Anticipating Threats: How Prepared Is Your Business?

By Endrita Muhaxheri

Having an effective business continuity management system based on ISO 22301 can help medtech companies remain resilient.

With the shifts in the business environment happening faster than ever, new risks also arise. These shifts often require taking new business continuity approaches. By having an effective business continuity management system based on ISO 22301, organizations will be able to employ a holistic approach that will help them move forward with confidence and be sure to remain resilient. When implemented correctly, it will also lead to improved quality in all processes, which can provide increased profit for the organization.

Furthermore, with smart business continuity management, the organization will be able to build a strong foundation, allowing it to show the value of the business continuity program to key stakeholders and, most importantly, to its customers.

This article elaborates on what exactly ISO 22301 – Business Continuity Management is, and it provides insights about its benefits to the medical device industry. Furthermore, it offers information on how ISO 22301 improves quality management.

What Is ISO 22301 – Business Continuity Management System?

ISO 22301 is the international standard for Business Continuity Management (BCM). It provides requirements for a management system that helps organizations run an effective business continuity program and minimize the impact of disruptive incidents. It is generic, and therefore applicable to any type of organization, regardless of its nature, its characteristics and the sector in which it operates.

According to the International Organization for Standardization (ISO), “ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.”

ISO 22301 was first published in 2012. There was increasing interest in updating the existing version to better deal with the range of threats in today’s business landscape. Therefore, in November 2017, ISO 22301 went into revision. Currently, the standard is at the Draft International Standard (DIS) stage, in which several modifications are being made. The new version will identify opportunities for aligning ISO 22301 with today’s BCM thinking. A team of more than 30 experts from more than 14 countries is evaluating each recommended change and using agreed criteria to decide if and how a change should be implemented.

Benefits of ISO 22301 in the Medical Device Industry

Having emergency response plans in place is essential to being able to address natural or man-made disasters. Ensuring that medical devices are protected from unfortunate events is crucial. As devices become increasingly interconnected, they can, on the one hand, make the healthcare system more efficient and improve the care patients receive. On the other hand, medical devices that depend on computer systems are exposed to security threats. Events such as natural disasters and security breaches come unexpectedly and can impact the effectiveness and safety of the device. Fortunately, medical device manufacturers can employ an all-inclusive approach to reduce cyber risk: considering security during the design and development of medical devices (security-by-design), and having a strong plan both to manage evolving vulnerabilities and to respond when incidents occur.

It is imperative that organizations comply with data security and business continuity standards such as ISO 22301, and ensure that they have taken the appropriate measures so that their activities are resilient and will not be seriously impacted by unexpected disruptions.

The first step in protecting the organization from disruptions is creating an all-inclusive approach, meaning that all potential areas and critical elements that can have an impact should be taken into consideration.

So, what are the reasons why business continuity in healthcare is important?

1. Protection of crucial operations and assets

Business continuity responsibility reaches across most areas of a business, and all employees directly or indirectly have a role in ensuring organizational success. A fundamental objective of any security team is to stay alert by conducting risk assessments, preventing breaches, preparing to respond to such events and, finally, supporting post-incident recovery. Security teams are at the core of reducing and managing risk, protecting assets and people, and adding value—one on which it is hard to put a price tag.

2. Protection of sensitive data

With the increasing incorporation of technology in the healthcare sector, safeguarding patient data is becoming more difficult. Therefore, it is important that medical providers implement technology that backs up data continuously, so that the organization can regain access to patient data in times of disaster. Medical device manufacturers should apply an effective cybersecurity framework that allows them to monitor and identify cybersecurity information sources and then detect the risks. In terms of software, too, they should have a strong plan that includes monitoring, verifying and validating third-party software and its updates. This will allow the manufacturer to sustain safety and essential performance.

Adequate data protection processes and backup practices ensure that data is secured, help diminish the risk of a catastrophic failure and allow healthcare organizations to focus instead on service expansion.

3. Maintaining efficiency

Cases of unexpected disruption can be costly from both a business and a medical perspective. For instance, a disruption in business operations will undoubtedly increase operating costs.

However, with an appropriate business continuity program, healthcare organizations will be able to operate efficiently even when disaster strikes.

A well-planned business continuity management program will enable an organization to continue operating during a disaster and eventually to fully recover and go back to normal business operations in a timely manner.

How ISO 22301 Improves Quality Management

Business continuity management is important to ensuring the continuity of quality, and maintaining it requires having the appropriate plans in place.

Incident Response Plan. An incident response plan (IRP) is vital for disaster recovery and business continuity, because it contributes to the protection of sensitive data; however, many organizations do not have one. An IRP should set out an effective strategy to handle incidents, diminish their impact and strengthen the defense against future incidents. An IRP can also help protect a company’s reputation, maintain customer trust, and reduce the risk of lost revenue.

Disaster Recovery Plan. Business continuity (BC) and disaster recovery (DR) are closely related practices that support an organization in remaining operational even after unfortunate events. Their goal is to limit risk and get an organization running again after an unexpected interruption.

According to PhoenixNAP, 93% of companies without disaster recovery that suffer a major data disaster are out of business within one year.

Some of the benefits that are associated with having a disaster recovery plan in place are:

  1. Cost efficiency, as preventive and corrective measures will be in place.
  2. Minimization of the impact of a potential interruption of fundamental business operations.
  3. Increased employee productivity, because specific roles are set and the disaster recovery plan will be executed by the right people.
  4. Greater customer retention, since customers switch to another provider when an organization is unable to meet their expectations.

Business Impact Analysis (BIA). The most important task in a business impact analysis (BIA) is to understand which organizational processes are crucial to uninterrupted business operations, and to understand the impact that a disruption of these processes would have on the business.

The BIA should be the starting point, prior to the business continuity plan or disaster recovery plan. A BIA defines the priority of each business function, its dependencies, the required staff and the timeframe within which the function needs to be recovered for the organization to restore its operations.

Some of the benefits include improved functionality, cost reduction and increased compliance.

Business Continuity Plan. Many organizations have a business continuity plan (BCP), but a significant portion lack practical knowledge of how to enact it in a real-life emergency. As such, the following are three crucial questions you should ask while and after completing a BCP:

  1. Instruments of activation: What tool will you use to activate the BCP in a real-life scenario?
  2. People responsible: Who is responsible for making crucial decisions in the event of a disaster, and do all staff understand their responsibilities?
  3. Communication and awareness: Are your employees informed about the BCP and action plans? Do they know whom to contact in case of a disaster?

Through the creation, implementation and continual improvement of these plans and business strategies, the organization raises awareness about the importance of protecting crucial business operations. This instills risk-based thinking in the overall management culture, which is a crucial element of quality management. The risk-based thinking approach involves an understanding of the organizational context and of the risks and opportunities that need to be addressed.

In conclusion, the business continuity plan is important because speed is the new currency of business. The more quickly incidents can be identified and controlled, the less damage they will cause. No matter how diligently the organization and its staff focus on ensuring the security and stability of systems, systems as well as employees are inevitably vulnerable to some kind of natural or man-made disaster that threatens the existence of the business. Even though some disasters, such as power outages, are predictable, many are unexpected in timing or severity, creating unwanted disruption for people and the organization.

The more effort we put into preparedness, the more reliably the processes can be implemented. We have witnessed many devastating events, and we must treat them as lessons for all of us to learn from.

About The Author

Endrita Muhaxheri, PECB