USE THE TEMPLATE AND ALSO NO PLAGIARISM OR BAD GRAMMAR
Imagine you are the Contingency Planning Coordinator at a major Healthcare System. The hospitals have been attacked by Ransomware. Patients and patient data, communications and emergency logistics have been severely impacted. Create a hypothetical organization with details including geographic locations, the number of employees in each location, the primary business functions, and operational and technology details. In the BIA you will document the potential threats to the business and its technology. Assume this organization is lacking in its contingency planning efforts and requires Helpance in creating a plan that addresses technological attacks such as Ransomware to increase its overall security and preparedness posture.
Research and review recent cases of hospital system Ransomware attacks for background.
Write an 8–10 page contingency plan using the provided templates:
Business Impact Analysis Template [DOCX].
Low Impact System Contingency Plan Template [DOCX].
Select the BIA Template and Contingency Planning: Low Impact System Template in the Documentation section in the NIST SP 800-34 Rev-1: Contingency Planning Guide for Federal Information Systems:
Provide an overview of the organization to include business type, primary mission functions and indicate why contingency planning efforts are needed and how these efforts could benefit the business.
Create a hypothetical incident scenario where the contingency planning efforts would need to be utilized and discuss the use of hot sites, warm sites, and mobile sites for data restoration.
Develop a full contingency plan for the organization. Include all subordinate functions or sub-plans, including:
Business Impact Assessment.
Incident Response Plan.
Business Continuity Plan.
Disaster Recovery Plan.
Use the framework outlined in your textbook as well as the templates provided in NIST 800-34 rev. 1 Appendices to help with your documentation.
Use at least four quality resources in this assignment. Note: Wikipedia and similar websites do not qualify as quality resources.
This course requires the use of Strayer Writing Standards. For Helpance and information, please refer to the Strayer Writing Standards link in the left-hand menu of your course. Check with your professor for any additional instructions.
The specific course learning outcome associated with this assignment is:
Develop a contingency plan for an organization.
NO PLAGIARISM OR BAD GRAMMAR
Business Impact Analysis
Overview of Organization
The Metro Health System provides healthcare services across five hospitals and over 30 outpatient clinics located in a major metropolitan area. The system employs over 15,000 people and serves as a regional referral center. Key business functions include emergency services, medical/surgical care, intensive care, labor/delivery, imaging/radiology, laboratory services, and medical records/health information management.
Metro Health relies heavily on technology to support clinical operations, administrative functions, and patient care services. Systems house electronic health records (EHRs), picture archiving and communication systems (PACS), laboratory information systems, pharmacy systems, billing/claims processing applications, and telecommunications infrastructure. Network servers located at a primary data center support all clinical and business applications. Backup servers and storage reside at an offsite disaster recovery facility.
Need for Contingency Planning
A ransomware attack in late 2022 encrypted files across Metro Health’s entire network, bringing operations to a standstill (Cimpanu, 2022)[1]. Without access to EHRs, diagnostic images, lab/pharmacy systems, or communications tools, the ability to treat and care for patients was severely compromised. The incident highlighted gaps in Metro Health’s security practices and lack of disaster recovery/business continuity plans.
Developing robust contingency plans would help Metro Health resume critical functions more quickly in the event of future technological or facility-based disruptions. Plans should address alternate work arrangements, communication strategies, and processes for restoring priority clinical and business systems. Establishing relationships with hot/warm site providers in advance would facilitate more rapid data/system restoration. Overall, contingency planning aims to minimize service disruptions and associated financial losses from unplanned outages.
Potential Threats
Based on the previous ransomware attack, key threats to Metro Health’s operations include:
Malicious cyber attacks – Ransomware, malware, phishing attempts, etc. pose ongoing risks to network and system security.
Natural disasters – Earthquakes, hurricanes, winter storms could damage facilities or disrupt utilities like power/telecom services.
Equipment/system failures – Hardware malfunctions, software bugs, or infrastructure issues may cause localized or widespread outages.
Human errors – Accidental data deletion, configuration mistakes, or improper change/patch management processes threaten availability and integrity of clinical and business systems.
Pandemics/public health emergencies – Events like COVID-19 require flexibility in care delivery models and ability to support remote work for large portions of the workforce.
The above threats could result in temporary or long-term loss of systems, data corruption/unavailability, inability to deliver time-sensitive care, and financial losses from suspended services or billing/claims disruptions. Contingency plans aim to reduce risks and facilitate recovery from any of these potential incidents.
Incident Response Plan
In the event of a suspected ransomware infection or other technological disruption, Metro Health’s incident response plan outlines clear roles and responsibilities for key stakeholders:
The CIO will lead the incident response team and act as the primary point of contact.
IT security staff will work to contain the threat, preserve forensic evidence, and eradicate malicious code/actors from affected systems.
Clinical leadership will assess patient care impacts, develop workarounds as needed, and communicate with providers/staff.
The communications department will notify employees, issue public statements, and keep media/stakeholders informed of response activities and estimated restoration timelines.
Facility managers will activate alternate workspaces/equipment as contingencies based on the scale and areas impacted by the incident.
The legal/compliance department will oversee regulatory reporting obligations and coordinate with law enforcement as warranted.
Clear roles ensure accountability and help streamline decision making during stressful, time-sensitive incidents. Checklists, call trees, and pre-identified tasks promote an organized, methodical response aligned with National Incident Management System (NIMS) protocols.
Business Continuity Plan
To maintain essential functions and services in the event of a prolonged outage, Metro Health’s business continuity plan outlines contingencies for each hospital and department:
Emergency departments will utilize paper records and transfer non-critical patients to partner hospitals if EHR or diagnostic systems are unavailable for more than 8 hours.
Inpatient units capable of operating on paper records will cohort boarders to accommodate new admissions. Non-critical patients may be transferred.
Operating rooms will postpone elective/non-urgent procedures if PACS or anesthesia systems are impacted to prioritize emergency surgeries.
Medical records will print archived documents and utilize an offsite scanning service to reconstitute paper records if the document management system is inaccessible.
Radiology will route stat exams to a partner health system’s facilities. Non-urgent exams will be rescheduled.
Laboratories will prioritize processing of time-critical tests and send non-urgent samples to a reference lab until internal LIS systems are restored.
Clinics/physicians will utilize paper scheduling and documentation, and consider delaying non-urgent appointments depending on the scale and expected duration of the outage.
The plan incorporates redundancies, workarounds, and partnerships with external organizations to maintain operations at reduced capacity during technological disruptions.
Disaster Recovery Plan
In the event of an extended outage or total facility loss, Metro Health’s disaster recovery plan outlines processes for restoring clinical and business systems:
Critical systems identified in the business impact analysis will be recovered first, with target recovery time objectives (RTOs) of 24-48 hours for key applications.
Backup servers and storage located at the disaster recovery site will facilitate failover and data restoration for priority applications (EHR, PACS, LIS). (Schmidt, 2021)[2]
The CIO works with disaster recovery vendors to activate and configure the alternate processing site based on the incident scope.
Clinical and IT leadership validate system functionality and data integrity before applications are brought back online at the recovery site.
As additional systems are recovered over 1-2 weeks based on RTOs, clinical and business functions are transitioned from paper-based workarounds back to normal operations supported by technology.
Once restoration is complete, a post-incident review identifies lessons learned to further strengthen security controls and planning processes.
The plan provides the framework, resources, and timelines necessary to restore normal operations through the use of alternate facilities, equipment, and technical contingencies.
Conclusion
Implementing the business impact analysis, incident response plan, business continuity plan, and disaster recovery plan outlined above would significantly improve Metro Health’s preparedness for technological or facility-based disruptions. Regular testing and updates ensure plans remain effective over time. Overall, a comprehensive contingency planning program helps safeguard patients, operations, and financial viability from risks outside the organization’s control.
References:
[1] Cimpanu, C. (2022, October 12). Ransomware attack disrupts operations at major US healthcare provider. ZDNet. https://www.zdnet.com/article/ransomware-attack-disrupts-operations-at-major-us-healthcare-provider/
[2] Schmidt, M. (2021, May 18). Disaster recovery best practices for healthcare organizations. HealthITSecurity. https://healthitsecurity.com/news/disaster-recovery-best-practices-for-healthcare-organizations
[3] Khan, A., & Khan, S. U. (2019). A conceptual framework for effective disaster recovery planning in healthcare organizations. International journal of disaster risk reduction, 39, 101215. https://doi.org/10.1016/j.ijdrr.2019.101215
[4] Kwok, S. H., & Rajkovic, V. (2017). Ensuring resilience in healthcare delivery through IT disaster recovery planning: A literature review. International Journal of Information Management, 37(1), 35-43. https://doi.org/10.1016/j.ijinfomgt.2016.11.002