Industry Coverage icon

Develop a Business Continuity Plan for Healthcare

Streamline the traditional approach to make BCP development manageable and repeatable.

Unlock a Free Sample
  • Recent crises have increased executive awareness and internal pressure to create a business continuity plan (BCP).
  • Healthcare-driven regulations require evidence of sound business continuity practices.
  • Customers demand their vendors provide evidence of a workable BCP prior to signing a contract.
  • IT leaders, because of their cross-functional view and experience with incident management and DR, are often asked to lead BCP efforts.

Our Advice

Critical Insight

  • BCP requires input from multiple departments with different and sometimes conflicting objectives. There are typically few, if any, dedicated resources for BCP, so it can't be a full-time resource-intensive project.
  • As an IT leader you have the skill set and organizational knowledge to lead a BCP project, but ultimately, business leaders need to own the BCP – they know their processes and their requirements to resume business operations better than anyone else.
  • The traditional approach to BCP is a massive project that most organizations can’t execute without hiring a consultant. To execute BCP in-house, carve up the task into manageable pieces as outlined in this blueprint.

Impact and Result

  • Implement a structured and repeatable process that you apply to one business unit at a time to keep BCP planning efforts manageable.
  • Use the results of the pilot to identify gaps in your recovery plans and reduce overall continuity risk while continuing to assess specific risks as you repeat the process with additional business units.
  • Enable business leaders to own the BCP going forward. Develop a template that the rest of the organization can use.
  • Leverage BCP outcomes to refine IT DRP recovery objectives and achieve DRP-BCP alignment.

Develop a Business Continuity Plan for Healthcare Research & Tools

1. Develop a Business Continuity Plan for Healthcare Storyboard – A step-by-step document that walks you through process to build BCP within the healthcare industry.

Business continuity planning is a complex, interdepartmental project with multiple and sometimes conflicting objectives. Follow the guideline in this blueprint to structure your process to streamline your efforts and stay on track.

2. Maturity Assessment and Business Impact Analysis – Structured tools to conduct and document a business impact analysis for your business continuity plan.

Use these tools to conduct a maturity assessment of your current BCP processes and do a business impact analysis to identify the gaps.

3. Process Workflows Examples – A best-of-breed template to help you build a clear, concise, and compelling strategy document for stakeholders.

The sample workflows help you establish steps, dependencies, and alternates for BCP. The tools contain multiple example workflows. Use the conventions in this tool or create your own to visually document business processes and track process requirements.

4. BCP Recovery Playbook and Roadmap – Provide additional details on BCP procedures and develop a project plan to reach your BCP goals.

Communication between the recovery teams is very pivotal to make sure that BCP is conducted according to the plans. Leverage the tools and templates to make a communication plan and ensure that the improvement initiatives follow the best-practice guideline.

Unlock a Free Sample

Develop a Business Continuity Plan for Healthcare

Streamline the traditional approach to make BCP development manageable and repeatable.

Analyst Perspective

A BCP touches every aspect of your organization, making it potentially the most complex project you'll take on. Streamline this effort or you won't get far.

None of us needs to look very far to find a reason to have an effective business continuity plan (BCP).

From pandemics to natural disasters to supply chain disruptions to IT outages, there's no shortage of events that can disrupt your complex and interconnected business processes. How in the world can anyone build a plan to address all these threats?

Don't try to boil the ocean. Use these tactics to streamline your BCP project and stay on track:

  • Focus on one business unit at a time. Keep the effort manageable, establish a repeatable process, and produce deliverables that provide a starting point for the rest of the organization.
  • Don't start with an extensive risk analysis. It takes too long and at the end you'll still need a plan to resume business operations following a disruption. Rather than trying to predict what could cause a disruption, focus on how to recover.
  • Keep your BCP documentation concise. Use flowcharts, checklists, and diagrams instead of traditional manuals.

No one can predict every possible disruption, but by following the guidance in this blueprint, you can build a flexible continuity plan that allows you to withstand the threats your organization may face.

Frank Trovato, Research Director, IT Infrastructure & Operations Practice

Frank Trovato
Research Director,
IT Infrastructure & Operations Practice
Info-Tech Research Group

Andrew Sharp, Senior Research Analyst, IT Infrastructure & Operations Practice

Andrew Sharp
Senior Research Analyst,
IT Infrastructure & Operations Practice
Info-Tech Research Group

Executive Summary

Your Challenge Common Obstacles Info-Tech's Approach
  • Healthcare entities want to ensure patient care is uninterrupted during crises, which poses a challenge in the healthcare industry.
  • The healthcare industry is highly regulated, which makes BCP initiatives more complex than in other industries.
  • Due to the high turnover, it is a big challenge for the leads to provide training and ensure preparedness to apply BCP best practices.
  • Healthcare is highly dependent on technology such as telecommunication, electronic medical records (EMR), and cybersecurity tools. This requirement forces them to make strong business continuity (BC) and disaster recovery (DR) planning.
  • Pharmaceutical companies and healthcare providers highly depend on vendors and suppliers. They should ensure that managing logistics and suppliers is done appropriately to make sure different departments and business units function properly during a crisis.
  • Focus on implementing a structured and repeatable process that can be applied to one department at a time to avoid BCP from becoming an overwhelming project.
  • Enable leaders to own the BCP going forward by establishing a template that the rest of the organization can follow.
  • Leverage BCP outcomes to refine IT DRP recovery objectives and achieve DRP-BCP alignment.

Info-Tech Insight
As an IT leader, you have the skill set and organizational knowledge to lead a BCP project, but you must enable leaders to own their department's BCP practices and outputs. They know their processes and therefore know their requirements to resume business operations better than anyone else.

Use this research to create business unit BCPs and structure your overall BCP

A business continuity plan (BCP) consists of separate but related sub-plans, as illustrated below. This blueprint enables you to:

  • Develop a BCP for a selected business unit (as a pilot project), and thereby establish a methodology that can be repeated for remaining business units.
  • Through the BCP process, clarify requirements for an IT disaster recovery plan (DRP). Refer to Info-Tech's Disaster Recovery Planning workshop for instructions on how to create an IT DRP.
  • Implement ongoing business continuity management to govern BCP, DRP, and crisis management.
Overall Business Continuity Plan
IT Disaster Recovery Plan BCP for Each Business Unit Crisis Management Plan
A plan to restore IT application and infrastructure services following a disruption.

Info-Tech's Create a Right-Sized Disaster Recovery Plan blueprint provides a methodology for creating the IT DRP. Leverage this blueprint to validate and provide inputs for your IT DRP.

A set of plans to resume business processes for each business unit. This includes:
  • Identifying business processes and dependencies.
  • Defining an acceptable recovery timeline based on a business impact analysis.
  • Creating a step-by-step recovery workflow.
A plan to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage.

Info-Tech's Implement Crisis Management Best Practices blueprint provides a framework for planning a response to any crisis, from health and safety incidents to reputational damage.

IT leaders asked to develop a BCP should start with an IT Disaster Recovery Plan

It's a business continuity plan. Why should you start continuity planning with IT?

1 IT services are a critical dependency for most business processes. Creating an IT DRP helps you mitigate a key risk to continuity quicker than it takes to complete your overall BCP, and you can then focus on other dependencies such as people, facilities, and suppliers.

2 A BCP requires workarounds for IT failures. But it's difficult to plan workarounds without a clear understanding of the potential IT downtime and data loss. Your DRP will answer those questions, and without a DRP, BCP discussions can get bogged down in IT discussions. Think of payroll as an example: if downtime might be 24 hours, the business might simply wait for recovery; if downtime might be a week, waiting it out is not an option.

3 As an IT manager, you can develop an IT DRP primarily with resources within your control. That makes it an easier starting point and puts IT in a better position to shift responsibility for BCP to business leaders (where it should reside) since essentially the IT portion is done.

Create a Right-Sized Disaster Recovery Plan today.

Healthcare complexities pose multiple obstacles against driving BCP best practices

Lack of organizational commitment
Organization and hospital leadership is busy with other commitments, which makes it difficult to get their buy-in for BCP. Without strong leadership commitment, BCP is a low-priority initiative.

Lack of BCP understanding
It's pivotal to implement BCP training to ensure that stakeholders will be able to apply it when needed. Without organizational commitment, there may be limited investments in training programs, leaving staff unaware of the BCP best practices, making it hard for them to follow and apply protocols.

Time limitations to implement BCP
Due to the above reasons, healthcare leaders feel that it's not worth the time and effort to invest in BCP. Low commitment leads to lack of time to train, monitor, and apply business continuity initiatives.

Resource shortage to implement BCP
Lack of commitment leads to the insufficiency of resources in terms of staff, technology, and investment into BC planning for business responsiveness to potential crises.

Regulatory compliance complexity: The healthcare industry is highly regulated, and leaders should make sure that patients' data is confidential and in accordance with standards, such as HIPAA (Health Insurance Portability and Accountability Act). Meeting such regulatory requirements while maintaining business continuity is a very challenging endeavor, making healthcare leaders reluctant to consider BCP over other competing priorities.

Rapidly evolving threats: Given the significant improvements in technology and high dependence of hospitals and healthcare providers on automated systems, cyberthreats and their impact on day-to-day work have increased dramatically. System failure, data breach, and ransomware can easily cause a disaster and jeopardize business continuity.

High dependence on external providers: Healthcare organizations are highly dependent on external entities, such as contract research organizations (CROs), medical device manufacturers, research institutes, medical clinics, regulatory agencies, pharmaceutical companies, etc. The high dependency on external entities make BCP compliance much more complicated than other industries.

Tackling the above challenges and obstacles requires leadership awareness of the BCP's crucial importance on their business, and their commitment to apply it. In addition to leadership buy-in, it requires resource allocation and training, financial support, mission alignment, collaboration with external entities, and testing the BCP framework.

Info-Tech Insight
In this blueprint, we keep referring to "business units," which in the context of healthcare, depending on the sector, means clinical department, back office, or a company's business unit. For instance, in the context of hospitals, business unit means "clinical department," whereas for a CRO it means "back office."

Modernize the BCP

If your BCP relies heavily on paper-based processes as workarounds, it's time to update your plan.

Back when transactions were recorded on paper and then keyed into the mainframe system later, it was easier to revert to deskside processes. There is very little in the way of paper-based processes anymore, and as a result, it is increasingly difficult to resume business processes without IT.

Think about your own organization. What IT system(s) are absolutely critical to business operations? While you might be able to continue doing business without IT, this requires regular preparation and training. It's likely a completely offline process and won't be a viable workaround for long even if staff know how to do the work. If your data center and core systems are down, technology-enabled workarounds (such as collaboration via mobile technologies or cloud-based solutions) could help you weather the outage, and may be more flexible and adaptable for day-to-day work.

The bottom line:

Technology is a critical dependency for business processes. Consider the role IT systems play as process dependencies and as workarounds as part of continuity planning.

Info-Tech's approach

The traditional approach to BCP takes too long and produces a plan that is difficult to use and maintain.

The Problem:

You need to create a BCP but don't know where to start.

  • BCP is being demanded more and more to comply with regulations, mitigate business risk, meet customer demands, and obtain insurance.
  • IT leaders are often asked to lead BCP.

Pie Chart for BCP

The Complication:

A traditional BCP process takes longer to show value.

  • Traditional consultants don't usually have an incentive to accelerate the process.
  • At the same time, self-directed projects with no defined process go months without producing useful deliverables.
  • The result is a dense manual that checks boxes but isn't maintainable or usable in a crisis.

The Info-Tech difference:

Use Info-Tech's methodology to right-size and streamline the process.

  • Reduce required effort. Keep the work manageable and maintain momentum by focusing on one business unit at a time; allow that unit to own their BCP.
  • Prioritize your effort. Evaluate the current state of your BCP to identify the steps that are most in need of attention.
  • Get valuable results faster. Functional deliverables and insights from the first business unit's BCP can be leveraged by the entire organization (e.g. communication, assessment, and BC site strategies).

Expedite BCP development

Info-Tech's Approach to BCP:

  • Start with one critical business unit to manage scope, establish a repeatable process, and generate deliverables that become a template for remaining business units.
  • Resolve critical gaps as you identify them, generating early value and risk mitigation.
  • Create concise, practical documentation to support recovery.

Embed training and awareness throughout the planning process

By comparison, a traditional BCP approach takes much longer to mitigate risk:

  • An extensive, up-front commitment of time and resources before defining incident response plans and mitigating risk.
  • A "big bang" approach that makes it difficult to predict the required resourcing and timelines for the project.

A traditional BCP approach takes much longer to mitigate risk

Case Study

A workshop on continuity planning to improve an existing BCP approach and extend it to the larger organization.

SOURCE
Info-Tech

INDUSTRY
Healthcare Systems

In October 2022, Info-Tech Research Group conducted a four-day business continuity workshop with supply chain process and operational team stakeholders, IT representatives, and the continuity team. The engagement focused on the methodology to augment the existing continuity plan approach with the intent of scaling it to the larger organization. The stakeholders who participated across the four-day engagement provided valuable organizational knowledge and subject matter expertise.

The engagement focused on working with the team of participants and leveraged the following practical approach for defining continuity requirements and exercising the methodology:

  • Gather feedback from key stakeholders and participants and identify prevalent challenges, frustrations, risks, and opportunities.
  • Identify dependencies for a subset of supply chain business processes.
  • Execute a business impact analysis to provide objective comparison and prioritization between activities.
  • Execute a business impact analysis to provide objective comparison and prioritization between core IT systems identified during the process analysis.
  • Examine scenario planning for candidate business processes and IT systems to identify gaps in current recovery capabilities and provide a framework for a full response plan.
  • Review integration between technical incident management, IT disaster recovery, regional response teams, and organizational crisis management.
  • Examine the artifacts, governance, and roles required for a larger BCP program.
Develop a Business Continuity Plan for Healthcare preview picture

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 5-phase advisory process. You'll receive 5 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Scoping
  • Call 1: Scope requirements, objectives, and stakeholders. Identify a pilot BCP project.

Guided Implementation 2: Business Processes and Dependencies
  • Call 1: Assess current BCP maturity. Create business process workflows, dependencies, alternates, and workarounds.

Guided Implementation 3: Conduct a BIA
  • Call 1: Create an impact scoring scale and conduct a BIA. Identify acceptable RTO and RPO.

Guided Implementation 4: Recovery Workflow
  • Call 1: Create a recovery workflow based on tabletop planning.

Guided Implementation 5: Documentation & BCP Framework
  • Call 1: Summarize the pilot results and plan next steps. Define roles and responsibilities. Make the case for a wider BCP program.

Authors

Frank Trovato

Andrew Sharp

Mahmoud Ramin

Contributors

  • Dr. Bernard A. Jones, MBCI, CBCP, Berkeley College
  • Kris Roberson, Disaster Recovery Analyst, Veterans United Home Loans
  • Trevor Butler, General Manager of Information Technology, City of Lethbridge
  • Robert Miller, Information Services Director, Witt/Kieffer
  • Sam Rego, CISO, Mohawk Medbuy and Plexxus

Search Code: 103674
Last Revised: February 15, 2024

Visit our Exponential IT Research Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019