B.1 DISASTER RECOVERY




Technology Recovery Strategy (20 hours)

To confirm that MHS has developed an overall strategy to manage information technology to minimize impact to business operations during a declared event.

Standard: EM.02.01.01 - The hospital has an Emergency Operations Plan. (EP#4)
MHS Policy - Technology: Disaster Recovery, Section 1a. Information Services will: Develop, monitor and maintain a disaster recovery plan for Information Services systems that include: a Business Impact Analysis, data backup procedures, emergency mode operation procedures, recovery procedures, and testing and revision procedures for Tier 1 production systems.
Procedure I. D.2. All systems in the data centers and other critical systems will be supported with uninterrupted power sources and have access to emergency generator power by engineering.
Procedure I. D.3. The data centers power requirements will be identified, documented, monitored and appropriately maintained by Engineering.
DS4.1 - Ensure Continuous Service - IT Continuity Framework
DS4.4 - Ensure Continuous Service - Maintenance of the IT Continuity Plan
DS4.6 - Ensure Continuous Service - IT Continuity Plan Training
DS4.7 - Ensure Continuous Service - IT Distribution of the IT Continuity Plan
DS4.9 - Ensure Continuous Service - Offsite Backup Storage

1. Assess whether MHS has developed an overall strategy for managing recovery of technology and systems. This includes:
   a. Existence of a written plan explaining the recovery strategy and actions to restore systems critical to patient care.
   b. Required procedures for IS systems (data back-up, emergency mode operations, recovery, testing, etc.).
   c. Updates to the written plan when operations change.
   d. Training on plan components with key staff.
   e. Distribution of plan to key persons, and ensuring the plan is accessible under each disaster scenario.
2. Assess the process for managing the data centers and recovering servers during an emergency. Verify that:
   a. Processes exist to identify, prioritize and restore critical servers.
   b. Uninterruptible power sources are maintained and tested.
   c. Data center power requirements are identified, documented and monitored by Engineering.
3. Assess the adequacy of recovery processes for non-IS managed systems.

Business Impact Analysis (10 hours)

To validate that MHS has assessed operations and aligned system recovery plans with current business needs for critical operations.

MHS Policy - Technology: Disaster Recovery, Section 1a. Information Services will: Develop, monitor and maintain a disaster recovery plan for Information Services systems that include: a Business Impact Analysis, Data Back-up Procedures, Emergency Mode Operations Procedures, Recovery Procedures, Testing & Revision Procedures
DS4.3 - Ensure Continuous Service - Critical IT Resources

1. Obtain a copy of the Business Impact Analysis (BIA). Assess for the following attributes:
   a. Reflects the current and complete MHS environment.
   b. Is current (within past 12 months).
   c. Documents the risks (qualitative/quantitative) and outcomes (opportunities/threats) for each department/business process.
2. Validate there is a process in place to update the BIA when changes to the MHS environment occur.

Recovery Objectives (10 hours)

To verify there is a prioritization process to maximize critical resources and align business expectations with recovery objectives.

MHS Policy - Technology: Disaster Recovery, Procedure I. E. Information Services and separate Information Systems Disaster Recovery Plans will be tested once a year on our Tier 1 production systems, either in response to an actual emergency or in planned drills.
DS4.3 - Ensure Continuous Service - Critical IT Resources

1. Assess whether IS has defined the ranges of recovery timelines for system downtime and lost data, based on process criticality.
2. Assess whether recovery time objectives (RTOs) and recovery point objectives (RPOs) have been assigned to system applications. Confirm the assigned objectives align to the Business Impact Analysis results.
3. Assess whether there is a process to communicate these objectives to the corresponding business entities/business owners.

Test Plans and Schedules (30 hours)

To validate that disaster recovery plans have been developed and tests have been scheduled to prepare for potential declared events.

MHS Policy - Technology: Disaster Recovery, Section 1a. Information Services will: Develop, monitor and maintain a disaster recovery plan for Information Services systems that include: a Business Impact Analysis, data backup procedures, emergency mode operation procedures, recovery procedures, and testing and revision procedures for Tier 1 production systems.
MHS Policy - Technology: Disaster Recovery, Procedure I. E. Information Services and separate Information Systems Disaster Recovery Plans will be tested once a year on our Tier 1 production systems, either in response to an actual emergency or in planned drills.
DS4.2 - Ensure Continuous Service - IT Continuity Plans
DS4.4 - Ensure Continuous Service - Maintenance of the IT Continuity Plan
DS4.5 - Ensure Continuous Service - Testing of the IT Continuity Plan
DS4.8 - Ensure Continuous Service - IT Services Recovery and Resumption

1. Verify that a schedule of tests and exercise activities has been created according to the Disaster Recovery plan.
2. Assess the process to document, update, store and collect/distribute test plans.
3. Obtain the Tier list of applications/systems used by Information Services. Assess the process for generating the list and verify the list is current (within the past year or since any major system change).
4. Select a sample of Tier 1 systems/applications and test for the following:
   a. Test plan has been created and is available
   b. Test plan is current
   c. Test plan identifies key personnel/responsibilities
   d. Test plan identifies primary actions to be performed for resumption, including data inputs/reports, other needed resources.

Test Results and Remediation (20 hours)

To validate that disaster recovery plans are effective to resume operations within expected recovery objectives and that test plans are updated based on identified improvements.

MHS Policy - Technology: Disaster Recovery, Procedure I. E. Information Services and separate Information Systems Disaster Recovery Plans will be tested once a year on our Tier 1 production systems, either in response to an actual emergency or in planned drills.
DS4.5 - Ensure Continuous Service - Testing of the IT Continuity Plan
DS4.10 - Ensure Continuous Service - Post-resumption Review

1. Select a sample of Tier 1 applications and test for the following:
   a. System has been tested within the past year, either through a simulated test or an actual declared event
   b. Test results were documented
   c. A post-exercise review occurred, with recommendations to improve continuity identified

B.2 BUSINESS CONTINUITY

Continuity Strategy (30 hours)

To confirm that MHS has developed an overall strategy to ensure continuous operations and has implemented critical preparations in advance.

Standard: EM.01.01.01 - The hospital engages in planning activities prior to developing its written Emergency Operations Plan.
Standard: EM.02.02.03 - As part of its Emergency Operations Plan, the hospital prepares for how it will manage resources and assets during emergencies.
Standard: EM.02.02.11 - As part of its Emergency Operations Plan, the hospital prepares for how it will manage patients during emergencies.
Standard: EM.03.01.01 - The hospital evaluates the effectiveness of its emergency management planning activities.
Section III. A. An HVA (Hazards Vulnerability Analysis) is completed to assess the likelihood and impact of emergencies and is used to guide the development of the Emergency Operations Plan (EOP) and Emergency Management Program. The HVA is reviewed and assessed annually to determine if the probability of emergencies has changed with changes annotated and plans revised as needed.
Section III. E. The CEMP [comprehensive emergency management plan] clearly defines the process for activation and implementation of the plan. The description includes the command structure (ICS - Incident Command System) for the plan, the conditions requiring activation of the plan, and the individual(s) responsible for implementation of the plan.
Washington State Emergency Management Department identifies 9 natural hazards for the state: Avalanche, Drought, Earthquake, Flood, Landslide, Severe Storm, Tsunami, Volcano, and Wildland Fire. The department also identifies 11 technological hazards: Abandoned Underground Mine, Chemical, Civil Disturbance, Dam Failure, Hazardous Material, Local Hazard, Pipeline, Radiological, Terrorism, Transportation, and Urban Fire.

1. Assess whether scenarios or criteria have been established to enact a continuity plan and declare an emergency event.
2. Validate that a comprehensive plan has been established for continuity of operations. This should address:
   a. Emergency Operations Center / Incident Command Center setup
   b. Chain of Command / Communications
   c. Activating and/or cancelling emergency procedures
   d. Instructions / Procedures to manage through events
   e. Alternate sites for care/treatment of patients
   f. Documenting results / reporting of the declared event
3. Assess management's oversight of Emergency Preparedness, including advisory board meetings and other established committees.
4. Verify that a Hazards Vulnerability Analysis (HVA) has been completed for all campuses at MHS. Select a sample of HVAs and review for the following:
   a. Has been updated within past 12 months
   b. Assesses all major Washington State hazards
   c. Assigns ratings and scoring of each hazard
   d. Has been approved by appropriate level of management
5. Validate that the hospital has prepared for sustaining operations for 96 hours. Verify the plan addresses:
   a. Medication/supplies management
   b. Staffing levels
   c. Food and water supplies
   d. Patient care
6. Validate that MHS coordinates with local and regional contacts for Emergency Preparedness.
7. Verify that an Inventory Asset Tracking process has been established to manage emergency supplies. Validate that:
   a. There is a process for updating this spreadsheet annually
   b. The spreadsheet completes all required fields
   c. A process is in place to meet the grant requirements for regionally-funded supplies.
8. Validate that MHS maintains adequate levels of supplies and equipment for emergency use. Validate that supplies are tracked and replaced when the shelf-life of perishable supplies has expired.

Continuity Plans and Procedures (20 hours)

To validate that response plans are successful through the ongoing planning, testing and revising of continuity plans.

Standard: EM.02.01.01 - The hospital has an Emergency Operations Plan.
Standard: EM.03.01.03 - The hospital evaluates the effectiveness of its Emergency Operations Plan.
Section III. H. Periodic drills are essential for maintaining staff awareness of emergency procedures and for evaluating the effectiveness of plans.
Section III. I. Scheduled drills and community exercises which activate the MHS CEMP provide opportunities to observe staff performance and identify opportunities for improvement.

1. Verify that an Emergency Operations Plan has been established for each hospital and it is current (last 12 months) and approved by the correct level of management/oversight.
2. Validate that a process is in place to create an emergency management plan for all clinic/off-site locations.
3. Select a sample of emergency management plans and review for the following:
   a. Plan is current
   b. Plan defines roles/key persons needed to perform the plan
   c. Plan outlines procedures/actions to be performed
   d. Plan has associated test results / lessons learned
4. Validate that MHS has developed a schedule for testing each hospital location, twice annually. Verify that MHS includes the following test scenarios in at least one of the annual tests:
   a. A simulation of a surge/influx of patients
   b. The local community is unable to support the hospital
   c. Includes participation in a community-wide exercise

Communications (10 hours)

To validate that adequate communications can be maintained during and after a declared event to facilitate continuous operations and support of patient care.

Standard: EM.02.02.01 - As part of its Emergency Operations Plan, the hospital prepares for how it will communicate during emergencies.
Standard: EM.03.01.03 - The hospital evaluates the effectiveness of its Emergency Operations Plan.
Section III. E. The CEMP [comprehensive emergency management plan] includes a list of key staff essential for full implementation of the plan and procedures for contacting them. Contact procedures include on-site and remote contact processes for both manual and automated capability.
Section III. M. Redundant internal and external communications systems are in place and are interoperable with other healthcare and first responder agencies.

1. Review the communication strategy in place, including available tools/channels, roles/responsibilities, and types of messages.
2. Validate processes are in place to maintain current communications information, including updating phone numbers, contact names/departments and other resources.
3. Validate that communications processes are developed for the following audiences during a declared event:
   a. Notifying staff & personnel
   b. Notifying patients/families, esp. if relocating patients
   c. Notifying external authorities
   d. Notifying media/community
   e. Notifying vendors/suppliers
   f. Notifying regional healthcare partners
4. Validate there is a process to monitor the effectiveness of communications (both internal and with external entities) during an emergency response exercise.

Training (10 hours)

To validate that personnel are prepared to handle a declared event.

Standard: EM.02.02.07 - As part of its Emergency Operations Plan, the hospital prepares for how it will manage staff during an emergency.
Standard: EM.02.02.05 - As part of its Emergency Operations Plan, the hospital prepares for how it will manage security and safety during an emergency.
Section III. O. Staff knowledge of their role in CEMP [comprehensive emergency management plan] activation is evaluated annually. Changes in CEMP are incorporated into the annual mandatory education curriculum.
Section IV. C. Department leaders are responsible for orienting new personnel to the procedures of the department and, as appropriate, to job and task specific responsibilities for emergency management.
Section VII. C. Employees also receive departmental safety orientation at their respective work areas regarding hazards and their responsibilities to patients, visitors and co-workers. In addition, all staff will participate in periodic refresher training relative to the Hospital Command Center (HCC)/Emergency Operations Center (EOC).
MHS Policy Emergency Credentialing/Privileging-Licensed Volunteers
Washington Industrial Safety and Health Act (WISHA) Washington State RCW - Chapter 49.17

1. Validate that MHS has trained staff on their emergency response roles during a declared event. Confirm there is a process to retrain staff periodically.
2. Validate there is a process for training staff on the use of emergency personal protective equipment (PPE), such as decontamination supplies. Confirm there is a process to periodically retrain staff.
3. Confirm there is a process to instruct volunteer licensed independent practitioners regarding their role in an emergency prior to a declared event. Verify there is a process to manage these volunteers during and after a declared event.