What Every Healthcare Leader Should Know About Business Continuity  

 Think about the way your hospital handles business continuity and disaster recovery.

  • Do your plans distinguish between business continuity and disaster recovery?
  • Has your recovery budget increased or decreased and was that decision based on calculated costs of downtime (or other factors)?
  • Does your continuity plan address all types of risk and threats?
  • Is your plan regularly reviewed and tested so it’s ready when needed?
  • Have you discussed disaster preparedness and business continuity with your vendors and business partners?
     

The Difference Between Disaster Recovery and Business Continuity

Over a decade ago, business continuity started evolving at a rapid pace, moving beyond the tried-and-true disaster recovery methods developed during the 1960s and ’70s. IT departments developed redundancies to recover their systems and data from onsite data centers should a disaster render that technology unavailable. But as technology advances and more applications and data move to the cloud, it’s crucial to reassess recovery priorities and take a broader view of business continuity. What was considered the norm a few years ago may not support new systems, threats and risks, or changing business goals. Healthcare organizations must look beyond disaster recovery to assess the larger picture of business continuity.

Business continuity is more than just having redundant systems. It’s a comprehensive approach that enables critical services to be delivered without interruption. Instead of focusing on how you’ll resume business after operations have ceased (or recovery begins), business continuity is the plan by which you keep your hospital operational during and after a disaster.


Are Hospitals Using Disaster Recovery as a Service (DRaaS) or Cloud-based Services?

A Spok survey of CHIME CIOs revealed only 30 percent are using cloud-based disaster recovery services.
 

Chart, 30 percent “yes”, 70 percent “no”

HOW TO PROVE THE VALUE OF BUSINESS CONTINUITY

Today the total cost of a single, unplanned outage for healthcare organizations is $918,000. This eBrief gathers industry insights to help you answer the tough (but necessary) business continuity questions.

How Would You Describe Your Business Continuity Budget?

More CIOs say they’re cutting costs than increasing investments

Chart, 61 percent are cutting costs without adding risk, 29 percent increased their budget

Healthcare organizations must approach business continuity with a new mindset: focusing on overall business risks, not just IT systems. Knowing the cost of downtime for each of your systems and applications is crucial. This will help you determine recovery time objectives (the maximum length of time within which each business process must be restored), which is especially important for your mission-critical applications. Once you’ve identified the systems requiring the most protection, you’ll know how to prioritize your resources and where to invest in additional backup, disaster recovery as a service (DRaaS), fault-tolerant servers, etc.

When developing a business continuity plan, it’s important for healthcare leaders to consider intangible losses, such as damage to hospital brand and reputation, loss of customers, impact to credit rating, or loss of contracts.


How to Calculate Downtime

Quantifying the cost of downtime is a good strategy to defend budgeting for these costs, especially for resources that you’ve prioritized for mission-critical applications. Here are a few cost factors to consider:

  • Employee productivity: The labor cost, including overtime (during downtime and recovery) for employees who would be impacted can be calculated as shown below (you can factor this at 50 percent if your employees could work on other tasks during downtime).
  • Loss of business/revenue: Some calculate this using average revenue per minute (ARPM), or as shown, by estimating the total annual cost of outage (multiplying lost revenue by the total expected annual hours of outage).
  • IT recovery costs and restoring systems (out-of-warranty acquisition costs)
  • Costs associated with potential compliance violations
  • Outside vendor and consulting costs

Figure (equations on whiteboard):

  P x E x R x H = Labor Costs
  (GR / TH) x I x H = Lost Revenue


Taking an Enterprise Risk Management Approach to Disaster Planning

Every day, hospital care teams respond to emergency situations requiring immediate action—often when a minute can mean the difference between life and death. As physicians, nurses, and caregivers respond to code calls and other important notifications, your hospital is most likely tracking response times, evaluating workflows and current technology, and identifying areas that could be improved. This type of analysis has allowed care teams to respond more efficiently and quickly to patient events, such as a code STEMI (ST-elevated myocardial infarction) for heart attack patients.

Each of these common code calls and alerts may be put at risk by events ranging from natural disasters to terror and security threats, power outages, and more. Every organization is vulnerable to potential disasters, and every organization should prepare its business continuity plan to be adaptable to a wide range of possible risks. Developing your plan is the first step to successfully managing the risk of these events. The second step involves testing your plan.

Testing Your Business Continuity Plan

Developing your business continuity plan may have been an overwhelming task: Practicing how to respond to adverse events isn’t any easier. Every crisis is different—unexpected and unpredictable circumstances will arise. Testing your plan and repeatedly practicing your response will help your organization, employees, and patients be more resilient.

Organizations should test their plans periodically, as needed, to ensure each plan is complete and effective and to give staff hands-on practice executing it. A test schedule outlines when tests are performed, what systems are tested, and how they are tested, including testing mandated by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule 164.308(a)(7)(i) under administrative safeguards.
 

Consider Your Vendor’s Business Continuity Plans

How many vendors and business partners does your organization use for basic services or supply chain—and who has access to your network? Do you know which vendors have recovery plans in place, and is their support part of your plan?

A Spok survey of CHIME CIOs asked respondents if they know which vendors have recovery plans in place to support their hospital’s operations in a disaster scenario, and whether that vendor support is part of their business continuity plan. Here’s how CIOs responded:
 

Four pie charts, 56 percent “yes” vendor support part of plan, 24 percent “no” but would use their support, 15 percent “yes” but vendor support not part of plan, 5 percent “no” we would not use their support

Last year, healthcare was the most targeted industry for malware attacks, accounting for 40 percent of all security incidents in the third quarter, and the U.S. experienced 15 natural disasters with losses exceeding $1 billion each.

The headlines in 2018 indicate these adverse events will continue, which has experts warning “it’s not a question of if, it’s a question of when” an organization will experience a threat to business operations.
 
