Business Continuity Planning to Stay Up
Natural and man-made disasters happen. They happen to businesses of all sizes and in all geographic regions. While the disasters themselves can vary from a localized fire to mass power outages and beyond, a well-conceived and tested business continuity plan can minimize the impact and shorten the downtime. For complex organizations, such as pharmaceutical companies, the importance of a disaster recovery strategy can’t be overstated.
Controlled Environments recently spoke with Chris
Burgher, Business Development Executive at SunGard
Availability Services, Wayne, Pa., about how organizations
can prepare for unexpected business disruptions. Chris is
an information technology and security and privacy professional with over 25 years of experience in the IT industry, and has worked in Information Security and IT Risk
Management for the past 15 years. He is a CERT Resilience
Management Model (RMM) Lead Appraiser, and an expert
in operational resilience.
Controlled Environments: How can healthcare and pharmaceutical companies achieve a desired level of “availability” and
maintain uninterrupted business operations?
Chris Burgher: Pharmaceutical companies in particular often
have complex organizational structures and multiple lines of
business (LOB) which can make high availability a challenge
when thinking about how to secure the entire organization.
Based on a recent IDC survey, we know “operational resiliency,” defined as “an emergent property of an organization
that can continue to carry out its mission in the presence of
operational stress and disruption” (source: Carnegie Mellon’s
Resilience Management Model CERT-RMM), is the ultimate
path to achieving continuous availability.
In order to achieve a desired level of availability, pharmaceutical companies should:
• Create a strong workforce continuity plan and test it often.
• Have a plan for re-distributing workload across the organization should a facility go down.
• Think of the value chain as extending beyond the organization’s four walls. If a critical supplier goes down, can your
operations still run smoothly?
CE: From your experience, what are the greatest business continuity vulnerabilities pharmaceutical and healthcare companies are exposed to?
CB: All types of companies are vulnerable to disaster, whether
manmade or natural. Risk management, security, and business
continuity are among the leading vulnerabilities.
For any organization in the healthcare industry, additional
considerations such as HIPAA and PHI compliance apply.
And of course, as many healthcare organizations move to electronic healthcare records (EHR), vulnerabilities surrounding
the security of distributing EHRs exist as well. Overall, these
organizations are facing more data protection issues than ever
CE: What ISO 22301 business continuity standards should
pharmaceutical companies be most conscious about?
CB: It depends on the organization. When you look at the
business continuity lifecycle, many steps are involved.
The first step is to develop scope, context, and management
commitment. After that, a company should define its roles and
responsibilities — understand every business process within
the company so assigned staff can define risks and business
impact to each one.
From there you need to develop strategy, plans, and procedures. This is the step where technology solutions come into play.
Once in place, you must exercise your plan, putting it to test in mock disaster scenarios. It’s important to have standards in place to ensure strong oversight of the program.
Finally, you must evaluate your progress, audit, and review.
Ongoing metrics that identify KPIs of the program are key to success.
CE: There are many pharmaceutical companies in New Jersey.
How did SunGard AS help them recover their environments
during Hurricane Sandy?
CB: During Hurricane Sandy, SunGard Availability Services
received 342 alerts and 117 disaster declarations from its clients. Many of these customers are healthcare organizations
that experienced technology challenges. For instance, some
customers’ servers were under water, quite literally.
For all customers affected by Sandy, we played a vital role
in helping to restore infrastructure, leveraging our three-tiered
approach to recovery to get organizations up and running
after the storm. This approach includes data protection, systems recovery, and people, process, and programs.
The last piece of our approach—people, process, and