Cyberattack, major IT outage, fire, flood, staff shortage...
In a hospital or healthcare association, every interruption of activity has a direct impact on the safety of patients and service users.
That is precisely the purpose of the PCA (Business Continuity Plan, BCP) and the PRA (Disaster Recovery Plan, DRP): to enable the organisation to keep providing care and support, even in the event of a serious crisis.
1. BCP / DRP: what exactly are we talking about?
BCP: steering through the storm
A Business Continuity Plan (BCP, or PCA in French) is a planning document that describes how an establishment keeps its essential missions running during a major crisis (cyberattack, power failure, flood, pandemic, etc.).
It starts by identifying vital activities (emergency department, inpatient accommodation, pharmacy, patient records, payroll, etc.) and then plans the fallback resources needed to sustain them (premises, IT, paper procedures, staff, etc.).
In healthcare, the BCP is not limited to IT: it can be integrated into the establishment's white plan (plan blanc) and cover human resources, buildings, suppliers, logistics, etc.
DRP: restarting after the shock
The Disaster Recovery Plan (DRP, or PRA in French) complements the BCP: it describes how to restart what has been stopped, in particular the information system.
As the CNIL reminds us, disaster recovery encompasses all the actions required to restart a system that has been shut down following an incident.
In concrete terms, the DRP specifies, for example:
- the order in which applications are restarted (patient record, imaging, HR, etc.),
- the backups they are restored from,
- the target times to be met: the RTO (recovery time objective, the maximum tolerated downtime) and the RPO (recovery point objective, the maximum tolerated data loss, i.e. how old the restored data may be).
In the public sector as in healthcare, national guidelines recommend thinking about the BCP and the DRP together, sometimes as a single PCRA (Business Continuity and Recovery Plan).
2. Why is this crucial for hospitals and healthcare associations?
Continuity of care and protection of vulnerable persons
A well-designed BCP/DRP serves first and foremost to ensure continuity of care and support, even in the midst of a crisis. For a hospital or healthcare association, this means keeping disruption to a minimum: avoiding the closure of entire departments, maintaining monitoring of fragile patients, guaranteeing the distribution of treatments, and preserving the reception and safety of residents.
Very real threats, especially cyber
Today, a cyberattack can paralyse an entire hospital information system and expose sensitive health data.
Without a BCP/DRP, teams find themselves without clear instructions, decisions are taken in a hurry, and the risk of medical errors, loss of information or organisational chaos explodes.
With a BCP/DRP worked out in advance, teams have a ready-to-use scenario: who does what, with which tools, in what order. Lessons learned from past incidents show that:
- patients benefit from better continuity of care,
- data is better protected thanks to proven backup and restore procedures,
- staff know what to do, which reduces stress and mistakes in the middle of a crisis.
A clear expectation from the authorities
The authorities (ANS, ANSSI, ARS) now expect formalised BCPs and DRPs: the "business continuity and recovery strategy" is one of the functions covered by cybersecurity programmes such as CaRE.
In short, for a healthcare establishment, having no robust BCP/DRP is no longer an option: it is a prerequisite for protecting patients, teams and data.
3. How to set up a BCP / DRP in a medical-social establishment?
Step 1 - Setting up governance and sponsorship
A BCP/DRP cannot be "just an IT document". It must be backed by management and co-constructed with the business lines.
In concrete terms, this means identifying a sponsor (general management of the hospital or of the association), setting up a BCP/DRP committee that brings together the CIO, nursing management, medical management, quality/risk management, logistics, HR, the CISO, etc., and appointing a clearly identified project manager.
This framework makes it possible to arbitrate priorities, budgets and technical choices without getting stuck.
Step 2 - Identify vital activities (impact analysis)
The aim is to answer two simple questions:
- Which activities must never stop? (emergency department, operating theatre, secure unit, on-call duty, medical hotline, etc.)
- With what minimum service level, and what acceptable downtime?
This is the purpose of the business impact analysis (BIA): mapping essential processes, identifying their dependencies (applications, premises, service providers, key personnel) and defining recovery objectives (RTO/RPO) for each of them. The BIA is the compass for the BCP/DRP.
Step 3 - Working on crisis scenarios
The ANS PCA/PRA kit recommends covering at least four main scenarios: unavailability of human resources (mass absenteeism, strike, pandemic), of buildings (fire, flood, technical disaster), of suppliers (medicines, catering, telephony, etc.) and, of course, of the information system (cyberattack, major outage).
For each scenario, the concrete impacts on vital activities are described: what becomes impossible, what absolutely must be maintained, and at what level. This is what moves the plan beyond generalities and into the real world.
Step 4 - Building the BCP: how to keep on working?
The BCP answers a simple question: "How do we keep working when everything is going wrong?"
The search is for realistic continuity solutions: transferring certain services to another site, paper-based procedures for prescribing and traceability when the HIS is unavailable, staff reinforcement or redeployment plans, safety stocks (drugs, consumables, equipment), and emergency communication resources (back-up telephony, walkie-talkies, secure external messaging, etc.).
These choices are compiled into a clear plan, with short reflex cards for each department, up-to-date contact lists and emergency numbers, and a crisis management organisation chart (crisis unit, roles, meeting frequency, key decisions).
Step 5 - Building the DRP: how to restart cleanly?
The DRP section focuses on recovering the information system: which applications to restart first and in what order, from which backups, and with what precautions so as not to re-infect the IS after a cyberattack (restoring a backup taken after the intrusion began can bring the attacker's foothold back with it).
It also defines a backup strategy that is actually tested (regular restore drills, with restore times measured and recorded), so as to avoid the "we thought it worked" moment when everything has come to a standstill.
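As an added illustration (not part of the original article or of the ANS kit), the script below shows how the BIA objectives from step 2 and the restart order from step 5 can be checked against each other: applications are sequenced dependencies-first, the measured restore duration of each one is accumulated along its dependency chain and compared with its RTO, the age of its last backup is compared with its RPO, and any backup taken after the suspected start of the compromise is flagged for scanning before it is restored. The application names, durations, timestamps and dependencies are constructed sample data for a hypothetical hospital, not figures from any real establishment.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class App:
    """One application in the DRP, with its BIA objectives and tested restore data."""
    name: str
    rto_hours: float                  # maximum tolerated downtime (from the BIA)
    rpo_hours: float                  # maximum tolerated data loss (from the BIA)
    restore_hours: float              # duration measured during the last restore test
    last_backup: datetime             # timestamp of the most recent usable backup
    depends_on: List[str] = field(default_factory=list)


@dataclass
class Finding:
    app: str
    back_at_hours: float              # hours after crisis declaration until the app is back
    data_loss_hours: float            # age of the restored data relative to the incident
    issues: List[str]                 # empty when RTO, RPO and backup integrity are all met


def restart_order(apps: Dict[str, App]) -> List[str]:
    """Dependencies first (Kahn's algorithm); among the apps ready to be restored,
    the one with the tightest RTO goes first, name as a deterministic tie-break."""
    done: Set[str] = set()
    order: List[str] = []
    remaining = set(apps)
    while remaining:
        ready = [n for n in remaining if all(d in done for d in apps[n].depends_on)]
        if not ready:
            raise ValueError(f"dependency cycle or unknown dependency among {sorted(remaining)}")
        nxt = min(ready, key=lambda n: (apps[n].rto_hours, n))
        order.append(nxt)
        done.add(nxt)
        remaining.remove(nxt)
    return order


def plan(apps: Dict[str, App], incident: datetime,
         compromise_from: Optional[datetime] = None) -> List[Finding]:
    """Walk the restart order and, for each app, compute when it comes back (a restore
    starts once every dependency is up; restores of independent apps run in parallel),
    then check RTO, RPO and whether the backup predates the suspected compromise."""
    back_at: Dict[str, float] = {}
    findings: List[Finding] = []
    for name in restart_order(apps):
        a = apps[name]
        start = max((back_at[d] for d in a.depends_on), default=0.0)
        back_at[name] = start + a.restore_hours
        loss = (incident - a.last_backup).total_seconds() / 3600
        issues: List[str] = []
        if back_at[name] > a.rto_hours:
            issues.append(f"RTO {a.rto_hours:g}h exceeded: back at H+{back_at[name]:g}")
        if loss > a.rpo_hours:
            issues.append(f"RPO {a.rpo_hours:g}h exceeded: backup is {loss:g}h old")
        if compromise_from is not None and a.last_backup >= compromise_from:
            issues.append("backup taken after suspected compromise: scan before restoring")
        findings.append(Finding(name, back_at[name], loss, issues))
    return findings


# Constructed sample data (hypothetical hospital, not real figures).
INCIDENT = datetime(2024, 1, 15, 2, 0)           # ransomware detected at 02:00
COMPROMISE_FROM = INCIDENT - timedelta(hours=6)  # earliest suspicious activity in the logs


def backup_taken(hours_before_incident: float) -> datetime:
    """Timestamp of a backup taken the given number of hours before the incident."""
    return INCIDENT - timedelta(hours=hours_before_incident)


SAMPLE_APPS: Dict[str, App] = {a.name: a for a in [
    App("AD",       rto_hours=4,  rpo_hours=24, restore_hours=2, last_backup=backup_taken(20)),
    App("EPR",      rto_hours=8,  rpo_hours=4,  restore_hours=5, last_backup=backup_taken(3),  depends_on=["AD"]),
    App("PACS",     rto_hours=12, rpo_hours=24, restore_hours=6, last_backup=backup_taken(12), depends_on=["AD"]),
    App("Pharmacy", rto_hours=6,  rpo_hours=2,  restore_hours=3, last_backup=backup_taken(1),  depends_on=["EPR"]),
    App("Payroll",  rto_hours=72, rpo_hours=24, restore_hours=4, last_backup=backup_taken(30), depends_on=["AD"]),
]}


def sample_report() -> Dict[str, Finding]:
    """Run the plan on the sample data and index the findings by application."""
    return {f.app: f for f in plan(SAMPLE_APPS, INCIDENT, COMPROMISE_FROM)}


if __name__ == "__main__":
    for f in plan(SAMPLE_APPS, INCIDENT, COMPROMISE_FROM):
        status = "OK" if not f.issues else "; ".join(f.issues)
        print(f"{f.app:<9} back at H+{f.back_at_hours:>4g}  data loss {f.data_loss_hours:>4g}h  {status}")
```

On the sample data the order is AD, EPR, Pharmacy, PACS, Payroll. Pharmacy cannot meet its 6-hour RTO because it only becomes restorable once AD and the EPR are back (H+7), and its most recent backup falls inside the suspected compromise window, so the plan has to say which older copy to use or what to scan first. The EPR's 4-hour RPO can only be met with a backup that is also inside that window, which is exactly the kind of tension a table-top exercise should surface before a real incident, and Payroll shows a backup schedule that silently drifted past its RPO.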
Step 6 - Test, train, improve
A BCP/DRP left asleep in a filing cabinet protects no one. The cybersecurity authorities recommend testing the plans regularly, in particular through crisis management exercises based on cyber scenarios.
In practice, this involves table-top exercises (around a table, on a fictitious scenario), technical failover and restore tests, and then systematic lessons-learned reviews to improve the set-up. Updating the BCP/DRP at least once a year keeps it in line with reality on the ground.
4. Phishia expertise: a BCP/DRP anchored in the cyber reality of the healthcare sector
At Phishia, we support hospitals, GHTs and healthcare associations day to day in operational cybersecurity and resilience to attacks (ransomware, account compromise, targeted phishing, etc.).
Our strength: linking your BCP/DRP concretely to your actual digital risks, rather than producing yet another theoretical document.
What we do for you
BCP/DRP & cyber flash diagnostic
Review of your plans, procedures, backups and crisis organisation, identification of gaps against ANS/ANSSI recommendations and the CaRE programme, rapid mapping of critical activities and their digital dependencies.
Co-construction of the BCP/DRP with your teams
Workshops with caregivers, management and support functions, development of realistic scenarios (cyberattack blocking the HIS, loss of a site, failure of a key supplier, etc.), drafting of simple reflex cards for use in stressful situations.
Integration with your existing cybersecurity
Alignment of the DRP with your backup, network segmentation, workstation hardening and monitoring strategies, and integration of the plans into your cyber crisis management set-up (SOC, CISO, incident response providers).
Tests & long-term ramp-up
Organisation of crisis drills (table-top exercises, cyberattack simulations), assistance with periodic plan updates, team awareness-raising through simulated phishing campaigns and training modules.
The goal: on the day the crisis hits, your teams don't just discover the procedures... they apply them.
5. What about your BCP / DRP?
Whether you are starting from scratch or want to update an ageing BCP/DRP, now is the time to:
- check that your plans cover current risks (cyber, shortages, health crises),
- make them concrete and usable by your teams,
- and align them with the requirements of the French authorities.
Would you like an outside perspective on your BCP/DRP, or to build an approach tailored to your hospital or healthcare association?
We can discuss this with you in a no-obligation meeting, to understand your challenges and offer you tailored support.