As a CIO of a health system for 15 years, I understand the value of business continuity. Last year alone, the U.S. experienced numerous adverse events, including 14 different natural disasters, ranging from hurricanes to wildfires to winter storms. What’s more, healthcare is one of the most targeted industries for malware attacks, such as the ransomware attack impacting 85,000 patients in California, or the misconfigured FTP server exposing data of 205,000 patients.
Business continuity and disaster recovery planning remains a top-of-mind concern for hospitals. In fact, last year 67 percent of CISOs believed a cybersecurity attack would happen at their organization.
The threat is real and healthcare leaders know it. Here are two crucial tasks that I’ve found every healthcare IT leader/professional should complete to ensure their organization is prepared.
1. Have you calculated the cost of downtime?
Every organization has a unique set of disaster recovery and business continuity requirements. Yet many are expected to have 99.999 percent availability, which equates to approximately 5 minutes of unscheduled downtime annually.
This expectation of near-zero downtime poses challenges when justifying IT budgets and the costs associated with ensuring this level of availability and/or recovery. According to a 2016 report from the Ponemon Institute, the total cost of a single, unplanned outage for healthcare organizations is $918,000. Your budget might never be large enough to invest in resources and redundancy for every system and application, or to prevent every possible disaster.
How to quantify the cost of downtime
Quantifying the cost of downtime is a good strategy for defending the budget for these costs, especially for resources you have prioritized for mission-critical applications. Here are a few cost factors to consider:
- Employee productivity: You can calculate the labor cost, including overtime (during downtime and recovery), for the employees who would be impacted using the formula below. (Factor this at 50 percent if your employees could work on other tasks during the downtime.)
- Loss of business/revenue: Some calculate this using average revenue per minute (ARPM), or as shown, by estimating the total annual cost of outage (multiplying lost revenue by the total expected annual hours of outage).
- IT recovery costs and restoring systems (out-of-warranty acquisition costs).
- Costs associated with potential compliance violations.
- Outside vendor and consulting costs.
Some hidden costs you may not have thought about include customer dissatisfaction, damage to your brand/reputation (including negative press), and lowered employee morale or turnover.
- Employee productivity variables: P = number of people affected, E = average percentage by which they are affected, R = average employee cost per hour, H = number of hours of outage
- Loss of business/revenue variables: GR = gross yearly revenue, TH = total yearly business hours, I = percentage impact (a high percentage means billing stops, customers are lost, negative press, etc.), H = number of hours of outage
2. Develop a plan by identifying risk
Every day, hospital care teams respond to emergency situations requiring immediate action, often when a minute can mean the difference between life and death. As physicians, nurses, and caregivers respond to code calls and other important notifications, your hospital is most likely tracking response times, evaluating workflows and current technology, and identifying areas you could improve. This type of analysis can allow care teams to respond more efficiently and quickly to patient events, such as a code STEMI (ST-elevation myocardial infarction) for heart attack patients.
Each of these common code calls and alerts may be put at risk by events ranging from natural disasters to terror and security threats to power outages, and more. Every organization is vulnerable to potential disasters, so every organization should prepare a business continuity plan that is adaptable to a wide range of possible risks. Here are some common code calls, disaster events, and other disruptions that a business continuity plan should address.
Types of Risk
In addition, the outcomes of some of these events can include loss of access to your physical building, medical equipment, and paper or electronic health records (including billing, scheduling, and patient charts); unavailable staff members; and third-party data breaches.
Developing your plan is the first step to successful business continuity; the second step involves testing your plan.
Woman’s Hospital confronted a disaster scenario in early August 2016, when Louisiana faced a severe weather system resulting in record-level flooding.
Your next step
Our advice is to use your position as a healthcare IT leader to ensure your organization is prepared.
Murphy’s Law reminds us that however much we invest in and prepare our business continuity plan, we never eliminate all risk. Emergent cybersecurity risks and the increasing complexity of hospital IT systems have raised the alarm among healthcare leaders, who can no longer leave management of business continuity to IT departments alone. Disruptive and adverse events are no longer events of chance, and healthcare leaders must face the changing needs of business continuity.