4 Reasons to Update A Hospital Business Continuity Plan
When ransomware infected the IT systems of a UK hospital group in November 2016, the group was forced to halt operations at three hospitals. For five excruciating days, the hospitals turned patients away while they shut down their systems to isolate and remove the virus. Even “major trauma cases” and “high risk women in labour” were directed to other facilities. According to a report in Computing.co.uk, some experts speculated there may not have been a hospital business continuity plan in place that would have helped to keep the facilities running during the disaster.
What’s more likely is that there was some form of hospital continuity of operations plan (COOP) in place, but that the plan hadn’t been updated recently enough to cover the risk of a critical IT systems failure.
In this post, we identify what to include in a business continuity plan for hospitals and address the vital importance of updating the plan on a regular basis.
Sections to include in a hospital continuity plan
While every healthcare organization should have its own unique business continuity plan, there are some fundamental components that should be found in most plans. Most hospitals will want to include the following sections:
- Contact information of key stakeholders
- Objectives of the plan
- Risk assessment
- Business impact analysis
- Preventative solutions
- Incident response
- Recovery protocols
- Backup plans and systems
- Communication directives
- Recommendations on further action
- Plan testing & update schedule
Below, we break down the specific information to include within each section. But taken altogether, a hospital BCP should achieve the following core goal: identifying the risks to the hospital’s operations, along with the impact of a disruption, and outlining the specific steps and systems for recovering those operations if an incident occurs.
In a hospital setting, ensuring continuity of operations through a disaster can literally save lives. So it’s vitally important for a BCP to be thoroughly documented, meticulously followed by recovery teams and updated accordingly over time.
A quick note about different types of COOP plans
There are a lot of moving parts that keep a hospital running. Additionally, when the hospital is part of a larger system of healthcare facilities, spread out across a region, then continuity planning becomes increasingly complex.
For illustrative purposes, in this post we have consolidated the main concerns of hospital continuity planning into a single, oversimplified document. But in truth, hospitals can have multiple COOP documents to capture the specific concerns of different divisions:
- IT department
- Emergency room
- Intensive & intermediate care units
- Outpatient services
- Paramedical departments
- Surgical departments
- Infectious disease units
- Laboratory units
- Hospital administration
A disaster in the radiology department can look a lot different than one in the emergency room. So each division can indeed have its own distinct COOP, as part of the hospital’s larger business continuity plan.
Regardless of the size of the document, or the number of plans created across the organization, recovery procedures should be prioritized to ensure that the most critical operations are restored as quickly as possible.
Threats to a hospital
Why do hospitals need a continuity plan in the first place?
Above, we highlighted the example of a ransomware infection that forced three hospitals to halt operations. Ransomware has become a top risk for healthcare facilities in recent years, which only worsened during the 2020 pandemic. But the file-encrypting malware is just one of numerous disaster scenarios that hospitals need to plan for.
Example risks include:
- Fire within the hospital
- Natural disasters such as hurricanes and tornadoes
- Health crises such as pandemics
- Terrorist activity
- Active-shooter situations
- IT infrastructure failure (server failure, network outage, etc.)
- Malware and viruses
- Workforce shortage or stoppage
- Supply chain issues
- Utility interruption (electric, gas, water, etc.)
Disasters in a healthcare setting can also be caused by accidents and human error. According to statistics highlighted by the University of Illinois Chicago, “unintentional staff actions causing a compromise in patient data security accounted for 12 percent of security incidents in the healthcare industry.”
Hospital Business Continuity Plan Template
Regardless of whether a hospital has a single, comprehensive BCP, or multiple plans for different areas of the organization, each plan will typically follow a similar structure. Above, we listed the sections that should serve as a foundation for the plan. But the following template drills down further into each section to provide a framework of the information that should be included.
a) Contact information of key stakeholders
This section will sometimes include the contact information of those who wrote the plan, so that they can be contacted with questions or concerns about the documentation. It is also common to include the hospital’s key stakeholders in the continuity of operations.
For example, the contact information could be for operations staff, members of disaster recovery teams or executive staff who oversee the hospital (or the individual divisions for which the plan is written). Typically, these people should be contacted first when a disaster situation occurs.
How to structure: Each stakeholder should be listed with multiple communication methods:
- Name of individual
- Job title or role
- Locations (office & home addresses)
- Phone numbers (work, mobile, home & alternative)
- Email (work, home & alternative)
- Messaging handles (e.g. Slack, Skype)
b) Objectives of the plan
Since a hospital can have several different continuity plans, as mentioned above, it’s important to clearly define each plan’s objectives. This makes it clear what the plan aims to achieve: its areas of focus and its limitations.
For example, if the plan is focused strictly on IT operations, then this must be stated in the objectives. By doing so, you make it clear that additional planning is still needed for other hospital operations.
How to structure: A bulleted list can help to summarize the objectives quickly, as follows:
- To ensure continuity of hospital operations through an operational disruption.
- To identify the risks and business impact of such disruptions.
- To set forth emergency protocols for mitigating and resolving interruptions.
c) Risk assessment
Above, we highlighted some examples of common threats to hospitals. In this section, each of those risks should be assessed in detail. Risks should be clearly defined and rated by their likelihood of occurring.
This section is arguably one of the most important in a hospital’s continuity of operations plan, because all further planning, protocols and systems will be based on the risks identified here.
How to structure:
Note: The above chart has been simplified for illustrative purposes. A single department within a hospital could have dozens of high-probability risks listed in its risk assessment. With rare exceptions, NO major risk should go unidentified, so that every possible disaster is prepared for.
d) Business impact analysis
The business impact analysis is the vital byproduct of the risk assessment. When assessing risks, you need to understand how each type of disaster will have a unique impact on the hospital.
In a ransomware attack, for example, which files and systems will be lost? How long will it take to recover them? Which departments will be affected? How will the event disrupt hospital operations and services? All of this needs to be clearly defined in order to prioritize recovery strategies.
How to structure: Some business continuity plans will combine the risk assessment and impact analysis into one section for easier skimming; however, they can also be separated as follows in this simplified version:
e) Preventative solutions
This section should define all the preventative measures implemented to avoid the risks identified in the sections above. This can include technologies, building enhancements, protocols and any other strategies that help to keep disasters at bay.
How to structure:
- Categorize the various types of prevention into groups, such as IT solutions, structural enhancements, etc.
- List each solution to define what it is and how it helps to prevent the applicable disruption.
f) Incident response
When disaster strikes in a hospital setting, the immediate response to the incident will play a huge role in how long the disruption lasts. This section will thus outline the proper response to each of the disaster scenarios identified in the risk assessment.
How to structure:
- Given the volume of risks to a hospital, each potential incident will likely have its own section or appendix within the larger BCP/COOP.
- For each incident, include thorough instructions on how to respond and who will do it.
g) Recovery protocols
Similar to the incident response section, this section should outline the specific procedures for a full recovery of affected hospital systems and services. Whereas the initial response helps to mitigate and resolve an incident, the protocols in this section provide guidance for a complete restoration of operations.
How to structure:
- List the specific recovery procedures for each type of incident.
- Be clear about who will carry out the recovery protocols and on what timeline.
h) Backup plans and systems
“Backups” here can refer to any type of contingency, from data backups to secondary offices to be used if an emergency relocation is necessary. While the “Incident response” and “Recovery protocols” sections will also include some of these backups, this section is intended to provide a more comprehensive list of all backup resources.
How to structure:
- Divide the lists by categories, for example: backup equipment for IT, office assets, etc.
- Include information on secondary locations, such as contingencies for scaling the Emergency Department in a crisis or relocating departments to other areas of the hospital (e.g. after a fire).
i) Communication directives
A lack of communication in a disaster will make a swift recovery nearly impossible. This section is designed to provide clarity on how teams will reach each other during an emergency, especially if primary lines of communication are unavailable.
How to structure:
- Include specific methods of communication and devices that should be used.
- Specify how various personnel will receive updates during a catastrophic event, such as SMS alert systems, call-in lines, etc.
- Include external communication procedures for the public, media and other third parties.
j) Recommendations on further action
During the creation of a hospital business continuity plan, vulnerabilities will naturally be identified. This section outlines those gaps and provides the steps and solutions for remedying them.
How to structure:
- Define the weaknesses identified. For example, if current data backup systems are inadequate for ransomware attacks, explain why and what the impact would be.
- Propose solutions to eliminate those vulnerabilities, such as a more robust BC/DR solution that can quickly recover data after a ransomware infection.
k) Plan testing & update schedule
No continuity of operations plan is complete without proper testing and routine updates. The protocols and systems documented in the plan should be routinely tested to ensure they will be effective in a real-world incident.
How to structure:
- Include a list of tests ordered by priority, along with specific instructions for carrying out each.
- Make sure all tests are documented; that documentation can then be used to refine the BCP as needed.
- Specify how often tests should be performed and how often the BCP should be reviewed and updated.
Remember: While the “update schedule” is last on this list, it is just as important as the formation of the entire BCP itself. Here’s why …
4 reasons to update a hospital business continuity plan
Simply creating the plan is not enough.
Today, most facilities offering urgent medical care do have a hospital business continuity plan. In the United States, having a healthcare business continuity plan is not just a moral or business decision. It’s the law. Under HIPAA, the Department of Health and Human Services requires that healthcare businesses have a “comprehensive testing and monitoring strategy … to prevent and manage [Electronic Health Record] downtime events.”
But a hospital business continuity plan is by no means a “once and done” project. If you’re not constantly updating and reevaluating your plan, then you’re leaving your hospital at risk. Here are 4 key reasons why.
1) Information becomes outdated
Keep in mind that a good business continuity plan for hospitals is extremely specific. It outlines places, technologies, vendors, processes and other information that becomes quickly outdated.
Even information that’s only a month old may not be applicable anymore. So, it’s important to update your plan constantly.
- Tip: Your business continuity plan should include a schedule for reviewing and updating the plan, and should specify who is responsible for doing so. You’ll likely need to identify several people or teams who are responsible for this critical task.
2) New threats emerge
Hospitals must constantly plan for a wide range of disaster scenarios, both manmade and natural. These threats evolve and can increase over time.
Only a few years ago, very few organizations understood the threat of ransomware – or had even heard of it. Today, it’s one of the most costly forms of cyberattack, and the FBI says such attacks are increasingly targeted toward hospitals and government agencies.
That’s just one example of a threat that probably wasn’t included in most disaster recovery plans for hospitals only a few years ago. But it absolutely must be today.
What about the changing risks of other disasters? Is the hospital located in an area where it might be more prone to harsh weather conditions caused by climate change in future years? What about the risks of a sudden virus outbreak, like Ebola, which forced healthcare organizations to rapidly restructure their emergency processes in 2014?
New threats are constantly emerging. Updating your plan is essential to staying prepared.
3) Personnel changes frequently
A business continuity plan identifies numerous staff people, including key executives as well as department heads, who will play critical roles in a disaster. Who will be in charge? Who will implement the procedures listed in the plan? Who needs to be contacted, both internally and externally? Which vendors will supply backup resources if needed? Who has access to mission-critical IT systems?
Your plan may be filled with names or titles from across your organization. But if those personnel have moved on to other jobs, or the positions have changed, then their absence will leave gaping holes in the plan. This is why it’s critical to constantly review the plan to ensure that all personnel information is accurate and up to date.
4) Better technologies are developed
Systems for backing up and restoring critical hospital data have improved significantly over the years. If you’re using technologies that are even just a few years old, you could run into serious issues during an IT disaster. It could take days to restore data, or the data could be corrupted beyond recovery.
IT administrators must reevaluate their disaster preparedness technology at least once a year to ensure that data is being properly backed up – locally, in the cloud, or both – and can be recovered almost instantly.
Every hospital needs a comprehensive business continuity plan to ensure it is prepared for an emergency. But for healthcare organizations especially, a business continuity plan must be treated like a work in progress, not a static document. There are many moving parts, in addition to those listed above, so planning documentation should be routinely reviewed and updated. By reevaluating the plan according to a specific schedule, hospitals can greatly minimize the risk and length of operational downtime when disaster strikes.
Request a Free Demo
Learn more about protecting your healthcare organization from threats like data loss, ransomware attacks and cyberattacks with BC/DR solutions from Datto. Request a free demo or speak to our business continuity experts at Invenio IT today. Call (646) 395-1170 or email success@invenioIT.com.