Prolonged downtime due to ransomware attacks and cybersecurity breaches is a growing threat in
healthcare IT — and with the increasing prevalence of these catastrophic events and their deleterious
effects on healthcare operations, chief information officers need to do more than worry.

“Many healthcare organizations have disaster recovery and business continuity plans that are part of
their routine business practices, but long-term disaster preparedness augments and supplements those
plans. This is a critical component of an organization’s readiness to protect patient lives and financial
well-being in the event of a catastrophic downtime event,” said Zahid Rathore, Senior Vice President at
Healthlink Advisors.

To assist healthcare organizations in developing and improving long-term disaster preparedness plans,
the Healthlink Advisors team developed Project Blackout Blueprint℠ — a comprehensive, phased
approach to creating prioritized “playbooks” to guide IT and business teams in protecting critical
business operations.

“Teams need to identify and prioritize critical clinical, revenue cycle and ERP workflows that enable them
to admit, treat and discharge patients, account for the care provided, and compensate employees,” said

Project Blackout Blueprint℠ has four phases:

Phase 1: Initiate and stand up project governance

Healthlink Advisors will help you establish a steering committee to provide oversight for the
project, and small, short-term expert groups to define the team’s preparedness needs.

“Our team will help leaders ensure their peers understand that this is not an IT-led initiative.
Instead, it’s an opportunity for IT to pull the business closer to them and better understand how
to support their critical operations,” said Rathore. “IT is a partner supporting clinical, revenue
cycle, human resources, supply chain and leadership teams on their journey to manage risk
and mitigate disastrous consequences caused by downtime.”

Phase 2: Conduct current state review and prioritization

In Phase 2, teams will look at each business area, identify and prioritize key functions, and look
for technology-enabled workarounds to support necessary functions.

“During this phase, we are identifying necessary functions that the organization is going to do
during a downtime event — as well as what they aren’t going to do,” said Rathore.

According to Rathore, part of this process involves objectively analyzing and identifying risks
and pitfalls associated with proposed workarounds that could lead to costly legal or operational
problems, as well as identifying proposed workarounds that IT is unable or unwilling to support
because they do not comply with regulations and requirements.

Phase 3: Create Project Blackout Blueprint℠ playbooks

Each area of focus will receive a playbook of practices and procedures to follow during a
catastrophic downtime event. The playbook will incorporate existing disaster recovery and
business continuity processes, including applicable checklists, incident command structures,
restoration plans and more.

“We’re not starting from scratch,” said Rathore. “Each playbook will leverage the team’s
existing business processes and plans that are already documented and used to obtain Joint
Commission accreditation as an example.”

Phase 4: Implement repeatable processes for ongoing updates

As the playbooks are finalized, Healthlink Advisors will transition the knowledge and tools to
the client for ongoing implementation.

“It is possible to survive a prolonged downtime event — but not if you didn’t think about your
playbook in advance. You can’t just rely on disaster recovery and business continuity plans,”
said Rathore. “Project Blackout Blueprint℠ is about the power of prevention.”

Zahid Rathore is a senior vice president at Healthlink Advisors, a healthcare consulting firm committed to improving clinical innovation, business systems, and healthcare IT strategy, delivery and operations.
Healthlink Advisors has extensive experience in assisting healthcare organizations with short- and
long-term IT planning, including disaster recovery, business continuity and catastrophic downtime