Policies
Contingency Planning Program Standard
Contingency Planning Program
Every Tenet Facility must have a comprehensive Contingency Planning Program. These standards supplement the Facility’s Disaster Recovery Plan (DRP) to help ensure that our operations and workforce members are protected, safe and recoverable in the event of a disaster or significant event.
Contingency Planning Program Budget
- Sufficient budget to support plan development and maintenance
- Labor, supplies and services to fulfill obligations of the Contingency Planning Program
Key Disaster Scenario
- Used as the basis to design, develop, activate and execute the Contingency Plan (CP)
- Represents the worst-case conditions of a disaster (severity, timing, major critical loss)
Emergency Response Team (ERT)
- Key disaster recovery team includes management from the following areas:
- Administration (CEO, COO)– Chairperson
- Privacy and Security Compliance Officer and Compliance Officer
- Information Security Officer
- Information Systems
- Facility Security
- Human Resources
- Accounting (CFO)
- Public Relations
- ERT primary roles include:
- Ensuring safety of individuals
- Providing initial response review
- Making decisions regarding the level of disaster response
- Planning, coordinating, exercising, managing and maintaining the CP
- Coordinating plan development, response and recovery withmanagers
- ERT activated in the initial phase of an emergency
- ERT approves recovery resources and procedures for BCP, ERP and DRP
- Sufficient budget to support plan development and maintenance
- Labor, supplies and services to fulfill obligations of the Contingency Planning Program
Key Disaster Scenario
- Used as the basis to design, develop, activate and execute the Contingency Plan (CP)
- Represents the worst-case conditions of a disaster (severity, timing, major critical loss)
Emergency Response Team (ERT)
- Key disaster recovery team includes management from the following areas:
- Administration (CEO, COO)– Chairperson
- Privacy and Security Compliance Officer and Compliance Officer
- Information Security Officer
- Information Systems
- Facility Security
- Human Resources
- Accounting (CFO)
- Public Relations
- ERT primary roles include:
- Ensuring safety of individuals
- Providing initial response review
- Making decisions regarding the level of disaster response
- Planning, coordinating, exercising, managing and maintaining the CP
- Coordinating plan development, response and recovery withmanagers
- ERT activated in the initial phase of an emergency
- ERT approves recovery resources and procedures for BCP, ERP and DRP
- Data Criticality Analysis (DCA)
- Identify mission critical applications and data sets
- Determine recovery priority for identified information
- Use cost-benefit analysis to determine recovery strategies
- List business impacts (patient care impact, revenue loss, penalties, extra expenses) per function
- Rank application by category
- Category 4
- Critical system cannot be unavailable for any length of time
- Redundant systems with full backups are required
- Category 3
- Critical system cannot be unavailable for longer than 24 hours
- Backupsare retained off-site and retrievable within 24 hours
- Disaster recovery procedures allow for recovery and restoration within 24 hours
- Category 2
- System cannot be unavailable for longer than 72 hours
- Backups are retained off-site and retrievable within 72 hours
- Disaster recovery procedures allow for recovery and restoration within 72 hours
- Category 1
- System must be restored but can be unavailable for longer than 72 hours
- Backups are retained off-site and retrievable within reasonable amount of time
- Disaster recovery procedures document recovery and restoration procedures
- Category 0
- System does not need to be restored following a disaster
- Backups may be retained but are not required
- Disaster recover procedures document recovery and/or restoration procedures
- Data Backup Plan (DBP)
- Backup and store DCA information in a secured facility away from primary location
- Ensure recall for recovery purposes procedures
- Implement Backup Plan with required components
- Contact list
- List of critical data
- Schedule of backups
- Retention periods
- Off-site storage facility rotation schedule
- Emergency Response Plan (ERP)
- Ensure ERP with critical resources and procedures are followed
- Initiate at onset of potential emergency (at initiation of the DRP)
- Covers the handling of or dealing with disaster events
- Team Identification and Contact Lists (ERT, business function recovery teams)
- Personnel Safety and Evacuation Procedures
- Damage Assessment Procedures
- Disaster Criteria
- Notification Procedures
- Command Center Logistics
- Disaster Alert Procedures
- Disaster Declaration Procedures
- Business Continuity Plan (BCP)
- Outlines how to continue critical business operations while recovering from an emergency and/or declared disaster
- Outlines steps to maintain or continue operations when adverse event occurs
- Team Structure–Team Leader and alternates, team members, contact numbers
- Team Notification Procedures
- Business continuity procedures for critical systems
- Documentation procedures for critical systems
- Disaster Recovery Plan (DRP)
- Restore and recover critical information assets
- Lists resources and recovery procedures for critical systems
- Team Structure–Team Leader and alternates, team members, contact numbers
- Team Notification Procedures
- Location of Recovery Facilities
- Backup Requirements and Retrieval Processes
- Response Procedures for critical systems
- Recovery Procedures for critical systems
- Resumption Procedures for critical systems
- Restoration and Return Procedures for critical systems
- Contingency Testing Plan (CTP)
- Validating procedures and date and sign each exercise/test
- Testing the components of the Contingency Planning Program
- All systems are represented and appropriately categorized in DCA review
- All appropriate systems are included and testedfor retrieval in the DBP plan
- ERP procedures are relevant and appropriate
- All appropriate systems are included in the BCP plan and hardcopy documentation is available
- All appropriate systems are included and tested for recovery in the DRP plan
- Record(s) of reviews, updates and exercises/testing conducted
- Contingency Plan Maintenance
- Update plan when changes are identified
- Annual contingency plan testing
- Installation of a new system
- Significant business change
- Training
- Personnel should be trained on the Tenet Facility’s contingency planning procedures
- Documentation should be maintained for all training classes conducted
- Identify mission critical applications and data sets
- Determine recovery priority for identified information
- Use cost-benefit analysis to determine recovery strategies
- List business impacts (patient care impact, revenue loss, penalties, extra expenses) per function
- Rank application by category
- Category 4
- Critical system cannot be unavailable for any length of time
- Redundant systems with full backups are required
- Category 3
- Critical system cannot be unavailable for longer than 24 hours
- Backupsare retained off-site and retrievable within 24 hours
- Disaster recovery procedures allow for recovery and restoration within 24 hours
- Category 2
- System cannot be unavailable for longer than 72 hours
- Backups are retained off-site and retrievable within 72 hours
- Disaster recovery procedures allow for recovery and restoration within 72 hours
- Category 1
- System must be restored but can be unavailable for longer than 72 hours
- Backups are retained off-site and retrievable within reasonable amount of time
- Disaster recovery procedures document recovery and restoration procedures
- Category 0
- System does not need to be restored following a disaster
- Backups may be retained but are not required
- Disaster recover procedures document recovery and/or restoration procedures
- Data Backup Plan (DBP)
- Backup and store DCA information in a secured facility away from primary location
- Ensure recall for recovery purposes procedures
- Implement Backup Plan with required components
- Contact list
- List of critical data
- Schedule of backups
- Retention periods
- Off-site storage facility rotation schedule
- Emergency Response Plan (ERP)
- Ensure ERP with critical resources and procedures are followed
- Initiate at onset of potential emergency (at initiation of the DRP)
- Covers the handling of or dealing with disaster events
- Team Identification and Contact Lists (ERT, business function recovery teams)
- Personnel Safety and Evacuation Procedures
- Damage Assessment Procedures
- Disaster Criteria
- Notification Procedures
- Command Center Logistics
- Disaster Alert Procedures
- Disaster Declaration Procedures
- Business Continuity Plan (BCP)
- Outlines how to continue critical business operations while recovering from an emergency and/or declared disaster
- Outlines steps to maintain or continue operations when adverse event occurs
- Team Structure–Team Leader and alternates, team members, contact numbers
- Team Notification Procedures
- Business continuity procedures for critical systems
- Documentation procedures for critical systems
- Disaster Recovery Plan (DRP)
- Restore and recover critical information assets
- Lists resources and recovery procedures for critical systems
- Team Structure–Team Leader and alternates, team members, contact numbers
- Team Notification Procedures
- Location of Recovery Facilities
- Backup Requirements and Retrieval Processes
- Response Procedures for critical systems
- Recovery Procedures for critical systems
- Resumption Procedures for critical systems
- Restoration and Return Procedures for critical systems
- Contingency Testing Plan (CTP)
- Validating procedures and date and sign each exercise/test
- Testing the components of the Contingency Planning Program
- All systems are represented and appropriately categorized in DCA review
- All appropriate systems are included and testedfor retrieval in the DBP plan
- ERP procedures are relevant and appropriate
- All appropriate systems are included in the BCP plan and hardcopy documentation is available
- All appropriate systems are included and tested for recovery in the DRP plan
- Record(s) of reviews, updates and exercises/testing conducted
- Contingency Plan Maintenance
- Update plan when changes are identified
- Annual contingency plan testing
- Installation of a new system
- Significant business change
- Training
- Personnel should be trained on the Tenet Facility’s contingency planning procedures
- Documentation should be maintained for all training classes conducted