Healthcare Business Continuity Management and Disaster Recovery— No Longer an Afterthought in Today’S World Authors

Healthcare Business Continuity Management and Disaster Recovery— No Longer an Afterthought in Today’s World Authors:

Scott Gerard, CPA Robert Malarkey, Partner CISSP, CISA Crowe LLP Crowe LLP

Table of Contents

Increasing Threats in an Already Dynamic Environment 2

Elements of a Business Continuity Management Program 3

When Disaster Strikes: Defining Risk Areas 5

Strategies for Successful Business Continuity Management 9

Making Business Continuity Management an Organizational Priority 11

Conclusion: Internal Audit’s Vital Role 12 Increasing Threats in an Already Dynamic Environment

A healthcare organization’s operations and network environment are great, and clinical, operational and can be greatly impacted, or even shut down, due to a financial areas all are at risk should critical systems natural disaster or the harmful actions of bad actors. go down.

The mass shooting in a Chicago hospital in November With patient lives on the line, the stakes are even higher 2018 was a stark reminder that today’s hospitals and in healthcare than in other, less complex industries. health systems face an increasing array of dangers If hospitals cannot operate their many departments that threaten to disrupt patient care and business and cannot keep vital IT systems up and running, these operations. Workplace violence in the healthcare organizations could be rendered unable to take care industry overall is on the rise, with one recent U.S. of patients who entrust their lives to them. Government Accountability Office study reporting All healthcare organizations know the importance healthcare workers at inpatient facilities are five to of having emergency response plans in place to 12 times more likely to encounter nonfatal violence immediately address disasters, whether natural or in the workplace than workers in other industries.1 man-made. Furthermore, hospitals are required to Cyberattacks, which can bring down electronic health follow Centers for Medicare & Medicaid Services (CMS), record (EHR) applications and other vital systems Joint Commission and state authority regulations for in a matter of seconds, also have become more emergency preparedness. A primary component of an commonplace.2 organization’s disaster response is its ability to continue And, of course, the threat of natural disasters, including operations as the organization works to recover from hurricanes and fires, is ever present and seems to a disaster. Business continuity management (BCM) be increasing, especially in geographically vulnerable accomplishes this by pre-emptively identifying and areas. A hospital in Paradise, California, may not reopen establishing plans to continue managing key business after sustaining significant damage in the November functions, processes and their associated IT- or non- 2018 Camp Fire.3 And the effects of 2017’s Hurricane IT-related dependencies to minimize the impact of Harvey are still very much on the minds of hospital and unexpected events on the organization while trying to healthcare facility management in the Houston region maintain seamless, uninterrupted operations. as they digest lessons learned and rebuild.4 Healthcare internal auditors can bring value to When disaster strikes in an industry as complex organizational leadership and governance by as healthcare, the effects can be far-reaching. performing periodic reviews of the organization’s The consequences of IT failures within a healthcare BCM and disaster recovery (DR) planning objectives facility in today’s increasingly electronic, data-reliant and strategies.

Association of Healthcare Internal Auditors I Crowe, LLP 2 Elements of a Business Continuity Management Program

A well-thought-out BCM program allows an organization When drafting a BIA, the team doing so should use to continue functioning during a disaster and, existing organizational documents and information, ultimately, to fully recover normal business operations including results of the organization’s hazard and in a timely manner afterward. Through the process of vulnerability analysis. Other input used for BIA business continuity planning, an organization identifies development includes questionnaires (using a standard its main risks, processes and IT systems, and it then form) or interviews with experienced staff members creates plans for remediation should a disaster occur. within the various departments. Examples of questions to be addressed during a BIA include: Though they may intersect with emergency management plans, which are concerned with keeping • What are the significant business processes in patients and staff safe from harm during a disaster, this department? business continuity plans (BCPs) are focused on • What applications or systems are considered continuing operations when main systems are down. mission critical? Central elements of a BCM program include: • What resources, including human resources (key Business Impact Analysis players), are required for these business processes to function normally? A business impact analysis (BIA) is a process to predict the impact on business processes and systems in • What are the main financial and operational impacts the event of a disaster in order to develop strategies to the department and organization if these business to recover. Conducting a BIA helps an organization processes cannot be performed? prioritize recovery of each business process and define • What is the recovery time objective for each function? what those processes need from the following three In other words, how long can the department perspectives: function without doing this business process before • People: What are the minimum personnel it significantly affects the organization? (Number of requirements needed to conduct the business hours? Days? Weeks?) process? • How quickly can these processes be resumed should • Technology: What IT resources (for example, a downtime event occur? software applications or systems) are required and • What are the department’s key dependencies? considered critical to execute that business process? For example, is there another system that this • Process: What non-IT tools, such as patient care department’s system interfaces with that also should instruments and paper charting, are needed to be considered critical? support the process? • Does the department or business unit produce To conduct a BIA, business leaders seek input from information that is important to another unit? What department owners and stakeholders across the would the impact be to that department if there is organization to help define and prioritize all critical an outage? business functions. A standardized process for • What resources, including personnel, would be establishing ownership and conducting a BIA required to recover from a major disaster or should exist. system outage?

A well-thought-out BCM program allows an organization to continue functioning during a disaster and, “ ultimately, to fully recover normal business operations in a timely manner afterward. ” 3 Healthcare Business Continuity Management and Disaster Recovery Output from the BIA should show how important each (see “Strategies for Successful Business Continuity business process is to supporting the organization Management”). The plan should be clear enough for any overall and help the organization prioritize where it person to follow, regardless of the individual’s everyday should focus its time, attention and resources in the role or background. critical period following a disaster. The input from each business unit is essential to provide a road map for IT Disaster Recovery in terms of which systems need to be brought back up As a result of conducting a BIA and developing a BCP, in what time frame. It’s important to note that while the organization should now have a comprehensive the IT function ultimately is responsible for bringing list of applications and systems needed to continue technological systems back up, the business units or operations and a prioritization plan for how quickly departments themselves should own the process of the IT department needs to be able to recover those identifying critical systems. applications and systems. This is known as a disaster Business Continuity Planning recovery plan. While business continuity plans focus primarily on operations, disaster recovery plans largely Using the framework created during the BIA, are an IT endeavor to support operations. When organizational leadership then can move into creating developing DR plans, operational leadership should a BCP. A BCP is a strategic plan that positions an be involved so the IT department can understand organization’s high-risk business processes to be able operational processes that need to immediately to function should a disaster occur and major systems continue in addition to the supporting applications. shut down. As with BCPs, DR plans should be thorough.

To develop a business continuity plan, organizational leadership and members of the business continuity Testing team or committee should meet with the crucial Another crucial component of a BCM program is testing process owners within each department to create a of both business continuity and disaster recovery plan that can be put into place should a catastrophic plans. Teams should conduct tests at least annually event occur. The plan should focus on how each using either a tabletop simulation or a full-scale drill. department can minimize impact to the organization Periodic testing of the plans helps expose incomplete and continue operating at an acceptable level during and ineffective procedures that need to be revised or an event. The more thorough the plan, the better updated to strengthen and refine recovery plans.

Association of Healthcare Internal Auditors I Crowe, LLP 4 When Disaster Strikes: Defining Risk Areas When critical systems are severely damaged during patients are unable to access their own health information a disaster, the negative effects on a healthcare or schedule or change appointments via patient portals. organization are multipronged. While different types of disasters—extreme weather incidents, terrorist Risk Prevention Strategies: attacks, ransomware or smaller-scale incidents such • Have a redundant system in place so clinicians as a software malfunction—produce different effects, can access patient medical history and check for consideration of risk areas is vital to making sure the medication allergies; make sure downtime viewers organization is prepared to continue operating when are available for critical applications.

crucial systems are down. • Have a redundant system or backup (manual) patient Following are examples of some of the biggest risks portal system in place for patients to access their for healthcare organizations in clinical, operational, own medical information or to schedule or amend finance and IT areas as well as strategies for adequately appointments. preparing to continue operations should a disaster • Develop manual processes for handing off patient occur. The examples can help internal auditors review information, such as lab information and patient organizational BCM and DR preparedness and assess orders, to the lab, the radiology department or other the effectiveness of existing plans. members of the care team.

Clinical Risk Areas • Involve medical professionals in BIA and BCP development exercises to make sure critical clinical Risk: equipment is prioritized and accounted for; clinicians Clinicians cannot access the EHR and therefore cannot can provide valuable input to IT about complicated, quickly or efficiently treat or diagnose patients. In addition, specialized equipment.

5 Healthcare Business Continuity Management and Disaster Recovery Risk: Operations and Finance Risk Areas Clinicians cannot access electronic systems and must Risk: transition to a manual, paper-based system, but newer, Major utilities (for example, electricity and water) are less-experienced clinicians are not familiar with how to brought down during a disaster, or the facility is damaged document or work on paper. and rendered completely unusable. Risk Prevention Strategies: Risk Prevention Strategies: • Include staff training on paper-based charting in • Have a well-equipped command center in place with business continuity and DR plans. functioning utilities. • Make paper-based charts and forms readily available • Prearrange transportation to move patients and staff throughout the facility and easy to locate. safely in the event of a disaster. Having learned from • Coordinate clinical training (charting) with laboratory Hurricane Katrina, hospitals in the New York City area staff to cover comprehensive steps for how lab results had arranged for ambulance companies to be on will be returned and shared. standby should patients need to be evacuated, and they were grateful for that foresight when Hurricane • Assign a staff member to make sure doctors and Sandy hit in 2012.5 nurses are documenting information correctly. • Schedule periodic inspections of facility backup Risk: generators. Patient handoffs—whether internal or external—are confusing and ineffective due to critical systems being • Plan for adequate amounts of fuel and other energy down and communication among clinical departments sources to sustain on-site operations in the event that or with other community healthcare organizations patients and staff are restricted from transport. being hindered. • Have contingency plans in place for all major utilities.

Risk Prevention Strategies: Risk: • As part of overall BCM, have clinical staff conduct an Critical patient care and facility supplies cannot be evaluation and inventory of where patient handoffs delivered or otherwise replenished, and patients cannot be are likely to occur. transferred to another facility due to a building lockdown • Include a manual process for documenting internal caused by severe weather, such as a blizzard, or other and external patient transfers in business continuity events, such as an earthquake. and DR plans (for example, to document moving Risk Prevention Strategies: patients from ambulatory to an acute care setting • As part of business continuity planning, staff should internally or externally). assess the organization’s inventory of critical supplies. • Designate a staff member to have complete • Stock enough medicine, medical supplies, food, responsibility for patient handoffs when systems water, clean linens and other supplies to last are down. for a predetermined amount of time; for many • Make year-round efforts to improve overall organizations, the goal is the Joint Commission’s coordination among clinical departments, particularly Emergency Management 96-hour standard or between ambulatory and acute care settings. compliance with guidelines from other local, state or federal authorities. • Coordinate with local healthcare facilities and other community organizations to design processes • For supplies typically ordered online, establish an for patient handoffs, and then conduct periodic alternative method for placing orders if systems assessments and tests of those plans. are down.

Association of Healthcare Internal Auditors I Crowe, LLP 6 • Have a plan in place to work with vendors to • Keep backup copies of software, systems and files in handle large orders that require advance payment an off-site or alternative location, and make sure they before shipment (for example, orders of expensive can be brought back up in a timely matter. pharmaceuticals) if online payments are not possible. • Have redundancies in place on the network between • With infection prevention a top priority, include plans multiple data sites. This gives the organization the for hiring a third-party service to continue cleaning ability to use another data site without disruption if linens and rooms if these services are not able to be one data site goes down. performed in-house for a period of time. • Establish contracts for redundant critical technologies • Have a plan in place for a third-party service to provide such as a redundant internet connection. ongoing cleaning and sterilization of medical devices. • Make sure network capacity is adequate to move Risk: large data files between systems if necessary. The organization loses revenue because patients have to • Have an appropriate backup plan or disaster recovery be turned away (diverted to another facility) because there plan for the organization’s interface engine (the open is no backup (manual) system in place to intake patient link or application that allows other applications health and billing information. within the network to communicate with one Risk Prevention Strategies: another). • Have a process for manually collecting patient billing • As part of the disaster recovery plan, note whether information, so financial services staff members have the organization is able to restore an earlier version complete and correct billing information when they of all critical systems. later submit claims. • When considering backup capabilities and restoration • Implement a formal manual backup process for timings, account for changes in complexity and physicians to transcribe their notes if the patient volume of data over time (for example, a considerable accounting system (PAS) is down. increase in the number of patients since the last time • Consider assigning a staff member sole responsibility business continuity plans were reviewed), and test to make sure physician notes are properly transcribed the ability to migrate large data files from the backup and are later captured in the PAS once it is back online. systems to the primary systems.

• If the organization’s main building is not accessible IT Risk Areas (such as during a hazardous materials incident or Risk: due to fire or weather-related damage), have controls The organization cannot recover vital systems and suffers in place to make sure there is sufficient (remote) negative impacts to patient care, reputational damage and network bandwidth and proper equipment to allow financial losses, and it is in breach of federal, local and state staff to work either from home or at a predetermined regulatory requirements and potentially subject to fines. off-site facility.

Risk Prevention Strategies: Risk: • Have a backup facility in place that is able to bring up the During downtime, security is reduced, leaving patient organization’s main servers and provide synchronous health information, payment card information and other replication, redundancy and high availability. sensitive information at risk of being compromised.

Have a process for manually collecting patient billing information, so financial services staff members “ have complete and correct billing information when they later submit claims. ” 7 Healthcare Business Continuity Management and Disaster Recovery Risk Prevention Strategies: Risk: • In the recovered environment, have in place security As healthcare organizations outsource more and more controls that are the same as or comparable to those systems and processes, they are reliant on third parties to in the original environment. maintain critical applications and systems, whether stand-

• As part of DR, include a plan for simultaneously alone applications or those integrated with other in-house recovering the security functions that go with critical applications. systems. For example, if there is a specific firewall in place to protect sensitive patient records, the disaster Risk Prevention Strategies: recovery plan should include that firewall, and it • Coordinate disaster recovery plans and business should be brought back up with the EHR. continuity plans with all vendors providing third-party applications or hosting critical applications. • Create a plan for destroying any confidential information that was captured on paper during • Share updates to BCPs and DR plans, and conduct downtime procedures, and decide as an organization periodic joint tests with vendors, depending on the how long the paper should be kept in case it needs criticality of the applications. to be referred to (for example, should the paper be scanned so there is an electronic copy?).

Association of Healthcare Internal Auditors I Crowe, LLP 8 Strategies for Successful Business Continuity Management The following are some of the areas healthcare DR plans. Local partners can be called on for assistance organizations most commonly overlook when creating with emergency response, transportation and even business continuity and disaster recovery plans as well patient care during a disaster affecting the individual as strategies for making those plans more effective. facility or one that is widespread throughout a region.

Revisit business continuity plans and DR plans Clearly define roles. Plans should detail who has the often. Business continuity and disaster recovery plans authority to declare a disaster and define roles for the are not static documents meant to be created one organization’s disaster recovery team. Depending on time and then put away on a shelf. They should be the size of the entity, four or five people typically make revisited consistently and revised as needed based on up the overall disaster recovery team, covering areas changes to departmental processes and software or such as communications and media relations, resources other infrastructure changes. Commonly overlooked and supplies and workforce. Each of these people will in this area are changes to technology vendors or new lead a team of individuals who can take action during IT systems that weren’t reflected in the original BC and an event and make sure disaster recovery and business DR plans. A process should be in place to capture such continuity plans are executed. The IT department changes. In addition, BCPs contain vital staff and vendor typically has a separate disaster recovery team that contact information. As this information changes includes a point person who determines budget and frequently, plans should be reviewed periodically and resource allocation and maintains contact with vendors. updated when contact information changes such as when there is employee turnover. To capture staff Identify in advance any temporary staffing or information, consider sending an annual or biannual vendors that might be needed during a disaster. email to employees as a reminder to provide updated Business continuity plans should include contact contact information to organizational leadership. information for additional staff required. Consider assigning a staff member the role of managing Keep business continuity and disaster recovery temporary staff during a downtime or disaster event. plans in multiple formats. Unfortunately, some organizations have learned the hard way the Keep up with training. Training staff in BCM and consequences of relying on only one format when disaster recovery may seem like one more to-do item paper-only plans have burned during a fire or an in an increasingly busy work environment; however, in electronic-only plan was rendered inaccessible due to the midst of a disaster is not the time to learn about the a system crash or ransomware attack. Keeping BC and organization’s business continuity and disaster recovery DR plans in multiple formats and storing backups off- plans. Organizational leadership should require training site are essential practices. at regular intervals—at least annually—and be sure to Don’t overlook outlier or affiliated facilities. Larger include plans for training new employees during the organizations need to consider and include in their onboarding process. BCPs and DR plans any external facilities, such as Consider having a third-party consultant review behavioral health clinics, imaging centers or other the organization’s plans. An outside perspective free-standing centers belonging to the health system can help organizational leadership challenge existing or existing as part of a joint venture with another business continuity and disaster recovery plans and health system. note areas for improvement. The bird’s-eye view can Seek input from local authorities and community be valuable, especially for organizations that have been partners. Working with local community leaders and experiencing change in management, operations or authorities such as police, fire departments and other IT systems and for those that have been using similar healthcare providers is critical when creating BC and plans for many years.

9 Healthcare Business Continuity Management and Disaster Recovery Test, test and test some more. Testing the overall time frame. And many organizations already practice business continuity plan, including disaster recovery, is full-scale disaster simulation drills, such as those paramount to validating effectiveness in the event of a required by CMS.6 disaster. Testing should be conducted at least annually, Finally, whether conducting a full-scale, communitywide and many organizations benefit from more frequent drill or a biweekly IT downtime simulation, testing, depending on the size and scope of the facilities organizations should have a formal procedure to involved. Some organizations find tabletop exercises capture and address lessons learned from tests to be helpful. During these events, key stakeholders performed. Also, lessons learned from other from departments across the organization walk through organizations that could experience the same or various disaster scenarios featuring loss of IT systems. even different types of disasters should be evaluated, These tabletop exercises typically include “injects” wherever possible, so additional perspectives can be in which twists to the scenario are added to help considered. This will help organizations be even better participants probe what they might do should scenario prepared for various disaster scenarios. Just as facilities X, Y or Z happen. learn valuable lessons after the fact when an actual Some organizations’ IT departments periodically event occurs, indispensable insights can be gleaned conduct downtime exercises during which they take from drills and other simulation exercises, with the down a main system, such as the organization’s EHR, information then being used to revise and update BC and then try to restore it from backup within a specified and DR plans.

Association of Healthcare Internal Auditors I Crowe, LLP 10 Making Business Continuity Management an Organizational Priority For business continuity management efforts to be most responsibility for updating plans at least annually; successful, they need to be among an organization’s depending on organizational size, this may be the top priorities. This can be an understandably tall order individual’s sole job. for many healthcare organizations in an era marked by • Include discussion about BCM and DR plans in daily stretched financial and human resources. or weekly departmental meetings. As with many organization-wide initiatives, business • Regularly communicate information about BC or DR continuity management requires a commitment of plans with staff members to increase awareness. support from organizational leadership, including the board. The following strategies for making business • Consider the impact to BC and DR plans when continuity management more of an organizational implementing new IT systems, moving applications to priority should be considered: a hosted environment or making significant changes to operating departments. • Include discussion about BCM on the board’s and C-suite’s meeting agendas. Help establish or enhance • Consider including a BCM-related objective on senior tone at the top. leaders’ annual reviews.

• Appoint a member of the leadership team to own business continuity management, including

As with many organization-wide initiatives, business continuity management requires a commitment “ of support from organizational leadership, including the board. ”

11 Healthcare Business Continuity Management and Disaster Recovery Conclusion: Internal Audit’s Vital Role In a complex and continuously evolving healthcare industry that faces more threats than even just a decade ago, today’s hospitals and health systems need to be more prepared than ever to continue operations should a disaster occur. Healthcare internal auditors play a critical role in assessing whether an organization is meeting business continuity management objectives. These objectives include formulating thorough, standardized business continuity and disaster recovery plans—with considerations for the essential processes, personnel and resources, including external partners, needed to navigate an event—and overseeing testing and follow- up for all plans.

Working with organizational senior leadership, healthcare internal auditors can help make sure business continuity management is effective so the organization is ready to serve patients even when unexpected events occur, disasters strike or major systems are unavailable.

Endnotes: 1 “Lawmakers Seek OSHA Standard on Workplace Violence Prevention in Health Care,” Safety+Health, March 14, 2018, https://www.safetyandhealthmagazine.com/articles/16776-lawmakers-seek-osha-standard-on-workplace-violence-prevention-in-health-care

2 Aziza Kasumov, “Cyberattacks on Health-Care Providers Are Up in Recent Months,” Bloomberg, July 17, 2018, https://www.bloomberg.com/news/articles/2018-07-17/cyberattacks-on-health-care-providers-are-up-in-recent-months

3 Risa Johnson, “Feather River Hospital: ‘We Don’t Know If We Will Reopen’ After Camp Fire,” Chico Enterprise-Record, Nov. 28, 2018, https://www.chicoer.com/2018/11/28/feather-river-hospital-we-dont-know-if-we-will-reopen-after-camp-fire/

4 Sheri Fink and Alan Blinder, “Houston’s Hospitals Treat Storm Victims and Become Victims Themselves,” The New York Times, Aug. 28, 2017, https://www.nytimes.com/2017/08/28/us/hurricane-harvey-houston-hospitals-rescue.html?smid=tw-nytimes&smtyp=cur

5 John Palmer, “Five Lessons That Have Made Hospitals Better Prepared Since Hurricanes Katrina and Sandy,” Patient Safety & Quality Healthcare, Dec. 6, 2017, https://www.psqh.com/news/five-lessons-made-hospitals-better-prepared-since-hurricanes-katrina-sandy/

6 Centers for Medicare & Medicaid Services, “Emergency Preparedness Rule,” https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertEmergPrep/Emergency-Prep-Rule.html

12 Healthcare Business Continuity Management and Disaster Recovery ABOUT AHIA

The Association of Healthcare Internal Auditors (AHIA) is a network of experienced healthcare internal auditing professionals who come together to share tools, knowledge, and insight on how to assess and evaluate risk within a complex and dynamic healthcare environment. AHIA is an advocate for the profession, continuing to elevate and champion the strategic importance of healthcare internal auditors with executive management and the Board. If you have a stake in healthcare governance, risk management and internal controls, AHIA is your one-stop resource. Explore our website for more information. If you are not a member, please join our network, www.ahia.org. AHIA white papers provide healthcare internal audit practitioners with non-mandatory professional guidance on important topics. By providing healthcare specific information and education, white papers can help practitioners evaluate risks, develop priorities, and design audit approaches. It is meant to help readers understand an issue, solve a problem, or make a decision. AHIA welcomes papers aimed at beginner to expert level practitioners. This includes original content clearly related to healthcare internal auditing that does not promote commercial products or services. Interested? Contact a member of the AHIA White Paper Subcommittee.

SUBCOMMITTEE:

Alan Henton, White Paper Chair Debi Weatherford [email protected] [email protected]

Mark Eddy Laura L. Sak-Castellano [email protected] [email protected]

Linda Greer Deborah Pazourek, AHIA Board Liaison [email protected] [email protected]