Five essential strategies for hospitals to weather unplanned disruptions
What’s trending: How to ensure business continuity despite hurricanes, cyber events
2024 has brought wave after wave of unplanned disruptions to hospitals and health systems. The industry-wide Change Healthcare and CrowdStrike/Microsoft cyber events and more targeted attacks took organizations offline for extended periods. More recently, Hurricanes Helene and Milton have caused flooding, lengthy power outages, and other destruction.
Such incidents can impede provision of care, create substantial operational delays, and generate security risks.
Healthcare organizations must be ready to safely continue operations. Establishing a tested business continuity plan will minimize financial losses, protect sensitive data, and save lives.
Why it matters
The healthcare sector often struggles with extended downtimes due to inadequate response plans and outdated systems.
The HIPAA Journal reported that the biggest losses from the recent CrowdStrike incident were in healthcare, which suffered direct losses of $1.94 billion—an average of $64.6 million per organization.
Among other incidents this year, a ransomware attack hit a health system with more than 100 hospitals and numerous referring providers. Another hit a large blood center, which impacted blood supply for more than 250 hospitals. These events demonstrate how cyberattacks can directly impact healthcare entities of all sizes because of the interconnected nature of the healthcare ecosystem.
Natural disasters also pose a tremendous risk. In as many as one-third of the cities along the Gulf and Atlantic coastlines, at least half of hospitals are vulnerable to flooding from hurricanes. In other parts of the country, tornadoes, fires, and earthquakes may be bigger concerns.
Regardless of the organization’s location, size, or role in healthcare, ensuring mature enterprise-level business continuity plans is critical to maintain operations during unexpected disruptions.
What’s next
A robust continuity plan allows healthcare organizations to navigate crises effectively. It minimizes downtime, protects essential functions, ensures regulatory compliance, and mitigates reputational damage.
Healthcare executives should consider the following five strategies as they develop or reassess their business continuity plans:
1. Engage the organization’s leaders: Support from the full executive leadership team is critical. Leaders must be confident that the organization’s business continuity strategy includes defined playbooks for key departments, third-party support partners, and service lines.
One way to do this, for instance, is organizing a tabletop exercise with senior executives and key department leaders to simulate a crisis scenario. This will facilitate a deeper understanding of how a lack of planning can impact patient care and financial services. It will also foster collaboration and alignment among executives. This hands-on approach can highlight gaps, improve response strategies, and ensure commitment to the planning process.
2. Conduct a business impact analysis: The data in this analysis can reveal the potential impacts of disruptions on critical functions like patient care and financial services. The organization can then prioritize recovery efforts. The analysis also helps determine acceptable downtime and resource requirements for each department. That way, the organization can tailor continuity procedures to the specific needs and risks associated with each service line.
For example, a regional health system’s oncology department may be the most impacted by a prolonged disruption, given the time-sensitive nature of critical cancer treatments. The business impact analysis results should lead the organization to prioritize continuity and recovery efforts for that department and establish an expedited recovery time objective to minimize the risk of treatment delays.
3. Assess the organization’s business operations risk: A crucial step is to define potential disaster scenarios, such as cyberattacks and specific natural disasters. The organization should establish a comprehensive risk management strategy for each. This should include proactive cybersecurity measures, system backup strategies, and offsite locations.
For instance, a healthcare organization that relies on a single supplier for lifesaving medications should evaluate supply chain vulnerabilities and analyze the potential impact of a supplier disruption. The organization can mitigate this risk by expanding its supplier network, creating redundancy in its supply chain, and ensuring continuity of critical patient care.
4. Develop the organization’s operational response playbooks: Teams should develop playbooks with clear detail to operate effectively in the event of incidents like ransomware attacks and system failures. These playbooks should outline step-by-step actions, including communication protocols, system recovery processes, and escalation paths. This will allow teams to act quickly and consistently during a crisis. Additionally, leaders should ensure ongoing training and staff competency reviews tied to the new procedures and playbooks.
These playbooks should tailor procedures for each major department. Clinical, administrative, and IT departments play a vital role in maintaining continuity of care. Each of these departments faces unique challenges during an incident, and established procedures must reflect this.
For instance, disruptions may prevent the delivery of essential billing and claims documentation. The revenue cycle team would need to activate continuity procedures that include manual billing processes, alternative methods for submitting claims, and coordination with insurers to prevent delays in reimbursement. Establishing such procedures ensures that even without full IT capabilities, the organization can maintain its cash flow and financial stability, minimizing the long-term financial impact of the disruption.
5. Establish right-sized communication and coordination protocols: One of the most important considerations is having effective communication plans for crises. Poor communication can exacerbate disruptions and confuse internal and external response partners. It can also create significant reputational harm.
For example, organizations should include leaders and team members of internal communications and external PR in the planning process. Doing so will ensure the organization’s leaders in cybersecurity, human resources, operations, legal, compliance, and other areas are aligned in advance. They will know what to say to key stakeholders during an incident and which communications channels will be available in a variety of scenarios.
As the risk of disruption increases, healthcare leaders must prioritize business continuity planning to maintain critical operations under pressure. A new article from Chartis offers insight into starting the process with the C-suite and shares an example of how a prepared organization effectively responds during unplanned disruption.
ABOUT CHARTIS
The challenges facing US healthcare are longstanding and all too familiar. We are Chartis, and we believe in better. We work with more than 900 clients annually to develop and activate transformative strategies, operating models, and organizational enterprises that make US healthcare more affordable, accessible, safe, and human. With more than 1,000 professionals, we help providers, payers, technology innovators, retail companies, and investors create and embrace solutions that tangibly and materially reshape healthcare for the better. Our family of brands—Chartis, Jarrard, Greeley, and HealthScape Advisors—is 100% focused on healthcare and each has a longstanding commitment to helping transform healthcare in big and small ways. Learn more.
Want more fresh perspectives to help you think about, plan, and execute strategies for what’s next in healthcare? Subscribe to our latest thinking and check out our weekly blog, Chartis Top Reads.