing a Hospital-wide Business Impact Analysis
II. BIA Kickoff Meeting
- Arrive early; have the slide show & handouts ready
- Have a mandatory sign-in sheet for attendees (you will need to know who attended and who did not)
- Explain Disaster Recovery and the BIA Project
- Show examples of questions
- Distribute a hard copy of the survey at the Kickoff Meeting
- Send out an electronic copy to all participants
- Give them a due date to return completed surveys

Steps to Performing a Hospital-wide Business Impact Analysis
III. Interview Process
- Schedule interviews with all respondents
- Review each survey when received, writing a list of your own concerns about missed data to ask at the interview
- Meet with the exact person who filled out the survey (not a representative)
- Introduce yourself and thank them for their time
- Mention up front that you are not going over the entire survey, only the specific issues that you have flagged
- Keep the interview brief; do not argue
- Record their answers clearly so that you can revise their original survey; asking them to revise will take extra time

Steps to Performing a Hospital-wide Business Impact Analysis
IV. Validation & Report
- Send the revised survey back to participants for validation
- Have them sign a validation statement as to the revisions
- Compile all data into data reports
- Use data from the IS Department to develop your recommendations
- Draft the report and review it with management
- Presentation and hard copy of the report to Senior Management

What to include in the BIA Report:
- Departmental resources required for recovery
- Time sensitivity issues relating to patient care
- Lost opportunity to render patient care
- The applications with the largest financial exposure
- Reduced insurance reimbursements and receivables
- Reduced work value for existing staff & wage costs for additional staff
- Risk management and legal issues in patient care
- Critical in-flows & out-flows of productivity
- Cost of additional resources and other expenses
- Contractual penalties and fines

Recovery Time Objective (RTO)
(Timeline figure: Point of Disruption -> Recovery of Operations, i.e. business functions or application systems operational with current & accurate data; horizontal axis: Time.)
Recovery Time Objective... is the time between the point of disruption and the point at which Business Functions or Applications must be operational and updated to current status.

Inventory IS Department
- Develop a separate survey form for the IS Department
- Interview each group leader within IS
- Inventory all equipment, systems, and applications
- Obtain equipment information: model, manufacturer, disc space, # of CPUs, location
- What applications are on this equipment?
- Do you have licensed software? Is the data current?
- Has the integrity of backup tapes been demonstrated by a recovery?
- Obtain network diagrams, scripts, instructions, etc.
- Do they have written recovery procedures for equipment failure?
- Is there a tier structure to recovery?
- Obtain detailed information on vendor contracts & responsibilities.
This information can be used with the BIA survey responses to formulate recommendations for your BIA Report.
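The presentation says to compile the departmental survey responses together with the IS inventory and use both to drive the BIA report's recommendations. As an added illustration of that compilation step (this is not code from the presentation or from the hospital; the survey rows, inventory rows, strategy names and dollar figures are constructed for the example), the script below reconciles per-department RTOs for each application, ranks applications by financial exposure over a two-day outage, flags applications whose RTO a candidate recovery strategy cannot meet, and lists the data-quality gaps an interviewer would want to chase (RTO disagreements between departments, backups never restored, undocumented or untested downtime procedures, applications that appear in surveys but not in the inventory):

```python
"""Added example: compiling BIA survey data with an IS inventory.

All data and strategy figures below are constructed for illustration;
none come from the presentation.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SurveyRow:            # one application line from one department's survey
    department: str
    application: str
    rto_hours: int          # department's stated Recovery Time Objective
    impact_per_day: float   # estimated financial impact per day of outage
    downtime_documented: bool
    downtime_tested: bool


@dataclass
class InventoryRow:         # one application line from the IS Department survey
    application: str
    host: str
    restore_demonstrated: bool        # backup integrity proven by a restore
    written_recovery_procedures: bool


@dataclass
class Strategy:             # a candidate recovery strategy (constructed)
    name: str
    recovery_hours: int
    annual_cost: float


@dataclass
class AppRecord:            # compiled view of one application across departments
    application: str
    rto_hours: int                                  # shortest RTO any department stated
    department_rtos: Dict[str, int] = field(default_factory=dict)
    impact_per_day: float = 0.0                     # summed across departments
    in_inventory: bool = False
    restore_demonstrated: bool = False
    written_recovery_procedures: bool = False


# Constructed sample input (hypothetical departments, applications and hosts).
SURVEYS = [
    SurveyRow("Pharmacy", "Pharmacy Order Entry", 4, 45_000.0, True, False),
    SurveyRow("Emergency Dept", "Pharmacy Order Entry", 12, 30_000.0, True, True),
    SurveyRow("Emergency Dept", "Patient Registration", 8, 60_000.0, True, True),
    SurveyRow("Patient Accounting", "Patient Registration", 72, 20_000.0, False, False),
    SurveyRow("Patient Accounting", "Billing System", 120, 90_000.0, True, True),
    SurveyRow("Laboratory", "Lab Information System", 24, 25_000.0, True, True),
]
INVENTORY = [
    InventoryRow("Pharmacy Order Entry", "srv-pharm-01", True, True),
    InventoryRow("Patient Registration", "srv-adt-01", False, True),
    InventoryRow("Billing System", "srv-bill-01", True, False),
    InventoryRow("Lab Information System", "srv-lab-01", True, True),
]
STRATEGIES = [
    Strategy("Hot site (48 hr recovery)", 48, 100_000.0),
    Strategy("Cold site (168 hr recovery)", 168, 40_000.0),
]


def compile_bia(surveys: List[SurveyRow], inventory: List[InventoryRow]) -> Dict[str, AppRecord]:
    """Merge departmental survey rows per application and join the IS inventory."""
    inv = {row.application: row for row in inventory}
    records: Dict[str, AppRecord] = {}
    for s in surveys:
        rec = records.setdefault(s.application, AppRecord(s.application, s.rto_hours))
        rec.department_rtos[s.department] = s.rto_hours
        rec.rto_hours = min(rec.rto_hours, s.rto_hours)   # the most demanding user wins
        rec.impact_per_day += s.impact_per_day
    for name, rec in records.items():
        row = inv.get(name)
        if row is not None:
            rec.in_inventory = True
            rec.restore_demonstrated = row.restore_demonstrated
            rec.written_recovery_procedures = row.written_recovery_procedures
    return records


def rank_by_exposure(records: Dict[str, AppRecord], days: int = 2) -> List[AppRecord]:
    """Applications ordered by financial impact of an outage lasting `days`."""
    return sorted(records.values(), key=lambda r: r.impact_per_day * days, reverse=True)


def strategy_gaps(records: Dict[str, AppRecord], strategy: Strategy) -> List[str]:
    """Applications whose RTO is shorter than the strategy's recovery time."""
    return sorted(r.application for r in records.values() if r.rto_hours < strategy.recovery_hours)


def findings(records: Dict[str, AppRecord], surveys: List[SurveyRow]) -> List[str]:
    """Data-quality and preparedness gaps to raise in interviews and the report."""
    out: List[str] = []
    for name in sorted(records):
        rec = records[name]
        rtos = rec.department_rtos.values()
        if len(set(rtos)) > 1:
            out.append(f"{name}: departments disagree on RTO ({min(rtos)}-{max(rtos)} hr); validate and use the shortest")
        if not rec.in_inventory:
            out.append(f"{name}: named in surveys but missing from IS inventory")
        else:
            if not rec.restore_demonstrated:
                out.append(f"{name}: backup integrity not demonstrated by a restore")
            if not rec.written_recovery_procedures:
                out.append(f"{name}: no written recovery procedure for equipment failure")
    for s in surveys:
        if not s.downtime_documented:
            out.append(f"{s.department}/{s.application}: downtime procedures not documented")
        elif not s.downtime_tested:
            out.append(f"{s.department}/{s.application}: downtime procedures documented but never tested")
    return out


if __name__ == "__main__":
    recs = compile_bia(SURVEYS, INVENTORY)
    for r in rank_by_exposure(recs):
        print(f"{r.application:24s} RTO {r.rto_hours:4d} hr  2-day impact ${r.impact_per_day * 2:,.0f}")
    for st in STRATEGIES:
        print(f"{st.name}: cannot meet RTO for {strategy_gaps(recs, st)}")
    print("\n".join(findings(recs, SURVEYS)))
```

On the constructed data the application with the largest two-day financial exposure (the billing system) is not the most time-critical one (pharmacy order entry, with a 4-hour RTO), which is why the report should present financial exposure and RTO as separate columns rather than collapsing them into one priority.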

Advantages of Performing a BIA
You will know:
- Which departments are better prepared than others
- The financial and operational impacts of a significant outage
- How much to spend on recovery solutions
- What systems to include in a hot site or cold site
- Your Recovery Time Objective (RTO)
- What is needed to comply with HIPAA & JCAHO regulations
It also:
- Boosts awareness of the importance of BC/DR planning to the hospital
- Gives the data necessary for your Business Continuity/Disaster Recovery Plan to be the best it can be

BC/DR Strategies
- Do you need to re-evaluate your strategies?
- Do you have the HIPAA regulations for DR covered?
- Do you have the JCAHO requirements for DR covered?
- Are policies in place to further your goals?
- Do you have established & trained DR/BC Teams?
- Does Sr. Mngt. consider themselves part of a Team?

Joint Commission New Standards for 2005
- IS BC/DR Plan, identifying the most critical information functions
- Plans for scheduled & unscheduled outages, with user training & downtime procedures
- Contingency procedures for hardware & applications
- Periodic testing to assure backup techniques are effective
- Scheduled Downtime Plans
- Emergency Service Plan
- Electronic systems must have a process for BC/DR as they impact the following: a backup system (electronic or manual); data retrieval & storage information

HIPAA Specifications
- DR/BCP falls under the Security Section of the HIPAA Regulations.
- Security Standards compliance date: April 21, 2005.
- There are 42 Standards; 22 of which are required.
- A required implementation specification must be implemented.
- An addressable implementation specification provides flexibility: the organization will do one of the following: (a) implement the addressable implementation specification; (b) implement one or more alternative security measures to accomplish the same purpose; (c) not implement either the addressable specification or an alternative (must document and justify why you are not taking any action).

HIPAA Requirements for Disaster Recovery (Required & Addressable)
Contingency Plan 164.308(a)(7): Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
(ii) Implementation Specifications:
- Data backup plan (R)
- Disaster Recovery Plan (R)
- Emergency Mode Operation Plan (Downtime Procedures) (R)
- Testing and Revision Procedures (A)
- Applications and Data Criticality Analysis (A)

HIPAA Requirements for Disaster Recovery (Security Management Process)
Under 164.308.1 is the Standard of Security Management Process; its implementation specifications include:
- Risk Analysis (R)
- Risk Management (R)
- Sanction Policy (R)
- Information system activity review (R)
- Assigned security responsibility (R)
You will want to speak to your HIPAA Compliance Officer for more details.

Examples of Effective Policies
- Emergency Preparedness Procedures: policy for individual departments to follow outlining emergency response (not system related).
- Disaster Recovery Hardware and Software Policy: procedures for IT for implementing any new systems, hardware, software, updates, etc.; a checklist to follow prior to the live date being approved.
- Downtime Procedure (BCP) Policy: policy for individual departments to follow when computer systems are not available; policy to outline how a department is to respond to a disaster; training and testing requirements for departmental staff.
Senior management must sign off on all of these policies.

Emergency Response
Some issues to think about:
- Is every employee accounted for? Tested?
- Night and day contact numbers for all
- Designated primary and alternate assembly areas during evacuation?
- Employee emergency info phone line for communication and updates
- Laminated wallet card, brochure, etc.
- Bridge conference line established for BCP/DR?
- Has your Emergency Response been tested?

Developing and Implementing BC Plans
- Do you have BC Plans for all departments?
- Is there a policy to mandate annual review?
- Do you provide a template for the BC Plan?
- Do you provide a standard testing and sign-off form?
- Have you graduated from downtime procedures to BC Plans for departments?

Established Downtime Procedures (survey results, % of respondents)
- Have manual procedures: 80%
- Able to convert immediately to manuals: 57%
- Have tested manual procedures: 51%
- Cannot function more than 3 days without applications: 43%
- Able to convert within 12 hours to manuals: 27%
- Have documented manual procedures: 26%
- Have updated manual procedures: 21%

Business Continuity/DR Plans for Departments with Their Own Equipment
- JCAHO mandates they also have BC/DR Plans
- Develop a BC Plan template for departments
- Identify the responsible Manager or Director
- Work with them to broaden their scope on why it is important to have BC/DR
- Assist with the Plan, but do not write it for them
- Get the department to sign off on the Plan
- Encourage testing and documentation
- Provide a testing sign-off form and keep a copy for your records

Developing and Implementing DR Plans
- Is your IT DR plan comprehensive?
- Is it tested annually?
- When changes occur, do you test them?
- Are staff members cross-trained on recovery?
- Do you update the Plan after it is tested?
- Does all of IT know that they have a Plan?
- Does Sr. Mngt. know what systems are not protected in the DR Plan?

Justifying Spending for an Alternate Site
- The alternate DR site could be used as a lab for testing while not in use for disaster recovery.
- The alternate DR site could be where you place equipment not currently in use so that it could be used for the lab.
- Training for employees on alternate equipment.
- Equipment could be totally configured and waiting (or better).
- Flexible testing schedules.

Cost Comparison of Recovery Strategies (details of the comparison quotes can be found in the BIA Report)
- Annual cost of drop ship with 48 hr. delivery: $37,560
- Annual cost of hot site with 48 hr. recovery: $96,620
- Financial impact of an unplanned IS outage for 2 days: $3,510,200

Awareness & Training
- Does Sr. Mngt. perform annual testing (tabletop)?
- Do you meet monthly for training in DR and/or BC with Teams?
- Do you speak annually to the whole organization?
- Do you speak to Leadership? (Quarterly?)
- Walk around an area and ask an employee you don't know personally what they know about their BC/DR Plan. (Be prepared for the answers.)

Recovery & Training Aids
- Emergency response flyer with critical contact numbers
- Laminated contact cards
- Employee listing (for use in evacuations)
- Established emergency contact voice mail
- Established conference call bridge line
- Listing of all vendors
- Printed (up-to-date) recovery plans

Convincing Senior Management
- Meet separately with senior management and explain the high-level reasons for BC/DR; find out their motivation levels and exactly what they want to accomplish; help them if they do not know.
- Send copies of appropriate BC/DR articles monthly with highlights of what you want them to read.
- Keep your information at a level they can absorb.
- Ask to meet with them monthly, or at least quarterly, for updates.
- Explain the reasons for performing tabletop exercises with senior management.
- Make sure they understand that a BC/DR Program is a continuing project.

Giving Presentations to Senior Management
- Know your audience; talk at their level
- Keep slides simple; 5-6 slides
- Handouts can be more involved than slides
- Do not rush through your presentation
- Don't become too technical
- Explain hot site and other recovery terms
- Don't B.S. them; if you don't know, tell them you will research and find out the answer
- Rehearse, rehearse, rehearse

Dealing with Internal Audit
- Find out the auditing schedule
- Do you have IT/DR/BCP-specific audits?
- Do you work with the same auditor?
- Some background information is necessary for the auditor
- Review your policies prior to meeting with the auditor
- Make them a friend; they can assist in your cause
- Be cooperative and helpful; they have a tough job too!

Maintaining and Exercising the Plans - BC
- Use the list of departments from the BIA
- Use the list of applications from the BIA
- Categorize departments by functions
- Establish a template for the BCP
- Work with specific individuals to develop the BCP
- Assist in training their employees
- Send annual notices to update and review

Maintaining and Exercising the Plans - DR
- Do you have an alternate site for IT staff, not just recovery hardware?
- Has Sr. Mngt. been involved in, or is it aware of, testing and results?
- Is the Plan tested annually and updated in a timely fashion?
- Is the equipment in the plan up-to-date?
- Do you have individual hardware recovery steps documented, or is it mostly in the heads of the staff?
- Is the Plan mature enough to call an unscheduled test?
- Is the updated Plan distributed to key personnel?
- How do you mandate that old Plan materials be destroyed?
- Has the distribution list changed?
- Does IT staff know they have a Plan?

Public Relations and Crisis Communication
- Has Marketing approved Sr. Mngt. statements?
- Is Sr. Mngt. aware of the process and statement?
- Have you tested the call tree for the hospital(s)?
- Have current contact numbers for all management (day and evening)
- Train on when and where to meet
- Plan to evacuate mobility-impaired employees
- Have you created relationships with key groups?
- Do you have a succession plan for key employees?
- Have you established a relationship with Police and Fire authorities in your area?
- Get involved with local BC/DR groups.
- Ask your in-house fire marshal who they speak with in the event of a fire.
- Meet with Environmental Health; learn the regulations and who the contacts are in your region.

Coordination with Public Authorities
- Get to know facilities and their contacts.
- Get involved with the Emergency Preparedness Group within the hospital.

Summary: How to Get Started
- If you are new to the organization, do your own assessment of what is needed and what is already in place.
- Meet with Sr. Mngt. to obtain commitment and define scope and future objectives.
- Collect a list of all departments and department heads.
- Contact department heads and introduce the BC/DR Program.
- If individual departmental BC plans are not established, develop a template for departments to follow.
- Inventory and/or implement pertinent policies and get backing to enforce them.
- Compile hardware and software lists.
- Establish justification for alternate site(s).
- Be a promoter!

Strategic Planning
Phased Recovery Planning: Tier Application Structure
Time line:
- Assessment (Jan-June 05): commitment assessment; data gathering; roadmap
- Planning (July-Dec 05): BIA; recovery strategies; completion of roadmap; client validation via BIA; recovery strategies confirmed & developed
- Execution (Jan-June 06): DR Plans; BC Plans; training & testing; development of DR & BC Plans; implementation; training; testing; maintenance

Protect your Health System in the event of a disaster by preparing now! YOU CAN DO IT!
Your Business Continuity Plan
Questions?