BUSINESS CONTINUITY PLANNING IN THE HEALTHCARE ENVIRONMENT
Practical Guidelines

By Paul Coleman


For the first time in the healthcare industry in the United States, business continuity planning and disaster recovery capability will become mandatory for all healthcare organizations. The Health Insurance Portability and Accountability Act (HIPAA), passed by the US Congress in 1996, includes as part of its phased implementation "Security Guidelines" (referring to information security) that mandate that all healthcare organizations using healthcare data comply with data security and business continuity standards within two years. The final regulations were published in the Federal Register at the end of 2000. The "Security Guidelines," with their business continuity requirements, are expected in early 2001. The penalties and fines for noncompliance will be substantial. Any organization not showing due diligence in starting this process will be in noncompliance. This legislative mandate has the strategic goal of reducing costs in healthcare by standardizing data processing, as a prelude to establishing a centralized clearinghouse for claims processing, similar to that of the financial industry. The financial industry is highly regulated and is audited for business recovery capability by both federal and state governments.

Currently, healthcare providers in the US are visited approximately every three years (pressure is being exerted to make inspections more frequent, and even unannounced) by the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), which grades the entire environment of care. Submitting to a JCAHO inspection is voluntary (a high grade confers prestige); the JCAHO has no enforcement power and does not consider business recovery during the inspection. It is not clear at this time which agency will be the enforcement arm of the federal government for HIPAA.

Medical centers in the US, especially in California, have well documented and well practiced emergency response plans. Healthcare providers in California have experience in "battlefield medicine," due to a high level of societal violence and the regular occurrence of natural disasters such as earthquakes. Business recovery is different in that it considers what happens when the emergency response triage period of 24 or 48 hours is over. The business continuity plans that start implementation at the time of the disaster come to fruition while the triage period is happening, enabling the recovery of critical business functions and supporting information technology within the specified Recovery Time Objective (RTO). In healthcare, business recovery planning by definition has an automated systems focus and works with the information technology dependent business functions in the planning process. Medical care can be provided without computers or technology of any kind in triage mode, but in a matter of days when the emergency response phase is winding down, dependency on information technology increases because the goal is to return to as close to normal operations as possible. Imagine the difficulty in scheduling appointments over a diverse and geographically dispersed healthcare system without information technology.

Business Continuity According to HIPAA

The Health Care Financing Agency, part of the US Department of Health and Human Services, convened a task force to write the "Security Guidelines," which contain a section on Business Continuity Planning and Disaster Recovery. This task force, composed of experts in information security and business recovery from healthcare and other industries, applied standard business continuity methodology in writing to-the-point guidelines.

The primary "bullet" points are shown below. The detailed sub-points are available at www.disaster-resource.com.

Contingency Planning General Elements
• Mapping of critical business functions to specific computer applications.
• Mapping the computer applications to the platform technologies.
• Impact of business cycles (quarter end, year end) on contingency plans.
• Regular update and review of contingency plans.
• Clear statement of risk assumption.
• Definition of minimum acceptable level of service and detailed actions to get to that level.
• Management prioritization and signoff on prioritization recommendations.

Manual Procedures
• Local (desktop) transaction capture and tracking.
• Customer interface procedures.
• Work in progress recovery procedures.
• Transaction flows.
• Supply chain procedures.
• Forms controls: negotiable documents, records retention, forms inventories.

Work Around Procedures
• Hardcopy.
• Reference manuals.
• Contact information.
• Procedures.
• Paper transactions.
• Inventories: transactions, equipment, forms, personnel, services, communications.

Documented Strategies
• Emergency Operations Center (EOC).
• Crisis management guidelines.
• Public relations/media interaction guidelines.
• Emergency notification process and responsibilities.
• Hardcopy of local backup strategies.
• Key vendor information.
• Recovery logistics.
• Human elements.
• Teams composition: skill set match, training, testing.
• Specific procedures for activation and deactivation, including triggers.
• Responsibilities/accountabilities during contingency operations.

Voice communications recovery planning must be done in relation to the overall contingency plan as well as to the specific critical business units.

Business Continuity Plan Controls
• Plan distribution.
• Plan maintenance.
• Plan testing.
• Responsibilities.
• Authorities.

Critical Computer Applications
• Strategy for prioritization.
• Change in prioritization based on shift in business cycle.
• Management review/signoff.
• Application dependencies/interdependencies.
• Application downtime procedures, including time thresholds for invoking.
• Data backup procedures.
• Offsite storage capabilities.
• Restoration teams and documentation.
• Analysis of Recovery Time Objectives.
• Analysis of Recovery Point Objectives.
• Hardware backup strategies.
• Software backup strategies.
• Network backup strategies.
• Testing procedures.
• Maintenance procedures.
• Business Impact Analysis and risk assessment.
• Asset management inventory.

Hospital Emergency Incident Command System (HEICS)

History of HEICS
In the 1980s, an inter-agency cooperative effort was formed to develop a common organizational system that fire protection agencies could use in response to a very large incident as well as in smaller, day-to-day operations. The cooperative plan, known as Firescope, produced a management system that has become standard operating procedure across the United States - the Incident Command System (ICS).

In 1987, the Hospital Council of Northern California completed work on an adaptation of ICS to hospital emergency response functions. This work served as the cornerstone of the original version of HEICS (1991) developed by Orange County Emergency Medical Services.

HEICS Attributes
• Responsibility oriented chain of command, which provides a manageable scope of supervision.
• Wide acceptance through commonality of mission and language in both the public and private sectors.
• Prioritization of duties through the use of Job Action Sheets: position job descriptions containing a prioritized list of emergency response tasks, which also promote documentation of the incident.
• Applicability to emergency events of varying type and magnitude: a flexible program that can be expanded or scaled back to meet the particular needs of a specific crisis.
• Thorough documentation of actions taken in response to the emergency, which may improve recovery of financial expenditures.

HEICS Structure
The HEICS structure is a chain of command which incorporates four sections under the overall leadership of the Emergency Incident Commander (IC). Each of the four sections - Operations, Logistics, Planning and Finance - has a Section Chief. The hospital or organization's disaster/emergency plan must be modified to incorporate the newly developed business recovery team structure.

There should be an Emergency Operations Center (EOC) and emergency management system in place that incorporates business recovery teams and the infrastructure necessary to support recovery. HEICS must therefore be modified to incorporate business recovery concerns. Existing HEICS job action sheets (checklists) should be expanded. Disaster drills and exercises should include business recovery elements.

General Infrastructure Functions that Enable Business Recovery
• Emergency management.
• Administrative support.
• Damage assessment.
• Facilities preparation.
• Site restoration.
• Human resources.
• Security.

These functions are part of the HEICS framework and are included in the Emergency Response/Disaster Plan required by JCAHO. The HEICS checklists need to be expanded in these areas to include detailed business recovery tasks. For more details on HEICS and business recovery, as well as on Business Impact Analysis and the detailed action steps related to recovery, see www.disaster-resource.com.

Activation of the Business Recovery Team Structure

The activation of the business recovery team structure should occur in the same manner that HEICS and the command center are activated. The disaster is declared and the command structure/emergency management system activated through documented disaster telephone calling procedures using up-to-date confidential telephone lists. The Incident Commander usually makes the decision whether or not to declare a disaster, activating the Section Chiefs, including the Operations Section Chief.

The Operations Section Chief supervises:
• Medical Staff Director.
• Medical Care Director.
• Ancillary Services Director.
• Human Services Director.

The Business Recovery Director, a newly created position responsible for directing the business recovery process, should report as well to the Operations Section Chief. The Team Leaders for each of the critical business functions as well as the Information Technology (IT) Team should report directly to the Business Recovery Director. The Business Recovery Director should be physically located in the command center, while the Critical Business Function Team Leaders and the Information Technology Team should be physically located in a "war room" close to the command center. In many organizations, HEICS Sections are separated into different adjacent conference rooms to allow for more efficient operations. For example, the Planning Section often functions better with its own space, serving situation status, documentation, message center, and tracking functions. The Operations, Logistics, and Finance Sections can be co-located in the same large conference room.

Documented calling procedures should be used for the Business Recovery Director to activate the Business Recovery Team Leaders and IT Team. In the event that the telephones are not usable, documented procedures should direct the Business Recovery Teams to activate and physically meet using a predetermined location (and alternate) and predetermined criteria for activation.

Business Impact Analysis and Risk Assessment

The key to developing an effective business continuity plan is to perform a Business Impact Analysis (BIA), which identifies the critical business functions and the supporting information technology and support functions necessary to meet the Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO is how fast the business units need to have that function up and running. RPO is the most recent point in time to which systems can be restored, reflecting the amount of data that can be lost without adversely affecting the organization. The RPO reflects the timeliness of the data stored offsite, and the data of all critical business functions that interface with one another must be synchronized to the same point in time, or the databases may become corrupted. The shorter the RTO and RPO, the more complex, technological, and expensive the recovery plans become.

Financial institutions require services back online in hours, not days, while most healthcare providers require emergency response immediately but business recovery within 48 hours. Financial institutions cannot afford to lose more than minutes' worth of data, so they develop recovery plans that include electronic mirroring or shadowing, where online data is captured in real time in both the production and backup environments. In the healthcare environment, the critical business functions are not likely to be Emergency Medicine, Surgery, and Orthopedics, since they are not particularly technology dependent, especially during the triage period.
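The RTO/RPO reasoning above, together with the HIPAA bullets on mapping business functions to applications and applications to platforms, can be carried out mechanically. The following is an added example, not part of the original article: it propagates each function's RTO and RPO down to its applications and platforms, finds groups of interfaced applications that must share one restore point, and flags platforms whose recovery strategy cannot meet the derived objective (which then needs a better strategy or a documented risk assumption). All function, application, platform and capability values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Objective = Tuple[float, float]  # (RTO in hours, RPO in hours)


@dataclass
class BusinessFunction:
    name: str
    rto_hours: float          # how fast the function must be running again
    rpo_hours: float          # how old the restored data may be, at most
    applications: List[str]   # applications the function depends on


@dataclass
class Application:
    name: str
    platform: str
    interfaces_with: List[str] = field(default_factory=list)  # data exchange partners


# Constructed BIA extract (illustrative names and numbers, not from the article).
FUNCTIONS = [
    BusinessFunction("Pharmacy", 48, 24, ["PharmSys"]),
    BusinessFunction("Laboratory", 24, 4, ["LabSys", "OrderEntry"]),
    BusinessFunction("Patient Accounting/Billing", 120, 24, ["Billing", "OrderEntry"]),
]
APPLICATIONS: Dict[str, Application] = {
    "PharmSys": Application("PharmSys", "midrange-A", ["OrderEntry"]),
    "LabSys": Application("LabSys", "midrange-B", ["OrderEntry"]),
    "OrderEntry": Application("OrderEntry", "mainframe"),
    "Billing": Application("Billing", "mainframe", ["OrderEntry"]),
}
# Constructed capability per platform: (achievable RTO, backup interval), both in hours.
CAPABILITY: Dict[str, Objective] = {
    "midrange-A": (24, 24),   # hot site, nightly backups
    "midrange-B": (72, 24),   # mutual aid arrangement, nightly backups
    "mainframe": (24, 24),    # hot site, nightly backups
}


def _tighten(table: Dict[str, Objective], key: str, rto: float, rpo: float) -> None:
    """Keep the tightest (smallest) RTO and RPO seen so far for a key."""
    cur_rto, cur_rpo = table.get(key, (float("inf"), float("inf")))
    table[key] = (min(cur_rto, rto), min(cur_rpo, rpo))


def application_objectives(functions: List[BusinessFunction]) -> Dict[str, Objective]:
    """Each application inherits the tightest RTO/RPO of any function that needs it."""
    obj: Dict[str, Objective] = {}
    for fn in functions:
        for app in fn.applications:
            _tighten(obj, app, fn.rto_hours, fn.rpo_hours)
    return obj


def platform_objectives(app_obj: Dict[str, Objective],
                        applications: Dict[str, Application]) -> Dict[str, Objective]:
    """A platform must meet the tightest objective of the applications it hosts."""
    obj: Dict[str, Objective] = {}
    for app, (rto, rpo) in app_obj.items():
        _tighten(obj, applications[app].platform, rto, rpo)
    return obj


def synchronized_rpo_groups(app_obj: Dict[str, Objective],
                            applications: Dict[str, Application]):
    """Interfaced applications must be restored to the same point in time, so each
    connected group of interfaces shares the tightest RPO of any of its members."""
    parent = {a: a for a in applications}

    def find(a: str) -> str:
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for app in applications.values():
        for other in app.interfaces_with:
            parent[find(app.name)] = find(other)
    groups: Dict[str, List[str]] = {}
    for a in applications:
        groups.setdefault(find(a), []).append(a)
    return sorted((tuple(sorted(m)), min(app_obj[x][1] for x in m)) for m in groups.values())


def recovery_priority(app_obj: Dict[str, Objective]) -> List[str]:
    """Restoration order for management sign-off: tightest RTO first, then RPO."""
    return sorted(app_obj, key=lambda a: (app_obj[a], a))


def capability_gaps(plat_obj: Dict[str, Objective], capability: Dict[str, Objective]):
    """Platforms whose strategy cannot meet the derived objective: (platform, which, need, can)."""
    gaps = []
    for plat, (need_rto, need_rpo) in sorted(plat_obj.items()):
        can_rto, can_rpo = capability[plat]
        if can_rto > need_rto:
            gaps.append((plat, "RTO", need_rto, can_rto))
        if can_rpo > need_rpo:
            gaps.append((plat, "RPO", need_rpo, can_rpo))
    return gaps
```

With the constructed data, Pharmacy alone could accept a 24-hour RPO, but because PharmSys interfaces with OrderEntry, which the 4-hour Laboratory function also depends on, the whole interfaced group must be restored to a common 4-hour point, and the nightly-backup platforms show an RPO gap.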

Business Impact Analysis
• Description of business function.
• Employees and locations.
• Hours of operation and peak periods.
• Internal/External dependencies.
• Potential financial impacts if quantifiable.
• Computer applications needed for business function.
• Platforms applications run on.
• Hardware location.
• Terminals/PCs needed to perform function.
• Terminals/PCs needed in disaster mode.
• Telecommunications/voice requirements for recovery.
• Telecommunications/network/data requirements for recovery.
• Special forms.
• Special supplies.
• Special equipment.
• Space/physical resource requirements.
• Key vendors.
• Normal transaction volume for function.
• Vital electronic records.
• Vital records in other forms.
• Are vital records backed up? Where is backup stored? How often? What form? Critical data on PCs?
• Processing online or batch mode? If online, can it be performed in batch mode?
• Can work be performed remotely? Has it ever been tried?
• Critical documentation needed to process.
• Any business recovery plans in place? Even informal? Has there been any thought given to what would happen if the primary site were not available? Is there any material developed for Y2K that would be useful in this process? If the disaster were to occur tomorrow and your primary work site were not available, what would you do?
• Can this function be performed manually? Do materials exist that would enable this? How would this be done and how long could it be done for? If your primary site were disabled, how would your function "pick up the slack" until the function could be physically relocated?
• How many employees would be necessary in disaster mode?

Typical Critical Business Functions in Healthcare
• Admitting/Registration.
• Dietary.
• Finance.
• Human Resources.
• Laboratory.
• Managed Care/Reporting.
• Materials Management.
• Outpatient Clinics.
• Order Processing.
• Patient Accounting/Billing.
• Patient Care Services.
• Payroll.
• Pharmacy.
• Plant Services.
• Radiology.
• Respiratory Therapy.

Assumptions
Assumptions that are used in the planning process have to be documented using risk management methodology. The worst case scenario should be planned for, especially in areas prone to large magnitude earthquakes. The assumption that should be made for planning purposes is that the primary work site is unusable and has to be relocated. Also, the assumption has to be made that anything that was in the primary work site is also unavailable. Obviously, if the medical center is so badly damaged that it cannot provide any medical care at the primary site, such as occurred in the Mexico City 1985 Earthquake to several hospitals, business recovery is not a priority. If only part of the medical center is damaged or is disabled, business recovery planning could enable the setting up of another function such as Laboratory or Pharmacy in either a different part of the medical center or close by. Some critical business functions have to be located in close patient proximity while others can be offsite.

Information Technology Recovery Considerations

The IT Recovery Team coordinates the technical recovery to ensure that all activities are completed in a timely manner to achieve the Recovery Time Objective (RTO) of the critical business functions. There is a natural tendency in large organizations for a gap to exist between business functions and IT functions. Both can harbor false assumptions about what the other is doing for recovery. The Business Impact Analysis (BIA) provides IT with the information from the critical business functions needed to plan effectively for data backup, offsite storage, recovery processing, network redundancy, and the other elements necessary for an effective recovery. The business continuity planning process must be business function driven rather than an IT project.

Information Technology Recovery Strategies

There are several recovery strategies that can be employed for information technology functions. The most reliable strategy is either a vendor supported "hot site" or an internal "hot site" in another location within the same organization. Obviously, the internal strategy will only work in a health care system as opposed to a standalone facility. The other strategies that are sometimes employed yet rarely work are mutual aid arrangements with other organizations. These strategies take too long to implement in an actual disaster situation, and assume that the other site has the excess capacity, hardware configuration, software configuration, etc. to accommodate the affected organization. Under the HIPAA guidelines, a backup recovery strategy for information technology needs to be in place, or a clear statement of the risk assumption needs to be delineated. Individual critical business functions such as Laboratory and Pharmacy need to develop recovery strategies that assume an information technology recovery in another location, either within the facility or outside it, or the recovery will never proceed beyond the emergency response phase or manual mode. One complex factor that needs to be considered is the network connections between the backup data processing location and the primary work sites, which depend on whether they will be located onsite or offsite.

Vital Records/Critical Data Offsite Storage

A vital record is defined as any information that is required to support the recovery or operations of a business unit, department, or business location. Vital records can be in many forms, e.g. tapes, CD-ROM disks, microfilm/fiche, hardcopy, reports, reference materials, etc. For recovery purposes, it is assumed that all vital records stored within a site will not be available following a disaster event. Therefore, vital records should be stored at an offsite location no closer than 25 miles from the primary location.

The Business Impact Analysis identifies vital records associated with the critical business functions. The BIA further identifies the RTO and RPO for the function. A facility-wide vital records program needs to focus on disaster recovery rather than production failure, meaning that all data for recovery must be available in offsite storage. It is usually best to utilize a third party vendor to rotate and store the vital records.

Typically, most electronic vital records are created within the data center. Thus, it is natural for the responsibility for coordination of the vital records program to be in the IT area. Ideally, wherever in the organization the responsibility is ultimately placed, the function must be centralized to maximize efficiency. The coordination of gathering and bundling the daily vital records to be shipped offsite can be automated with an application that tracks the process. The coordination of the vital records function should also include the confirmation with the Business Recovery Team Leaders that the backups being performed meet user expectations.

Manual Procedures/Work Arounds/Application Downtime Procedures

HIPAA places much emphasis on documentation of manual procedures. During the Y2K preparation, healthcare organizations refined their manual procedures, since the risks during Y2K typically revolved around hardware or software failure. Work arounds are useful during the triage period while recovery plans are being implemented. Plans to recover work in progress and lost transactions need to be incorporated into the planning effort. All laboratory and pharmacy systems go down periodically, and application downtime procedures are put into effect. These need to be expanded to cover the entire RTO period.

Action Steps to Implement Business Recovery Structure

Once the Business Impact Analysis and Risk Assessment are performed, the following steps would be followed to implement the business continuity planning process within a multi-medical-center healthcare system, which in the United States is typically a health maintenance organization (HMO).

Immediate Steps
• Go back and validate original BIA critical business functions with each organization. Make changes as appropriate.
• Identify vital records for business functions not on original list.
• Identify Team Leaders and Alternates for Recovery Teams and IT Team for each organization.
• Task Team Leaders with confirming recovery team membership for each organization.
• Keep up to date lists of recovery team members and how to contact in each organization.
• Validate vital records expectations, IT and business functions.
• Conduct education on vital records concepts for all recovery teams in each organization.

Intermediate Steps
• Appoint Business Recovery Coordinator with sufficient authority.
• Task Team Leaders with confirming recovery team membership and documenting.
• Appoint a Business Recovery Coordinator who will serve in the EOC and direct recovery teams, reporting to Operations Section Chief.
• Document business recovery activation procedures, including where and when to activate if telephones do not work.
• Adopt an enterprise-wide RPO and RTO and communicate to recovery teams.
• Set schedule/policy for regular updates to business recovery plans, assigning responsibility to Business Recovery Coordinator in each organization within the enterprise.
• Form Business Continuity Steering Committee, composed of Chair and representatives from all critical organizations within the enterprise.
• Form Business Continuity Steering Committee for each organization, composed of Chair and Team Leaders.
• Set business recovery as a regular agenda item at Safety Committee and peer group meetings.
• Ensure that the business recovery structure is represented in existing Safety and/or Disaster Committees.
• Assign centralized responsibility for vital records management for each organization, and make them accountable.
• Implement enterprise-wide vital records policy and program to meet RTO and RPO timeframes, utilizing a third party vendor.
• Clarify differences in roles and responsibilities in cases of seeming overlap between emergency response and business recovery.
• Select a vendor to manage vital records, which in turn trains staff, begins backups, and implements the program.
• Brief senior management on program.

Longer Term
• Modify existing HEICS structure to reflect business recovery concerns.
• Modify HEICS structure in existing Emergency Response/Disaster Plan to include business recovery teams.
• Include business recovery elements in disaster drills and exercises.
• Educate and train current HEICS staff in business recovery concepts and specific recovery plans.
• Educate and train Operations Section Chief and staff in specific recovery planning for critical functions and technology.
• Develop EOC materials, e.g. message forms, logs, etc., specific to business recovery.
• Recovery teams will be the nucleus of the design teams to help develop and implement cost effective recovery strategies for enterprise.
• Enterprise-wide Business Recovery Steering Committee should meet every two months, individual organization Steering Committees should meet every three months, individual recovery teams should meet every six months, and all recovery personnel in the enterprise should attend a one day seminar annually.
• Set up "war room" for business recovery in each organization.
• Develop checklists and/or gather documentation needed for technical recovery and store offsite.
• Follow through and complete the recovery plans identified as critical, and keep them up to date as well-documented, dynamic plans.

Conclusion

It is estimated that HIPAA compliance could cost the healthcare industry in the United States more than the amount expended on Y2K preparedness. In addition, there are new regulations concerning the earthquake retrofits of hospitals that could price many standalone community hospitals out of the market. There will be a trend towards a larger percentage of the population, especially in California, obtaining medical care from large health care systems such as HMOs. Large health care systems are growing even larger with mergers and acquisitions.

Large health care systems become ever more dependent on information technology to keep the business running. Thus, the business continuity planning process is increasingly complex, but it must nevertheless keep the focus on the planning process as business function driven. Recovery solutions must be developed at the same time as healthcare providers strengthen their emergency preparedness efforts. When no large-magnitude earthquake has happened for a decade or so, it is easy to slip back into denial about the tremendous effort needed to prepare for such an event. Medical centers must design realistic triage areas, prepared to accommodate the 300 relatively seriously injured earthquake victims that will arrive in the emergency room in 30 minutes. The entire first floor of the medical center should become one large triage area, expanding the emergency room boundaries.

The Health Insurance Portability and Accountability Act (HIPAA) will finally mandate business continuity planning in the healthcare industry, which along with stepped up emergency response capabilities, will prepare US healthcare organizations for the disasters to come.