How Hospitals Can Heal Their BCM Programs

There are around 5,500 hospitals in the U.S., and sometimes I feel like I have been to every one of them to consult with their staff about their Business Continuity Management (BCM) program.

I’m exaggerating, obviously, but it is true that we at BCMMETRICS and MHA Consulting have been privileged over the years to work with a great many hospitals around the country to help them assess and strengthen their hospital BCM program.

Two things I can tell you off the bat, based on these experiences:

1. Nurses make great sources when you want to hear in plain language exactly what’s going on at a hospital.
2. Despite one commonly encountered opinion, American hospitals and the people who work in them have an intense and impressive focus on caring for their patients and keeping them safe.

Unfortunately, there is one area where hospitals lag behind their counterparts in the regular corporate world: their knowledge of and commitment to business continuity.

Recently, however, I’ve noticed that more and more people who work in hospitals have become aware of this and have made a commitment to elevating the resiliency of their institutions.

In light of the above, I thought that in today’s blog I would share some interesting things I’ve discovered over the past two decades about American hospitals and their BCM programs. In keeping with the subject, you could call this my diagnosis of where hospitals are falling short in their BCM programs.

I’ll conclude with a treatment plan showing how hospitals can begin to catch up with their corporate peers in terms of BCM and create a more resilient patient-care environment.

Hospitals & BCM: Diagnosing the Problem

Here are a few striking things I’ve observed over the years in terms of U.S. hospitals and their business continuity management programs. Taken together these constitute my diagnosis of the problem with the business continuity plans of a large number of hospitals:

• Mixed readiness. Hospitals are much better at responding to emergencies that take place outside the hospital and bring patients to them than they are at dealing with events that affect the hospital facility itself.
• Limits of HEICS. The Hospital Emergency Incident Command System (HEICS) is excellent in most hospitals, but it does not create the kind of broad resiliency of operations that is the focus of a strong BCM program.
• An assumption of immunity. People who work in hospitals tend to assume that nature, bad luck, and bad actors will respect their humanitarian role and spare them from the problems they bring to ordinary businesses. Unfortunately, this is not the case and recent events have shown the impact to hospitals.
• Vulnerable facilities. As recent hurricanes and similar events have shown, many hospitals have not given sufficient attention to hardening their facilities against potential threats and disruptions. We have an expectation as a society that hospitals will always be there to take care of us no matter what.
• Not keeping pace. In recent years, hospitals have become vastly more dependent on technology, but their systems for protecting this technology have not kept pace.
• A unique challenge. Protecting the computer systems and data of a hospital is a uniquely challenging (and expensive) proposition due to the immense complexity and criticality of these systems. The average hospital has hundreds of computer systems and applications, and their proper functioning is literally a matter of life and death.
• Lagging behind. When it comes to protecting their systems and data (a part of BCM we refer to as IT/Disaster Recovery), hospitals as a group lag behind the rest of corporate America.
• Dependence on technology. Hospitals today depend on computer systems to do virtually everything they do to take care of patients, from systems for transcribing doctors’ notes to the Pyxis system for tracking and dispensing medications.
• Poor workaround systems. Most hospitals do have downtime procedures that employees can use to perform critical functions in the event of computer outages; however its use is limited and not all employees are well-versed in using the procedures.
• Under-prepared employees. Even when manual backup systems exist, many employees are not familiar with them. When called on to use them, they often do so hesitantly and incorrectly knowing they can’t be used for an extended period of time.
• Impact on patient care. Nurses and upper management tend to disagree on the impact system outages have on patient care, with nurses saying it is significant and immediate (right away) and management often saying it is modest and manageable over a longer period of time.
• Increased risk. In my estimation, when computer systems are down, the level of risk associated with patient care , safety, and outcomes goes up exponentially.
• System unavailability. Application failure is remarkably common in U.S. hospitals. Nurses often complain that the systems they depend on are frequently unavailable. Accountability for these problems tends to be more casual than in other industries I’m familiar with such as banking.
• Inadequate backup systems. Even when hospitals make an effort to back up critical systems, their approach tends not to be sufficiently rigorous. For example, I know of a hospital that created a backup to a critical system for monitoring patients’ heart activity; however, the computer running the backup was in the same room as the computer for the primary system. An event affecting that room could potentially take out both systems.
• Non-clinical operations. As incomplete as the backups of their patient-care systems tend to be, most hospitals have even less backup capability of the non-clinical side of their operations (e.g., finance, accounting, and billing).
• Sticker shock. Understandably, hospital executives often experience sticker shock when confronted with the (high) price for making their information systems resilient. This can cause them to forego any effort to strengthen their institutions’ BCM programs.

Fortunately, in recent years, many hospital employees at all levels have come to recognize that, despite the challenges, there is a pressing need across the industry to take steps to make their computer systems more resilient and to strengthen their business continuity programs generally.

Is your business part of the 48% that lack a BC plan? If so, it might be time to start a BCM program.

Suggested Treatment Plan

If the above constitutes my diagnosis of what ails the BCM programs at most American hospitals, what treatment plan would I suggest?

A “one size fits all” approach works about as well in business continuity consulting as it does in treating human patients; however, I think many hospitals would benefit from taking the following four steps (in order):

2. Harden the facility. Do a solid risk and threat assessment, addressing natural, manmade, and technological risks. Identify the vulnerabilities of your campus and take steps to mitigate them. Make sure you have abundant backup power. Make sure you can monitor what’s happening across the facility. Beef up your physical access controls, if necessary. Look for ways to shield your building from impacts. A campus that is more physically robust is better positioned to ride out incidents of all kinds.
3. Develop robust downtime procedures. For every critical patient-care procedure, develop a method for accomplishing it that doesn’t rely on your computer systems. Make sure workers on every shift are capable of skillfully executing these procedures.
4. Develop better IT backup for the clinical side. Build the most resilient IT environment possible, to minimize downtime and enhance the systems’ ability to be recovered.
5. Develop better IT backup for the nonclinical side. These functions are less critical than the patient-care systems but are nonetheless important.

You’ll also want to make your HEICS system as strong as it can be and ensure it is integrated with the BCM and Information Security programs.

By taking these steps, you will be on your way to ensuring that, in terms of resiliency and business continuity, your patient-care environment and computing systems are healthy and fit.

Consider BCMMetrics™ Business Continuity Management Tools

If you’re searching for business continuity software, take a look at BCMMetrics. Our cloud-based solutions facilitate compliance across your business continuity program and include tools to help with:

• Conducting BIAs. BIA On-Demand (BIA^OD) gives you all the right questions to ask for every BIA interview and organizes the data to provide insights and easily share with your team.
• Evaluating standards compliance. Compliance Confidence (C²) makes it simple to assess your program’s level of compliance against key industry standards and gives you a “FICO-like” score that helps identify areas for improvement.
• Assessing your program’s residual risk. Residual Risk (R²) quantitatively identifies where pockets of residual risk exist and helps you evaluate how to handle them.

We also offer eight hours of free consulting in the first year to help with each tool to make sure you’re getting everything you want out of it. Our tools are intuitive, secure, and get the job done. If that’s what you’re looking for in a business continuity management system, schedule a free demo of our software today.