Disasters can strike at any time, and are always unexpected. But planning for disasters is more than a matter of what goes on in the hospital’s data center. In the end, it is the hospital’s staff that must work as a team to set things right after a disaster strikes. And that means putting in place operational procedures, workarounds, and prioritizing various department functions that constitutes a business continuity plan.
Memorial Sloan-Kettering Cancer Center (MSKCC) in Manhattan is in the process of mapping out a business continuity plan for each department in the hospital. Steve Duch, the hospital’s director of IS business development, makes a distinction between business continuity and disaster recovery planning. “We did disaster recovery planning before this, but it was disaster recovery without the business continuity component,” he says.
“Business continuity is what happens to people in the workplace, staff relocations, manual procedures, operational procedures, emergency notification procedures, and documentation procedures,” Duch explains. “We want to separate that from disaster recovery, because when people think of disaster recovery, they think IT has it covered. But you still have to make that distinction, have to prepare what your people are going to do. We want them to think about that first, when they are doing the planning, up front.”
To conduct its audit, the hospital is using software (supplied by Virtual Corp., Budd Lake, N.J.) to formalize and document a business continuity plan for each one of its business units. Duch says that the business continuity process is getting broad participation from the hospital’s departments. The hospital has assembled a planning committee that identifies the applications that are thought to be most critical, but the departments also have a say in what they think is most essential.
Duch says the hospital ranks its software applications as tier 1, 2 or 3, in recovery time and recovery point objective, or how far back in time the data should be recovered. The most critical applications are the ones that are patient facing or that the patients rely on, Duch says. “We are a completely digitized hospital [the hospital uses Allscripts as its main vendor], so the medical system is one of the tier 1 applications that have to be up and running right away; also the blood bank system and the laboratory system.”
During the process, the head of each business unit is asked to identify procedures, describe the workflow, and identify the most important part of the business,” Duch says. “We then ask them to identify which applications they need, what are the essential parts of the IT applications to make sure they are able to do their job.” The results are fed back into the hospital’s disaster recovery plan so the needs of the departments are met.
Duch says the audit is an ongoing process, and that nearly all of the hospital’s major departments have been covered. He says the process has been useful, because it has potential gaps in services a department thought it could provide. “One that we missed the first time out, but is critical that we have, is food services, because we have a lot of patients with special diets and special timeframes. That has to be a tier 1 critical system for us,” he says.
MSKCC tests its disaster recovery plan one or two times a year. On the business continuity side, it holds an exercise that involves “coming up with a scenario, and we call the team together and see how they would respond to that scenario,” he says. “It involves hospital administration and they take it seriously.”