SUCCESS STORY

Preserving Critical Functions and Services During and After Disasters

When a cyberattack at a key supplier to a large health system created a significant service disruption, organization leadership recognized a need to evaluate their current security posture. With the increasing frequency of cyberattacks, including ransomware attacks, and healthcare’s increasing reliance on digital technologies, Business Continuity Management—as part of a broader Business Resilience strategy—is needed more than ever. Impact Advisors partnered with the organization to take the next step on its Business Continuity journey.

A 12-hospital system with over 200 outpatient facilities and physician practices faced a critical challenge when a cyberattack on a key blood supplier exposed significant gaps in its Disaster Recovery and Business Continuity plans.

Organizational leadership engaged Impact Advisors to assess the existing presence of downtime procedures and create a program designed to enhance its preparedness for maintaining critical hospital functions during major disruptions. The organization’s primary objectives were to:

  • Reduce business disruption by planning recovery activities and
    mitigating downstream impacts.
  • Avoid confusion during a crisis by documenting, testing, and training in
    advance.
  • Facilitate a return to normal business operations by designing and
    documenting restoration action.
 

The organization had experience with short-term planned and unplanned outages of its IT systems but was not well-prepared for outages of a longer duration. In addition, its downtime procedures lacked consistency in terms of process maturity and documentation quality. Similarly, it was adequately prepared for weather-related outages, but less so for other disruptions, such as those instigated by supply chain partners.

“We are able to identify gaps we hadn’t thought of.”

“This process was less painful than I thought.”

“It was nice to have open dialogue with members from other facilities.” 

“I hadn’t thought about doing it that way before.”

Comments from Business Continuity Program Participants

Piloting with Key Administrative and Clinical Service Areas

Impact Advisors began a multi-phase plan, starting with a “Program Design” phase, which included establishing a governance structure for management, prioritization, and oversight. Working closely with health system leadership, the team defined a scalable Business Continuity process tailored to adhere to the organization’s existing standards, thereby flattening the learning curve and aiding adoption. This framework was piloted with eight key administrative and clinical service areas, including Registration & Billing, Supply Chain, Surgical, and Imaging/Radiology, over a 7-week period. During this time, Impact Advisors engaged over 30 leaders to assess recovery maturity, conducted over 40 staff interviews, and performed 7 tabletop exercises.

The assessment uncovered several areas of concern, including high variability in the quality of existing downtime procedures, a focus on managing short-duration disruptions to the exclusion of longer-duration ones, and the concentration of operational knowledge in a few individuals, whose absence would pose a risk to recovery.

An All-Hazards Approach Was Key to Success

The hospital departments were initially focused on how to respond effectively to a wide range of potential outage scenarios, including weather events, earthquakes, IT outages, and staffing shortages, without writing detailed procedures for each. At the beginning of the engagement, the team discovered that the health system had over 40 examples of downtime procedures and disaster recovery plans. To manage this complexity, Impact Advisors adopted an all-hazards approach that emphasized the impacts of disruptions rather than their specific causes. This strategy categorized disruptions into four primary impact areas: IT services, facilities, personnel, and supply chain. As a result, the number of potential response scenarios was significantly reduced.

The team took a “toolbox approach,” equipping the organization with a set of tools and strategies that could be used across various impacts. Impact Advisors developed 13 Business Continuity Plans (BCPs) across the departments, tailored to meet the health system’s needs. A training plan was then developed and transitioned to internal leaders for further scaling across the organization. 

The program was successful in helping to evolve the organization’s maturity level for Business Continuity across several key measures. It also generated improved engagement and communication of risks to leadership that will continue to help mature their competency over time. A clear path forward was highlighted to help the organization continue its Business Continuity journey, including a set of KPIs to monitor ongoing program success.

You Can’t Predict the Future But You Can Prepare for It

A key consideration for healthcare organizations is to approach Business Continuity not as a one-time project with a defined end date, but as an ongoing program or practice. It should be viewed as an evolving process that continuously enhances an organization’s ability to respond to and recover from significant disruptions. This iterative approach fosters organizational learning, enabling increased resilience over time through the insights gained from past preparedness and recovery efforts.

Additionally, Business Continuity is separate from but closely tied to Disaster Recovery, Security Incident Response, and Emergency Preparedness—collectively referred to as a Business Resilience strategy. Therefore, its success rests on the plans and actions established with the various administrative and clinical operating units, rather than relying solely on the IT, Security, and Facilities Management teams. Ensuring business resilience is a large-scale effort and requires cooperation and coordination to be successful.