Hospitals are specialized healthcare enterprises that operate either for profit or as a public legal entity. Crisis management in hospitals is also known as “hospital alert and response planning” (German: Krankenhaus Alarm- und Einsatzplanung, KAEP). It has its roots in the need to increase treatment capacity.
Examples of this are mass casualty incidents (MCI) or mass illness cases, in which the hospital has to care for significantly more patients than in regular operation. The KAEP also describes measures to deal with functional failures, such as power outages.
Hospital processes require personnel as well as resources embedded in an organization. Support from resources such as electricity, water, sewage, hygiene, IT, materials, medicines, etc. is required with the highest availability. Organizational, billing and documentation processes occur in parallel.
The intersection between a hospital and a company from a business continuity management perspective is therefore very large. The Criticality Ordinance of the German Federal Office for Information Security (BSI) explicitly refers to healthcare in §6, and threshold values are given in the annex to the Criticality Ordinance. Currently, no dependency chains have been defined in the area of critical infrastructure, i.e., up to now it has been possible for a critical infrastructure company or hospital to be supplied by a non-critical infrastructure provider.
If we look at the individual aspects of business continuity management (BCM) according to ISO 22301, there is also a great deal of overlap between a conventional KAEP and BCM. A KAEP completely covers the emergency manual part. A good KAEP is based on a risk analysis and builds on emergency preparedness measures. Looking at the hospital holistically and from a consequence-based perspective, two aspects need to be covered: increasing capacity and safeguarding against functional failure. See the consequence-based model by Wurm et al. 2017.
Business continuity management in hospitals?
Business continuity management is thus much more comprehensive and provides a framework into which hospital alarm and response planning can be perfectly integrated. Through structured business impact and risk analysis, preparedness measures are derived and implemented. Preparedness also includes the development of coordinated training concepts for staff from the porter to the hospital director.
A user-friendly emergency manual provides clear guidance in the event of an emergency or crisis. So far, only partial aspects of a KAEP's quality can be audited. An audit according to ISO 22301 could close this gap. Reviews and updates are to be carried out regularly. The guidelines help to maintain BCM and give it a framework. In many cases, hospitals and companies lack an adequate job description to establish, build and maintain an emergency preparedness organization.
Quote from a client: “If you think emergency preparedness is expensive, you’ve never paid for an emergency.”
In summary, from our point of view it is clear: companies, especially critical infrastructure companies, and hospitals have more in common than they have differences when it comes to business continuity management.
Do you need support in hospital crisis management, would you like an exercise or would you like to expand your preparedness? Contact us.
An article written by Jens von den Berken, published on 07 May 2019
Translated by Charlotte Ley