Like many organizations, hospitals and other healthcare providers rely on consistent operations. Unlike most businesses, however, healthcare organizations have an added risk layer – patient health, safety and, in some cases, their lives. Several events can threaten stability in healthcare, from less common catastrophic disasters such as earthquakes and mega-storms, to more frequent power outages and data breaches.

The aging population is growing exponentially, with the number of people over 60 poised to triple by 2050. These older adults will be direct consumers of healthcare services. While business continuity is important for saving lives, it has a subtler importance that broadly affects operations.

The increased population of seniors will expect a positive customer experience, regardless of external threats to operations. In short, if healthcare providers want to remain competitive, they need to focus on ensuring quality uninterrupted care in the face of any danger.

Business continuity in healthcare

Continuity is crucial in healthcare. A business continuity plan ensures that in the event of a disaster or a similar event, an organization will be able to service its customers without interruption or noticeable delay.

A good plan pares down response time since employees can follow a predefined set of workflows, rather than triaging and engaging in off-the-cuff damage control. Since the stakes are high in healthcare, business continuity plans are essential tools for limiting risk and ensuring uninterrupted quality patient care.

While business continuity plans are useful and advisable for a wide variety of businesses, they are essential in healthcare. One reason is HIPAA, the Health Insurance Portability and Accountability Act of 1996. HIPAA requires healthcare providers to protect patient information in the event of a disaster.

The risks of healthcare business disruption

Healthcare is often a 24/7 job. There are few, if any, after-hours periods. Nothing can wait until the IT department fixes bugs tomorrow, solutions need to occur immediately. The risks are high, and include losing data, interrupting communication, compromising care and other impacts of technology downtime.

  • Patient data loss

    • Modern healthcare creates a lot of information. Patient monitors record data. Billing records are maintained and updated frequently. Sensitive data handling is as crucial as dispensing patient care. What happens if patient data is lost due to a disaster or data breach? Are there backups, redundancies and other measures to ensure that critical, life-or-death information is retained?
    • There are financial risks to losing patient data that go beyond health. While losing billing codes is unlikely to be detrimental to a patient, a hospital cannot provide care if it is not economically viable due to lost revenue.

 

  • Compromised care

    • The biggest risk from both the hospital and patient’s perspective is the negative impact of an event on patient care. If the power goes out, patients that are on life support should be high on priority. But even fewer extreme examples illustrate the problems that can precipitate from failing to develop and implement a business continuity plan. Missed provider notes and skipped medications can completely derail a patient’s care plan.
    • Communication is a crucial component of care. Much of modern healthcare is dispensed through a treatment team approach. Specialists, primary care physicians, physicians assistants, nurses and social workers all access a patient’s chart. If an event compromises IT so that lines of communication are blocked, quality of care will suffer.

 

  • Technology downtime

    • Healthcare providers use myriad technologies to optimize operations. These applications and electronic health records require protection. Downtime means lost revenue and compromised care. Networks should be built with resiliency so that there are no single points of failure.
    • If your fiber connection gets cut, how will you access the cloud, or communicate with others, either located remotely through an SD-WAN, or with those outside of your organization?

 

 

Steps to establishing a business continuity plan

Creating a business continuity plan is critical. Like any planning, it requires not only an initial investment in time and resources but also a commitment to revisiting the plan throughout the business cycle. Here are the basic steps and how they are best implemented:

 

  • Engage the entire organization, including higher-ups

    • Plans are more effective when they reflect the comprehensive realities of an organization. Business continuity planning cannot happen in a vacuum. Compliance isn’t met by downloading a boilerplate form. The plan must go through a distilling process that touches all aspects of operations.
    • But, for the plan to be taken seriously and become part of the organization’s culture, it must come from the top-down. Management must play a role – ideally one that involves more than issuing directives.

 

  • Define scope

    • Simply, what is it that you need to protect? Healthcare providers should have a handle on their systems. This part of the initial assessment is like a broad inventory of what should ideally be protected based on a wide variety of threats.
    • The scope is defined by your particular vulnerable resources.

 

  • Create a business impact assessment

    • In this assessment stage, the various identified resources that need protection are assigned a priority based on how resistant each is to downtime. Some critical resources can weather a typical power outage, such as archived patient billing records, while others cannot be down for even a split second.

 

  • Develop the plan

    • A business continuity plan is a combination of a list of prioritized critical resources with backup protocols to ensure minimal downtime. The plan could include logistics for transporting patients to a different location in the event of a major natural disaster or could outline the use of backup generators in a power loss, for example.

 

  • Implement

    • Once a plan is developed, it should go through a final review before being adopted organization-wide. When approved, it must be also implemented as a part of regular operations and not simply reside on a shelf as a symbol of compliance.
    • Like most plans, a business continuity plan is useless if kept dormant. Organizations change, technology evolves, and patient expectations vary. Because of this variability, business continuity plans should not be seen as static documents.
    • With a well-thought-out business continuity plan, healthcare providers can be prepared for the worst, and provide optimal patient service.