Why business continuity in healthcare may need a check-up

By: Rajesh Jaluka

Business continuity planning is an established practice for many organizations, but I’m seeing more and more cracks in the pavement.  

Kyndryl’s report on IT risk¹ suggests that while most organizations have experienced events that disrupted their IT systems, the IT decision-makers at those organizations are confident in their ability to withstand another one.  But what about business continuity disruptions that happen outside of the organization, such as attacks on partner systems or market factors, that still impact the ability of the healthcare organization to operate as usual?

In May 2021, a cyber-attack disrupted fuel supplies along the east coast of the United States for nearly two weeks. Consider the impact on healthcare workers’ ability to commute or the availability of ambulances for patients.

A January 2023 system outage forced the Federal Aviation Administration to temporarily ground all flights in the United States. One of the planes may have carried donor organs for transplants or a physician traveling to perform surgery.

Healthcare organizations need highly dependable operations, but disruptions are unpredictable. An effective business continuity strategy, therefore, must encompass more than risk mitigation. Improving patient care quality, increasing medical and administrative staff satisfaction, and preserving shareholder value all factor in.

So, how can healthcare leaders account for these factors when reshaping business continuity strategies? Let’s start with the question of system criticality.

1. Create solutions specific to your needs

Many enterprises use four to five classifications, such as mission-critical, business-critical, essential, and non-critical, to categorize all of their systems. Categorization helps keep the cost and complexity of their business continuity strategy low by designing a one-size-fits-all solution for each category.

However, this approach limits the organizational ability to tailor business continuity solutions to each system’s specific needs, which can create unintended consequences. For example, a more expensive solution for less critical systems and inferior solutions for more critical ones.

Several available SaaS solutions offer a compelling alternative approach to meet Recovery Point Objective and Recovery Time Objective needs. These services are available in a pay-per-use model and can be consumed on a smaller scale. This eliminates the need for organizations to bundle systems into just four or five generic continuity solutions. For example, most cloud providers offer various storage solutions, including object, block, and file. Each of these has multiple options, for example, object storage comes in different tiers based on the frequency of access—each with a different price point.

Many of these services can be consumed easily through code. The cloud providers also have well-architected frameworks to guide developers through cost and design considerations. These can enable organizations to implement a continuity solution that matches the needs of the specific business systems.

2. Determine your appetite for risk

What is the amount of risk an organization is prepared to accept, tolerate, or be exposed to, balanced against its business goals? Many enterprise leaders have unrealistic expectations from the business continuity solutions they have implemented. Every solution is designed with a base set of assumptions, and it breaks when the assumptions change.

For example, most organizations rely on a network carrier to connect with the outside world. The initial design of a business continuity plan might have two network carriers for diversity and redundancy. However, the design will not hold well when one carrier acquires the other, and the two physical networks become integrated. This is where a reevaluation of risk appetite comes in.

It is essential to engage stakeholders from across the organization, including HR, finance, marketing, and even the corporate board, to identify all the risks and assumptions. For example, the risks could be employee availability, equipment failure, site failure, a natural disaster, or ransomware attack. Then, use a method like the one designed by the Information Systems Audit and Control Association² to calculate the risk appetite.

3. Embrace the ecosystem

Fundamental to business continuity planning is understanding the workflows and integrations that drive interdependencies between systems. For example, during an office visit, a physician may not only need access to electronic health records but might also need X-rays or MRIs from a radiology system, prescription ordering through a pharmacy system, or orders of tests through a laboratory system.

Security is also a concern. While the cloud providers have adopted standards that exceed the standards implemented by many healthcare organizations, any disruption to the cloud can have a much broader impact, affecting hundreds and thousands of organizations all at once. Healthcare organizations are also a very high-value target for threat actors. Therefore, for some healthcare organizations, a private cloud-based solution³ may be a better fit.

Rajesh Jaluka is Vice President, CTO, US Healthcare and Government Market, Distinguished Engineer for Kyndryl

 ¹ “Survey findings: What IT decision makers say about the state of IT risk” Kyndryl, October 2023

² “ISACA’s Risk IT Framework Offers a Structured Methodology” ISACA, June 2020

³ “Mainframe modernization: Findings from survey of 500 business leaders” Kyndryl, September 2023