Develop a Business Continuity Plan for Healthcare

Streamline the traditional approach to make BCP development manageable and repeatable.

Analyst Perspective

A BCP touches every aspect of your organization, making it potentially the most complex project you'll take on. Streamline this effort or you won't get far.

None of us needs to look very far to find a reason to have an effective business continuity plan (BCP).

From pandemics to natural disasters to supply chain disruptions to IT outages, there's no shortage of events that can disrupt your complex and interconnected business processes. How in the world can anyone build a plan to address all these threats?

Don't try to boil the ocean. Use these tactics to streamline your BCP project and stay on track:

• Focus on one business unit at a time. Keep the effort manageable, establish a repeatable process, and produce deliverables that provide a starting point for the rest of the organization.
• Don't start with an extensive risk analysis. It takes too long and at the end you'll still need a plan to resume business operations following a disruption. Rather than trying to predict what could cause a disruption, focus on how to recover.
• Keep your BCP documentation concise. Use flowcharts, checklists, and diagrams instead of traditional manuals.

No one can predict every possible disruption, but by following the guidance in this blueprint, you can build a flexible continuity plan that allows you to withstand the threats your organization may face.

Frank Trovato
Research Director,
IT Infrastructure & Operations Practice
Info-Tech Research Group

Andrew Sharp
Senior Research Analyst,
IT Infrastructure & Operations Practice
Info-Tech Research Group

Executive Summary

Info-Tech Insight
As an IT leader, you have the skill set and organizational knowledge to lead a BCP project, but you must enable leaders to own their department's BCP practices and outputs. They know their processes and therefore know their requirements to resume business operations better than anyone else.

Use this research to create business unit BCPs and structure your overall BCP

A business continuity plan (BCP) consists of separate but related sub-plans, as illustrated below. This blueprint enables you to:

• Develop a BCP for a selected business unit (as a pilot project), and thereby establish a methodology that can be repeated for remaining business units.
• Through the BCP process, clarify requirements for an IT disaster recovery plan (DRP). Refer to Info-Tech's Disaster Recovery Planning workshop for instructions on how to create an IT DRP.
• Implement ongoing business continuity management to govern BCP, DRP, and crisis management.

IT leaders asked to develop a BCP should start with an IT Disaster Recovery Plan

It's a business continuity plan. Why should you start continuity planning with IT?

1 IT services are a critical dependency for most business processes. Creating an IT DRP helps you mitigate a key risk to continuity quicker than it takes to complete your overall BCP, and you can then focus on other dependencies such as people, facilities, and suppliers.

2 A BCP requires workarounds for IT failures. But it's difficult to plan workarounds without a clear understanding of the potential IT downtime and data loss. Your DRP will answer those questions, and without a DRP, BCP discussions can get bogged down in IT discussions. Think of payroll as an example: if downtime might be 24 hours, the business might simply wait for recovery; if downtime might be a week, waiting it out is not an option.

3 As an IT manager, you can develop an IT DRP primarily with resources within your control. That makes it an easier starting point and puts IT in a better position to shift responsibility for BCP to business leaders (where it should reside) since essentially the IT portion is done.

Create a Right-Sized Disaster Recovery Plan today.

Healthcare complexities pose multiple obstacles against driving BCP best practices

Lack of organizational commitment
Organization and hospital leadership is busy with other commitments, which makes it difficult to get their buy-in for BCP. Without strong leadership commitment, BCP is a low-priority initiative.

Lack of BCP understanding
It's pivotal to implement BCP training to ensure that stakeholders will be able to apply it when needed. Without organizational commitment, there may be limited investments in training programs, leaving staff unaware of the BCP best practices, making it hard for them to follow and apply protocols.

Time limitations to implement BCP
Due to the above reasons, healthcare leaders feel that it's not worth the time and effort to invest in BCP. Low commitment leads to lack of time to train, monitor, and apply business continuity initiatives.

Resource shortage to implement BCP
Lack of commitment leads to the insufficiency of resources in terms of staff, technology, and investment into BC planning for business responsiveness to potential crises.

Regulatory compliance complexity: The healthcare industry is highly regulated, and leaders should make sure that patients' data is confidential and in accordance with standards, such as HIPAA (Health Insurance Portability and Accountability Act). Meeting such regulatory requirements while maintaining business continuity is a very challenging endeavor, making healthcare leaders reluctant to consider BCP over other competing priorities.

Rapidly evolving threats: Given the significant improvements in technology and high dependence of hospitals and healthcare providers on automated systems, cyberthreats and their impact on day-to-day work have increased dramatically. System failure, data breach, and ransomware can easily cause a disaster and jeopardize business continuity.

High dependence on external providers: Healthcare organizations are highly dependent on external entities, such as contract research organizations (CROs), medical device manufacturers, research institutes, medical clinics, regulatory agencies, pharmaceutical companies, etc. The high dependency on external entities make BCP compliance much more complicated than other industries.

Tackling the above challenges and obstacles requires leadership awareness of the BCP's crucial importance on their business, and their commitment to apply it. In addition to leadership buy-in, it requires resource allocation and training, financial support, mission alignment, collaboration with external entities, and testing the BCP framework.

Info-Tech Insight
In this blueprint, we keep referring to "business units," which in the context of healthcare, depending on the sector, means clinical department, back office, or a company's business unit. For instance, in the context of hospitals, business unit means "clinical department," whereas for a CRO it means "back office."

Modernize the BCP

If your BCP relies heavily on paper-based processes as workarounds, it's time to update your plan.

Back when transactions were recorded on paper and then keyed into the mainframe system later, it was easier to revert to deskside processes. There is very little in the way of paper-based processes anymore, and as a result, it is increasingly difficult to resume business processes without IT.

Think about your own organization. What IT system(s) are absolutely critical to business operations? While you might be able to continue doing business without IT, this requires regular preparation and training. It's likely a completely offline process and won't be a viable workaround for long even if staff know how to do the work. If your data center and core systems are down, technology-enabled workarounds (such as collaboration via mobile technologies or cloud-based solutions) could help you weather the outage, and may be more flexible and adaptable for day-to-day work.

The bottom line:

Technology is a critical dependency for business processes. Consider the role IT systems play as process dependencies and as workarounds as part of continuity planning.

Info-Tech's approach

The traditional approach to BCP takes too long and produces a plan that is difficult to use and maintain.

The Problem:

You need to create a BCP but don't know where to start.

• BCP is being demanded more and more to comply with regulations, mitigate business risk, meet customer demands, and obtain insurance.
• IT leaders are often asked to lead BCP.

The Complication:

A traditional BCP process takes longer to show value.

• Traditional consultants don't usually have an incentive to accelerate the process.
• At the same time, self-directed projects with no defined process go months without producing useful deliverables.
• The result is a dense manual that checks boxes but isn't maintainable or usable in a crisis.

The Info-Tech difference:

Use Info-Tech's methodology to right-size and streamline the process.

• Reduce required effort. Keep the work manageable and maintain momentum by focusing on one business unit at a time; allow that unit to own their BCP.
• Prioritize your effort. Evaluate the current state of your BCP to identify the steps that are most in need of attention.
• Get valuable results faster. Functional deliverables and insights from the first business unit's BCP can be leveraged by the entire organization (e.g. communication, assessment, and BC site strategies).

Expedite BCP development

Info-Tech's Approach to BCP:

• Start with one critical business unit to manage scope, establish a repeatable process, and generate deliverables that become a template for remaining business units.
• Resolve critical gaps as you identify them, generating early value and risk mitigation.
• Create concise, practical documentation to support recovery.

By comparison, a traditional BCP approach takes much longer to mitigate risk:

• An extensive, up-front commitment of time and resources before defining incident response plans and mitigating risk.
• A "big bang" approach that makes it difficult to predict the required resourcing and timelines for the project.

Case Study

A workshop on continuity planning to improve an existing BCP approach and extend it to the larger organization.

SOURCE
Info-Tech

INDUSTRY
Healthcare Systems

In October 2022, Info-Tech Research Group conducted a four-day business continuity workshop with supply chain process and operational team stakeholders, IT representatives, and the continuity team. The engagement focused on the methodology to augment the existing continuity plan approach with the intent of scaling it to the larger organization. The stakeholders who participated across the four-day engagement provided valuable organizational knowledge and subject matter expertise.

The engagement focused on working with the team of participants and leveraged the following practical approach for defining continuity requirements and exercising the methodology:

• Gather feedback from key stakeholders and participants and identify prevalent challenges, frustrations, risks, and opportunities.
• Identify dependencies for a subset of supply chain business processes.
• Execute a business impact analysis to provide objective comparison and prioritization between activities.
• Execute a business impact analysis to provide objective comparison and prioritization between core IT systems identified during the process analysis.
• Examine scenario planning for candidate business processes and IT systems to identify gaps in current recovery capabilities and provide a framework for a full response plan.
• Review integration between technical incident management, IT disaster recovery, regional response teams, and organizational crisis management.
• Examine the artifacts, governance, and roles required for a larger BCP program.