Natural and man-made disasters happen. They happen to businesses of all sizes and in all geographic regions. While the disasters themselves can vary from a localized fire to mass power outages and beyond, a well-conceived and tested business continuity plan can minimize the impact and shorten the downtime. For complex organizations, such as pharmaceutical companies, the importance of a disaster recovery strategy can’t be overstated.
Controlled Environments recently spoke with Chris Burgher, Business Development Executive at SunGard Availability Services, Wayne, Pa., about how organizations can prepare for unexpected business disruptions. Chris is an information technology and security and privacy professional with over 25 years of experience in the IT industry, and has worked in Information Security and IT Risk Management for the past 15 years. He is a CERT Resilience Management Model (RMM) Lead Appraiser, and an expert in operational resilience.
Controlled Environments: How can healthcare and pharmaceutical companies achieve a desired level of “availability” and maintain uninterrupted business operations?
Chris Burgher: Pharmaceutical companies in particular often have complex organizational structures and multiple lines of business (LOB), which can make high availability a challenge when thinking about how to secure the entire organization. Based on a recent IDC survey, we know “operational resiliency,” defined as “an emergent property of an organization that can continue to carry out its mission in the presence of operational stress and disruption” (source: Carnegie Mellon’s Resilience Management Model CERT-RMM), is the ultimate path to achieving continuous availability.
In order to achieve a desired level of availability, pharmaceutical companies should:
• Create a strong workforce continuity plan and test it often.
• Have a plan for re-distributing workload across the organization should a facility go down.
• Think of the value chain as extending beyond the organization’s four walls. If a critical supplier goes down, can your operations still run smoothly?
CE: From your experience, what are the greatest business continuity vulnerabilities pharmaceutical and healthcare companies are exposed to?
CB: All types of companies are vulnerable to disaster, whether manmade or natural. Risk management, security, and business continuity are among the leading vulnerabilities.
For any organization in the healthcare industry, additional considerations such as HIPAA and PHI compliance apply. And of course, as many healthcare organizations move to electronic healthcare records (EHR), vulnerabilities surrounding the security of distributing EHRs exist as well. Overall, these organizations are facing more data protection issues than ever before.
CE: What ISO 22301 business continuity standards should pharmaceutical companies be most conscious about?
CB: It depends on the organization. When you look at the business continuity lifecycle, many steps are involved.
The first step is to develop scope, context, and management commitment. After that, a company should define its roles and responsibilities — understand every business process within the company so assigned staff can define risks and business impact to each one.
From there you need to develop strategy, plans, and procedures. This is the step where technology solutions come into play.
Once in place, you must exercise your plan, putting it to test in mock disaster scenarios. It’s important to have standards in place to ensure strong oversight of the program.
Finally, you must evaluate your progress, audit, and review. Ongoing metrics that identify KPIs of the program are key to success.
CE: There are many pharmaceutical companies in New Jersey. How did SunGard AS help them recover their environments during Hurricane Sandy?
CB: During Hurricane Sandy, SunGard Availability Services received 342 alerts and 117 disaster declarations from its clients. Many of these customers are healthcare organizations that experienced technology challenges. For instance, some customers’ servers were under water, quite literally.
For all customers affected by Sandy, we played a vital role in helping to restore infrastructure, leveraging our three-tiered approach to recovery to get organizations up and running after the storm. This approach includes data protection, systems recovery, and people, process, and programs.
The last piece of our approach—people, process, and programs—was one of the most important areas of recovery during and following the storm. We deployed five mobile recovery units, each equipped with computers, telephones, and all other basic office needs, to assist customers who were not able to use their existing workspace. There were a lot of lessons learned surrounding workforce continuity.
Hurricane Sandy exposed a true data center technology disaster and has companies reevaluating their business continuity programs.
CE: How should pharmaceutical companies prepare for 100 percent availability as we look ahead into storm season?
CB: Disaster recovery planning is a complex challenge that covers three major fronts. Looking ahead and planning for this year’s storm season, pharmaceutical companies need to consider three areas: data protection, systems recovery, and people, process, and programs.
• Data Protection: Hosting your data on-site alone is not a proper method of data protection. The first step to disaster recovery planning is to have an off-site, secure location to protect your data. Depending on your region and its proximity to water or to a storm or tornado “alley,” it’s usually best if your off-site recovery location is 40 to 50 miles away from your on-site location.
• System Recovery: Are your platforms, servers, operating systems, backup software and hardware, hypervisors, networks, and storage up-to-date and actually ready to recover your applications?
• People, Processes, and Program: Providing your staff with the required workspace, equipment and communications is vital to surviving a disaster. You should also have a “runbook” that documents the steps of your recovery. If a disaster strikes tomorrow and your staff has to work remotely, would they know what to do? It’s important to continually test these processes throughout the year. A disaster recovery/business continuity (DR/BC) program is ongoing, and requires constant attention including testing, analyses, execution of change management, and more.
Many companies hire a service provider like SunGard Availability Services to keep their program in tip-top shape at all times.
This article appeared in the September 2013 issue of Controlled Environments.