When it comes to business continuity planning, healthcare is often ahead of the game – regulatory requirements make sure of that. But for health IT leaders, such planning is complex and constantly evolving, or at least should be. Shalen Sehgal, managing director at Crises Control, suggests some key actions CIOs and CCIOs should be taking on continuity planning.
- Consider the more unpredictable events. Is your risk register based entirely on what has happened in the past? If so, you’re missing a trick. Make sure you’re considering new and emerging risks, as well as more random events. Power outages and data breaches, including through cyberattack, are likely high on your list. But what about the disruption that could be caused by a small fire in the same building as your server room?
- Ensure your plan is fit for use during the panic that will ensue when an event strikes. Do this by creating a series of shorter action plans to fit each of your major threat scenarios. These actions should include specific tasks for specific individuals, such as taking responsibility for locking down access to the data until the event is resolved and then lifting the lockdown.
- Make sure that your action plans will be available to you under all circumstances. Having a well-written plan in place is absolutely no use to you if you cannot access it in an emergency because your IT servers have been taken out by a flood, fire or power failure. Having a copy of the plan hosted on cloud servers might be an option, but can it be accessed from mobile devices as well as laptops?
- Involve a variety of communications channels. Using phone, e-mail, SMS and push notifications means that external stakeholders, such as suppliers, can choose which channels they prefer to use, and the message is guaranteed to get through to them somehow. A communications platform that can create an automatic audit trail can be helpful. This enables detailed review of events after a challenging incident – including winter pressures.
- Make sure that you have a testing and exercising programme in place. This should include a mixture of virtual, desktop and live tests and exercises. Such a testing programme is required for NHS agencies as part of emergency planning.