Thursday, June 13, 2013

Your Prescription for a Robust Healthcare IT Disaster Recovery Plan

All too often, organizations experience events that cause devastating compromises to their operations. No organization hopes for a disaster, but the need for a disaster recovery plan remains real and unavoidable. A quick and effective response can make the difference between an incident and a catastrophe, and while disaster recovery planning is essential for all industries, it is critical in the healthcare field. The Health Insurance Portability and Accountability Act (HIPAA) requires that all healthcare provider organizations plan for contingencies and outages. This paper explores the disaster recovery planning process in the healthcare setting.

Disaster recovery planning appears time- and resource-consuming without any obvious or direct link to the bottom line. What frustrates planners even more is that the result of their labor - a workable plan that protects and preserves the operation - shows no return on investment (ROI) unless there is a disaster that calls for its use. Certainly, no organization hopes for a disaster, but the need for this crucial plan remains real and unavoidable.

Healthcare organizations want their dollars to ensure the best and most timely treatment of patients. This goal makes investment in projects like disaster recovery planning or continuity of operations plans (COOPs) seem less important than facilities expansion or acquisition of the latest diagnostic instruments. Nearly everyone can agree that adding improved diagnosis and treatment capabilities will improve patient health. It may be harder to get everyone to agree that preserving and protecting those tools and technologies is equally important. But keep this in mind: Any tool that cannot be used due to an incapacitating event is of no value to anyone. And a healthcare operation out of service even temporarily, regardless of the cause, can put many lives at risk.

An effective COOP can ensure that vital tools are kept in service or restored to service rapidly, under even adverse conditions. With laws requiring the creation of these plans, revenues being squeezed from all sides, and unrelenting pressure to keep the doors open under all conditions, one question remains foremost on the minds of those charged to make it happen: Where do I begin? This project's scope can seem like trying to eat an elephant all at once. But just like eating an elephant, a project of this size is accomplished one bite at a time.

The Health Insurance Portability and Accountability Act (HIPAA) requires that all healthcare provider organizations plan for contingencies and outages. An effective plan to sustain the operation is the final output of the planning process. HIPAA also requires that these organizations use a "risk management" approach for their plans. This approach means that risks and events that may cause such outages must be identified, analyzed, and mitigated or compensated for. This in-depth process can be complex. Laying the proper foundation through a project management methodology is the best way to ensure you don't miss a step.

Well-planned and executed projects begin with a clear understanding of objectives, constraints, and other factors that will affect the project and its outcome. Clearly, the final outcome to be produced is a complete, tested, and proven plan.

To start, you must clarify scope, budget, scheduling issues, and resources. These are the basic components that will form the framework of a workable plan.

The project manager must first define scope and resources in ways that are unique to a COOP. COOPs are very specific to a business unit, location, facility, or other operational component. The plan must consider the work done by the operation, the information used, staffing, geography, weather, time horizon, and many other factors. Resources include those things available to build and test the plan, and those items available when the plan is activated. The project manager needs to define the following categories.

Assets: human, physical, informational, technological
Potential threats and their sources: human, natural, technological
Vulnerabilities: flaws or other shortcomings (including absence) in a control or asset

After identifying the above, you will know the primary elements that can suffer from or cause a disaster. You will also know what assets are available to build your plan. To help you get started, a useful Contingency Plan template and Guidelines are included in the Appendix.

Once you have defined assets, threats, and vulnerabilities, the next step is to assess risk. In fact, HIPAA requires risk assessment as part of the disaster planning process. Performing a Business Impact Analysis (BIA) is an additional step that must be taken and complements the risk assessment process.

A risk assessment must be performed (and updated annually). This assessment reviews the assets, threats, and vulnerabilities of the operation. Simply stated, assets are "things of value." These can be the tangible and intangible items that an organization acquires and uses to accomplish its mission. Intangibles may include processes, intellectual property, image, and reputation. It can be hard to place value on intangibles, but they are often even more critical to protect than tangible assets. They often represent competitive advantages or the nearly irreplaceable company image and reputation.

