Business continuity in the finance and healthcare sectors

Despite operational differences in financial and healthcare organizations, the need for business continuity is strong in both. This tip discusses how the business continuity and disaster recovery lessons learned in these sectors can be leveraged in other industries.

When it comes to business continuity (BC) in the banking/finance and healthcare sectors, the lessons to be learned from both sectors can be very valuable for those in other industries.

From business and operational views, the two sectors are clearly quite different. Both, however, are very sensitive to any kind of disruption that would impact their operations, their ability to help people and the vast amounts of data they require. Any operational disruption to critical banking systems or to hospital systems could negatively impact either institution, not only in terms of providing their primary services, but also their reputation in the community.

Regulations in the financial and healthcare sectors that impact business continuity

Both sectors have regulations in place that address the need for business continuity. In the financial sector, several are in place, including NASD 3510 and 3520 and NYSE Rule 446. Both 3510 and 446 describe the minimum BC processes for each institution, while 3520 specifies the need for emergency contact information. How these activities are implemented is up to the individual institution. There are others, called banking circulars, which address emergency issues, but compliance with the above regulations is required of virtually all financial institutions in the U.S. The Federal Financial Institutions Examination Council (FFIEC) offers a BC planning handbook that is widely used in the financial sector.

Within the healthcare sector, The Joint Commission (formerly The Joint Commission for Accreditation of Healthcare Organizations) issues standards and guidelines for all kinds of healthcare entities. Failure to follow these standards, especially during a Joint Commission audit, could result in the institution losing its license. The Joint Commission standards for emergency management address business continuity in terms of continuity of operations, patient care and other critical functions.

At another level, financial firms need to be consistent with Sarbanes-Oxley (SOX) legislation, particularly as it applies to financial reporting. While SOX legislation does not specifically address business continuity by name, Sections 302 and 404 require the establishment of controls for the processing and reporting of financial data. Within these controls is where business continuity can be established -- as yet another control. Within the healthcare sector, the Health Insurance Portability and Accountability Act (HIPAA) legislation addresses the protection of patient records, among other activities. This is where business continuity can play a key role.

Finally, both sectors need to be aware of Public Law 110-53, signed in 2007, and Title IX in particular. The law's original goal was to address unresolved issues identified in the 9/11 Commission Report. Title IX was added to address business continuity, primarily within the private sector. The law calls for voluntary certification of business continuity plans by approved third-party accreditation firms. Currently the Department of Homeland Security (DHS) is managing Title IX implementation, and is in the process of identifying one or more standards against which company BC plans can be assessed. While Title IX currently requires voluntary compliance with its specifications, in time this could become a mandatory requirement.

Value to other business sectors

Lessons learned from incidents affecting healthcare and finance industries include dealing with system outages, loss of data, network disruptions and human error. For example, when you visit a bank and the computers are down, you cannot transact business and the bank could lose a customer. Similarly, in a hospital, the loss or destruction of patient data, or the unplanned shutdown of a critical system in an emergency room, could result in lawsuits or other litigation. Other business sectors should examine these two industries -- and their recognition of business continuity and disaster recovery (DR) as essential activities -- as models for justification of a BC/DR program.

Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.
