Protecting Your Business with BCP

Recent history has shown that it is imperative for hospitals to have a Business Continuity Plan in place. According to the Harvard School of Public Health, the intensity and frequency of major natural disasters have increased from 100 per year in the 1970s to more than 500 per year. After the devastation wrought by 2005’s Hurricane Katrina, The Joint Commission (TJC) required all healthcare facilities to implement a disaster plan. HIPAA has since required the backup of all electronically-protected health information (EPHI), as well as disaster recovery plans. When a community is dealing with a disaster, be it a terrorist attack, hurricane or flu pandemic, it is critical that they be able to count on their local hospital to provide medical services when those services are most needed. A Business Continuity Plan, or “BCP,” is the key to maintaining the availability of these services.

The BCP is a set of procedures that allows a hospital to continue operating during an emergency, be it a major natural disaster, a pandemic or simply a burst pipe in the records room. When a disaster such as a hurricane hits a region, the effects are often devastating. Homes are evacuated, residents are displaced and many businesses are forced to close (and some never re-open). A hospital, however, does not have the luxury of simply closing its doors and waiting for the storm to pass. It must be able to remain “open for business” during any situation. If not, millions of dollars in revenue may be lost, even if a hospital is down for as little as one day. The University of Texas Medical Branch (UTMB) in Galveston and its 414-bed John Sealy Hospital, for example, lost $276 million in revenue after it was hit by Hurricane Ike in 2008, essentially closing patient and operating rooms for nearly five months, according to the National Association of State Chief Information Officers.

But, more importantly, if a hospital cannot remain operable, people will die. Whether it is facing mass power outages, water contamination, a disease epidemic or any other disaster, a hospital must have plans in place to allow it to continue servicing patients.

In addition to simply ensuring it has working backup generators in the event of a power failure (and hopefully those generators are not located in a basement or at ground level, which are susceptible to flooding, as we saw in Hurricane Katrina and the more recent Hurricane Sandy), the hospital must also ensure it has ample fuel for those generators. The hospital also needs to be able to deal with patient transportation both to and within the facility and have clean water available. These are some components of a typical emergency operations plan. Such a plan may also include the process of evacuating patients to nearby facilities, if the hospital must be closed, as happened during Hurricane Sandy and also during the recent tornadoes in Oklahoma.

But the hospital must also have ways to access medical records, place orders and review lab results. This is why it is crucial that a hospital maintain an off-site data center, where this information is housed. In addition, more hospitals are adopting modern technological gadgets that will prove to be an asset in the event of an emergency, but also are practical in their everyday business.  iPads, for instance, can be used to access patient data, enter and transmit orders and can therefore allow a hospital to continue serving patients to the best of its ability, even if its on-site network or computer system has been shut down.

As financially devastating as Hurricane Ike was to UTMB and its associated hospital, perhaps more impressive is the fact that the University actually had many technological services back online within just 72 hours of the hurricane hitting. According to a State of Texas report provided to NASCIO, this is due to the fact that their “information technology team was prepared with a business continuity and disaster recovery plan that:

  • prioritized technology recovery,
  • built resilient space for local resources,
  • contracted for and used remote data center space,
  • created and tested plans for remote staff deployment,
  • documented plans and kept them current, and
  • ran weekly and monthly tests of the backup power supplies.”

In order to develop a BCP, a hospital should first pull together a team to develop a plan. Your plan will need to evaluate each function within the hospital, and then prioritize these areas by whether those functions are critical (e.g. trauma care, security, radiology) or non-critical (cafeteria, gift shop, records, storage, etc.). The team should then conduct a threat analysis, evaluating potential disasters the hospital might face and the likelihood of each. The team must also identify what resources and funding would be needed to restore critical functions in the hospital if they are lost. The plan should include a disaster kit, which is comprised of copies of insurance policies, emergency phone numbers, security codes, lists of employees and contact information, basic medical supplies and a small food supply. The hospital, of course, will need a thorough facilities recovery plan, which accounts for transporting patients, providing back-up power, and even providing a temporary command center, if needed. This will be one of the most critical aspects of a BCP. It is imperative that the facilities have emergency power, computer and phone resources to maintain contact with the outside world, including vendors and other healthcare providers, during a disaster. For this reason, as we saw with UTMB, it is imperative the BCP include a comprehensive information technology component.

Once the BCP is complete, it is recommended to test it as often and as thoroughly as possible through exercises and drills, some “table top”, and some actual “walkthroughs.”   Testing the BCP allows the team to identify areas of weakness and correct these before an actual disaster occurs.  Finally, the team should be prepared to review and update the BCP on a regular basis.

Again, as we have seen with multiple recent natural disasters, it is imperative that hospitals have a BCP in place. Moreover, it is required by TJC and as part of HIPAA’s “Security Guidelines.” Hopefully more hospitals will continue to embrace technological advances (such as the iPad) as means to avoid any loss of productivity in the event of a disaster, and will also be diligent about reviewing and testing their BCP on a regular basis. By doing so, they can continue to ensure they are able to save more lives when their services are most needed.

~ Melissa McCain