
Business Continuity




General Statement

The mission of PKB’s Business Continuity Program is to establish and support an ongoing contingency planning program to evaluate the impact of significant events that may adversely affect customers, assets or employees. 

This program is designed to ensure that PKB can recover its mission-critical functions, meeting its fiduciary responsibility to its stakeholders and complying with the requirements and guidelines set forth where applicable. 

PKB has developed detailed Business Continuity and Disaster Recovery Plans for the restoration of critical processes and operations. PKB has dedicated resources to its contingency planning and disaster recovery program.

  


Introduction to PKB's Business Continuity Policy

The Patients Know Best (PKB) Business Continuity Policy (BCP) is focused on maintaining the continuity of services, systems and processes, and on returning to a normal operating state as soon as possible, taking into account the impact of any delay on PKB’s quality of service, reputation and finances.

The BCP has been developed to ensure:

  1. PKB's BCP and the objectives herein are understood by all stakeholders and employees.
  2. All critical functional and/or service dependencies are identified, documented and fully evaluated.
  3. Employee, provider and system plans are defined to underpin recovery steps in the event of an interruption in service, function and/or core activities.
  4. The BCP and associated plans, registers and conclusions are reviewed and tested bi-annually.
  5. The BCP is distributed to all named individuals. 
 

Business Continuity Objectives

 
To ensure adequate and effective response planning, PKB has assessed and reviewed service continuity and recovery steps from the following standpoints: provider responsibilities and dependencies, internal system dependencies and adjacencies, stakeholder and customer impact, and financial impact.


The following objectives have been defined:

  • BCP increases PKB’s ability to respond whilst also protecting information assets and service delivery commitments through a holistic approach to recovery management and planning.
  • The BCP management and planning process seeks to reduce the severity of a service-impacting event through a thoughtful and comprehensive recovery and continuity framework.

Scope of the BCP

All of PKB’s activities and initiatives must comply with, and be incorporated into, the BCP.

Requirements of the BCP:

  • A cross-functional DR (Disaster Recovery) Team is defined with a designated IC (Incident Coordinator) to ensure recovery and security of critical systems and assets.
  • A Disaster Recovery Plan (DRP) is formed and maintained to outline specific recovery initiatives, workflows and technical steps. The DRP includes primary and secondary emergency contact information for all named staff, alongside secondary individuals in case of absence or unavailability. Primary, secondary and tertiary communications channels are defined across different communication mediums, so as to lessen dependence on one medium.
  • The DRP is tested for efficacy on a regular basis.
  • Each function within PKB, defined as critical to operational stability or service delivery within the BCP, must maintain a register of services, dependencies, suppliers and vendors to ensure the efficacy of the BCP related to their defined functional responsibilities. 
  • All organisations within PKB with responsibility for a critical service must have a defined BCP coordinator responsible for updating registers as an ongoing organisational commitment. 


The key principles of business continuity within PKB are as follows: 

  1. To take all reasonable steps to avoid any activity that might adversely impact service continuity. 
  2. To ensure continuity planning is an intrinsic component of PKB’s functional methodology and operational approach.
  3. To ensure employee, stakeholder, customer and provider information is current and sufficient. 
  4. To make advance arrangements for the recovery of service critical components.
  5. To make advance arrangements to relocate or reorganise operations to allow critical processes to continue.
  6. To provide resilience for information systems and data, or alternative ways of working in the event of their failure.
  7. All systems and processes must be in line with PKB's Information Governance and Security Policy.
  8. To protect employees, customers and third-parties where an event is likely to impact their safety. 
  9. To apply robustness and rigour to BCP testing and for this testing to have a regular and prioritised schedule of adherence. 
  10. To facilitate BCP training sessions and keep up-to-date BCP training materials. 
  11. To ensure regularity and method in the sufficient updating of the BCP/DRP plans, be those organisational, procedural, provider-centric, systems or services.

Approval and review

PKB-BCP v1.2 approved by the Business Continuity Manager and the Executive Board on 1st June 2020.
 

Disaster Recovery 

In the event of a business disruption affecting PKB, the Disaster Recovery Team (‘DR Team’) will implement a recovery strategy based on the severity and nature of the incident. PKB has no dependence on a traditional physical office facility for the successful operation of business services because all PKB staff work in a distributed way rather than in a central office.

Patients Know Best will notify customers of a business disruption, provide details of the recovery progress, and advise customers of any necessary interim arrangements to contact the company. The details of our business recovery plan are considered confidential and regarded as proprietary materials. However, we will be happy to address any specific questions or issues to assure confidence in PKB’s business continuity capabilities.
 

PKB Infrastructure 

The PKB infrastructure is hosted by Google Cloud Platform (GCP). The GCP full compliance statement is available here: https://cloud.google.com/security/compliance/

 
Key features of PKB’s disaster planning process

  • Distributed and resilient communication channels
  • Key business systems accessibility and definition of alternative methods
  • Resilient and diverse cloud infrastructure
  • Patient data backup, data retrieval and recovery processes
  • Detailed risk and impact assessments
  • Incident step mapping and workflows
  • Step duration analysis
  • Stakeholder and customer communication policies
  • Recovery Time Objectives (RTO) expectations.

Incident Management Team

There is a predefined DR Team that coordinates response and crisis management across PKB. The DR Team has set forth guidelines which incorporate industry best practices for critical business units.
 

Business Impact Analysis

PKB identifies time-sensitive, mission-critical processes, recovery time objectives (RTO) and business impacts.

Business Continuity and Disaster Recovery Plans

PKB prepares and regularly updates and tests its Business Continuity and Disaster Recovery Plans to support the business needs. Plans include crisis management, employee communication, alternative site requirements, recovery management and site-specific checklists.

Plan Testing

All aspects of the plans are tested frequently in accordance with regulatory requirements. This includes crisis management and response, business continuity and critical infrastructure disaster recovery.

Patient Data Backups

The entire fully encrypted patient dataset is backed up nightly. PKB is also continuously archiving changes to this data set. In case of a total system failure (destroyed database servers, etc.) data can be recovered up to the minute before the failure.

 
Auditing

Frequent internal audits are conducted of the business continuity and disaster recovery program. These are performed as part of our biannual IG review process. 
 

Executive Leadership Updates

The DR Team provides regular updates on the status of contingency and recovery programs to the Executive Leadership Team of PKB.

Employee Training and Awareness

This includes promoting awareness, IG procedures, security policies and identifying employees’ roles in a contingency event. Since clear communication during an outage is vital, all PKB employees who support key BCP/DR functions have multiple contact routes: home phone, mobile phone, Skype/IM, Slack and email.

Worst Case RTO for Critical Functions


| Critical Function | RTO |
|---|---|
| Provide access to patient data via web portal. | 4 - 24 hrs |
| Provide access to patient data via API. | 1 - 12 hrs |
| Provide access to support function - ticketing system is offline. | 30 mins |

 


Since it is impossible to anticipate every type of potential disaster, there can be no assurance that there will be no interruption of the PKB business functions in all circumstances. However, PKB is committed to rigour and robustness in our approach and planning with regard to our Business Continuity Program.


David Grange,
2 Jun 2020, 06:49