Healthcare is becoming increasingly reliant on digital technology and the data it generates. Technology is now integrated into operations at virtually every level—handheld diagnostic tools, tablet-based consultation reports, electronic medical records, automated reconciliation, billing and payment and more. IT is how healthcare works, competes and manages the efficiency and effectiveness of each organization.

As a result, the potential impact of IT outages has increased exponentially. And that makes the discipline of business continuity an imperative for healthcare executives. One clear, simple example of the gravity of this issue: A business continuity plan is required to comply with HIPAA regulations.

But in the course of providing IT managed services to healthcare clients, there is often a lack of clarity and understanding of business continuity in general. So, let’s begin this discussion by defining business continuity in healthcare terms.

Business continuity is a set of plans, procedures and resources established to maintain or recover essential services and functions impacted by an event causing an interruption of normal healthcare delivery operations and integrated with emergency operations plans.

Some confusion among executives is understandable, because the label “business continuity” often is applied loosely to any one of the essential elements in a complete continuity plan.

So let’s provide some perspective here, too. Healthcare executives must manage three distinct but integrated business continuity phases.

Disaster recovery planning. Plans, procedures and resources for continuity or recovery of IT systems, infrastructure and telecommunication service.

Business continuity planning. Plans, procedures and resources for continuity or recovery of essential business services and functions impacted by a disaster or other disruption.

Emergency operations planning. An integrated approach to managing programs and activities for four emergency phases (mitigation, preparedness, response and recovery) for all types of emergencies and disasters, including IT-related events.

Notice the cyclical, interdependent relationship of these three phases – IT, business, and disasters or emergencies. It’s this dynamic that has made escalating cyber threats so challenging for the healthcare industry. The greater the dependence on IT, the greater the risks to the business, and the larger the impact of IT disruptions.

Consider the flow of data alone as a continuity risk factor.

A growing number of doctors, nurses and administrators use Wi-Fi-enabled communications via smartphones and tablets instead of clipboards and pieces of paper. At the same time, internet-connected devices have been introduced at bedsides in multiple forms, to monitor heartbeats, temperatures, blood pressure and more.

The advent of Internet of Things (IoT) technologies adds a layer of complexity, as more systems such as scanners in radiology departments, refrigerators in labs and ventilation systems in operating rooms join the network. These devices present the same security risks as networked computers, but not all have been designed to the same cybersecurity standards.

Increasing mobility complicates the situation: patients, providers and payers share a plethora of digital information across virtual and physical boundaries. Valuable data about the people and processes involved in healthcare are zooming through cyberspace nearly every minute of every day between a range of remote locations, from the smallest physician offices and clinics to the largest hospitals and insurers, via every intervening layer.

And all shades of cyber criminals know about this flow of data, from sophisticated hackers to disgruntled former employees. Interrupting or halting this gushing flow of healthcare data is rapidly becoming big business.

According to a recent survey by the Ponemon Institute, data breaches cost the healthcare industry an estimated $6.2 billion, as nearly 90 percent of healthcare organizations reported they were hit by at least one data breach during the last two years. This study illustrates that any healthcare organization collecting, storing and transmitting patient data is vulnerable to cyber disruption.

Robust business continuity practices provide a bulwark against this cyber threat. Take ransomware as an example. A solid business continuity plan requires all devices involved in healthcare operations to be backed up on a timely, regular cycle. If information is stolen, normal operations can be restored quickly, minimizing the impact of interruption in terms of cost and quality of care.

Overall, sound business continuity practices reduce the leverage of cyber crooks, lending some comfort and confidence to executives and authorities contending with an attack.

Seen in this light, the discipline of business continuity is more than a matter of email filtering or installing a firewall. The profitability and reputation of any individual healthcare organization are at stake. Indeed, these issues are at stake for the industry as a whole. And its senior leadership must take action.

Frank Picarello

Frank Picarello is Chief Operating Officer for TeamLogic IT.