Major cyber events like those with Change Healthcare and CrowdStrike/Microsoft have demonstrated that cyber disruption is a reality for which all healthcare organizations must prepare. The fact that healthcare is the most frequent target for ransomware attacks, as the FBI recently reported, underscores the urgency. Similarly, natural disasters like Hurricane Helene and other unplanned outages can strike at any time.

Such incidents create substantial operational delays and security risks. Healthcare organizations must be ready to continue operations during extended downtimes. Doing so with a robust, comprehensive continuity framework will minimize financial losses, protect sensitive data, and save lives.

Moving beyond mere contingency plans and basic recovery strategies to business continuity planning is imperative.  

Healthcare impact of recent outages

In a recent survey by the American Medical Association, 77% of provider respondents said they experienced service disruptions caused by the Change Healthcare incident. Another 80% said they lost revenue from unpaid claims, while 78% lost revenue from claims they have been unable to submit. And 55% used personal funds to cover expenses incurred as a result of the attack. Half of all respondents said they were forced to enter a new (and potentially costly) arrangement with alternative clearinghouses to conduct electronic transfers.

How downtimes and cyberattacks devastate the healthcare sector

The healthcare sector often struggles with extended downtimes due to outdated systems and inadequate response plans. The HIPAA Journal reported that the biggest losses from the recent CrowdStrike incident were in healthcare, which suffered direct losses of $1.94 billion—an average of $64.6 million per organization, highlighting the critical nature of preparedness.

Among other incidents in 2024, a ransomware attack hit a health system of more than 100 hospitals and numerous referring providers. Another hit a large blood center, which impacted blood supply for more than 250 hospitals. These events demonstrate how cyberattacks can directly impact healthcare entities of all sizes because of the interconnected systems in the healthcare ecosystem.  

Ensuring mature enterprise-level business continuity plans is critical to maintain operations during unexpected disruptions, no matter the organization’s size or role in healthcare.

Building resilience: A mature business continuity plan plays an essential role in healthcare

A well-developed and mature business continuity plan is critical for ensuring operational resilience in the face of unforeseen disruptions. In today’s environment, where cyber threats and other risks can lead to prolonged outages, organizations need more than basic recovery strategies.  

A robust continuity plan, accompanied by playbooks for departments and staff, minimizes downtime and protects essential functions, such as clinical care delivery, access, and financial sustainability. It also mitigates reputational damage and ensures regulatory compliance. In essence, it forms the backbone of a healthcare organization’s ability to maintain service operations and navigate crises effectively.

Top questions chief executive officers (CEOs) should ask operational leaders
  1. How confident are we that our current business continuity strategy can withstand a prolonged cyber incident? How confident are we that it will enable us to sustain operations without compromising regulatory compliance or customer trust?
  2. Have we prioritized our critical operations and patient services? Do we have clear recovery objectives in place? Do we have documented response procedures for key departments and service lines? Do we have a plan to ensure all staff know their role during a disruption?
  3. Have we identified and mitigated the most significant risks to our organization, including cyber threats, natural disasters, and system failures?  
  4. Do we have operational playbooks and procedures in place? Do we have updated procedures to process claims manually for each payer if the technology is unavailable? How will we process labs during an extended downtime?
  5. Do we have a robust communication plan to keep stakeholders, staff, patients, and external partners informed during an incident? 
To develop a robust business continuity strategy, CEOs need to engage their operational leaders with targeted, critical questions. These inquiries will help ensure the organization is prepared to handle prolonged disruptions while maintaining regulatory compliance, patient care, and overall operational stability.  

As you assess the questions above, consider the following strategies and how they connect to key components of your business continuity plan:

  • Engage your leaders: Support from the full executive leadership team is critical to establish an effective business continuity strategy. Leaders must be confident that the current business continuity strategy includes defined playbooks for key departments, third-party support partners, and service lines.  

    One way to do this, for instance, is organizing a tabletop exercise with senior executives and key department leaders to simulate a crisis scenario. This will facilitate a deeper understanding of how a lack of planning can impact patient care and financial services. It will also foster collaboration and alignment among executives. This hands-on approach can highlight gaps, improve response strategies, and ensure commitment to the planning process.

  • Conduct a business impact analysis: This analysis can highlight data showing the potential impacts of disruptions on critical functions like patient care and financial services. The organization can then prioritize recovery efforts.

    The business impact analysis also helps determine acceptable downtime and resource requirements for each department, ensuring that continuity procedures are tailored to the specific needs and risks associated with each service line.

    For example, a regional health system’s oncology department may be the most impacted by a prolonged disruption due to the highly time-sensitive nature of critical cancer treatments. The business impact analysis results should lead the organization to prioritize continuity and recovery efforts for that department and establish an expedited recovery time objective to minimize the risk of treatment delays.

  • Assess your business operations risk: Leaders need to understand the prevalent risks and the importance of mitigation strategies. A crucial step in this process is to define potential disaster scenarios, such as cyberattacks and natural disasters. The organization should also establish a comprehensive risk management strategy for each, which should include proactive cybersecurity measures, system backup strategies, and offsite locations.

    For instance, a healthcare organization that relies on a single supplier for lifesaving medications should use a business operations risk assessment to evaluate supply chain vulnerabilities and analyze the potential impact of a supplier disruption. The organization can mitigate this risk by expanding its supplier network, creating redundancy in its supply chain and ensuring continuity of critical patient care.

  • Develop your operational response procedures/playbooks: Having clear, documented response procedures is critical. Teams should develop playbooks with enough detail to operate effectively in the event of incidents like ransomware attacks and system failures. These playbooks should outline step-by-step actions, including communication protocols, system recovery processes, and escalation paths. This will allow teams to act quickly and consistently during a crisis. Additionally, leaders should ensure ongoing training and staff competency reviews tied to the new procedures and playbooks.

    Equally important is considering all major departments within the organization. Clinical, administrative, and IT departments all play a vital role in maintaining continuity of care. Each of these departments faces unique challenges during an incident, and established procedures must reflect this.

    For instance, disruptions from a natural disaster or prolonged cyber event may prevent the delivery of essential billing and claims documentation. In this scenario, the team would need to activate continuity procedures that include manual billing processes, alternative methods for submitting claims, and coordination with insurers to prevent delays in reimbursement. Establishing such procedures ensures that even without full IT capabilities, the organization can maintain its cash flow and financial stability, minimizing the long-term financial impact of the disruption.

    Tailoring response procedures to account for these nuances ensures that all parts of the organization are prepared to act swiftly and in coordination. This will minimize downtime and maintain the quality of patient care even during disruptive events.

  • Ensure you have right-sized communication and coordination protocols: One of the most important considerations for the business continuity plan is having effective communication plans for crises. Poor communication can exacerbate disruptions and confuse internal and external response partners. It can also create significant reputational harm.

    For instance, part of the continuity planning should be ensuring that leaders and team members of internal communications and external PR are included in the planning process. Doing so will ensure the organization’s leaders in cybersecurity, human resources, operations, legal, compliance, and other areas are aligned in advance. They will know what to say to key stakeholders during an incident and which communications channels will be available in a variety of scenarios.

Resilience in action: Snapshot of a prepared organization

A regional health system experiences a cyberattack that requires it to go offline from its electronic health record (EHR) system for 3 weeks. That impacts essential functions, including clinical documentation, scheduling, and billing. Thankfully, the health system recently completed a thorough business continuity plan.  

With fully trained people and tested procedures, everyone knows just what to do.

Upon recognizing the outage, the crisis management team activates the organization’s business continuity plan (BCP). The team initiates an all-hands emergency call, referencing response playbooks that specifically address cyberattacks and power outages.

The internal communications team executes the appropriate communications, based on the BCP protocol. Executives use pre-defined channels (e.g., secured texting apps, landline systems) to stay in contact. Clinical and administrative teams receive real-time updates from the command center.  

On-call personnel for each department are immediately informed. Each department and line of business turns to its playbook for detailed immediate steps. Critical departments like Emergency Services switch to manual documentation, using prepared paper forms and procedures to ensure patient care continues with minimal disruption.

Clinical staff can operate without the EHR system, using pre-prepared offline patient summaries. Clinical teams initiate alternative care pathways for surgeries or procedures that require power or access to specific medical equipment. This includes diverting patients to nearby unaffected hospitals based on predefined agreements in the BCP.

While IT systems are down, the revenue cycle and billing departments switch to pre-documented manual methods for capturing patient and procedure information. This lets them process claims once the systems are restored.

The organization’s disaster recovery plan ensures that critical systems such as the patient EHR are backed up at an offsite data center. These systems are switched over to backup generators within minutes of the outage. Once the health system is back online with normal operations, planned procedures integrate offline documentation and communications with the EHR system.

Start building a resilient future for your organization before the next disruption

Cyber threats, natural disasters, equipment failures, and extended power outages all require a comprehensive business continuity plan. And as cyber threats become increasingly sophisticated and capable of causing long-lasting disruptions, a mature and proactive business continuity plan is no longer optional. It is essential.  

Healthcare leaders must prioritize this as a strategic initiative to ensure they are prepared for downtime and able to maintain critical operations under pressure. The cost of being unprepared is too great, and the clock is ticking. Organizations with a mature business continuity plan will be able to maintain care delivery and operations despite disruptions. 


Additional contributors: Angela Rivera, Partner in Digital & Technology Transformation; Robert Faix, Partner in Digital & Technology Transformation; Karen Kennedy, Senior Manager in Digital & Technology Transformation; Sean Huffman, Associate Principal in Financial Transformation; Kevin Ryan, Business Process Consultant; and Emily Shirden, Senior Vice President with Jarrard Inc., a Chartis Company.  
