DSPT Toolkit - Business Continuity Plans


© Hertfordshire Care Providers Association Ltd. 2022 - All Rights Reserved

BUSINESS CONTINUITY PLANS
DSPT TOOLKIT

A business continuity plan (BCP) is a plan for keeping your business running in the event of an emergency. Typically, these plans focus on the people being cared for – how can we care for people if there is, for example, a power cut, local flooding or a pandemic?

However, having records of personal data available is also important for care and for staff – e.g. people’s medication records, staff rota etc.

They should also cover data and cyber security, e.g. how you would access your records if there was a fire in the office, the internet went down or you were hacked.

WHERE TO START?

7.1.2 Does your organisation have a business continuity plan that covers data and cyber security?

7.2.1 How does your organisation test the data and cyber security aspects of its business continuity plan?

A BCP will need some time and consideration. You need to identify all IT systems, devices and paper files that are critical to your business, or that you need in order to keep your service running on a daily basis. Think about what you rely on day-to-day, e.g. do you use rostering, care planning, electronic medicine administration record (MAR) charts or a person’s care file?

For more information, email dataprotection@hcpa.co.uk or phone 01707 708018

DEVICES

What devices hold or allow access to critical data? For example, in smaller organisations, is there a laptop with everything on it? What could go wrong if you can’t access the data on it? Do the management team or other staff have smart phones with access to personal data via email or company systems?

We will look at more scenarios and what could potentially go wrong and what you need to plan for. Here are some typical things that might happen:

LOSS OF PHONE LINE/INTERNET

LOST, STOLEN OR BROKEN COMPUTER OR SMART PHONE

OFFICE UNAVAILABLE

E.g. through fire

YOUR SUPPLIER’S SYSTEM IS DOWN

E.g. the rota system won’t work and it’s the supplier’s fault

YOU ARE HACKED

POWER CUT

There may be others that might affect you.


THINKING ABOUT YOUR CRITICAL SYSTEMS AND CRITICAL DEVICES.

For your plan, you need to think about each scenario:

• Think about how it might affect your organisation – just how bad could it be?

• How likely is it to happen?

• What steps would you take if it did happen?

• Is there anything you could do to prepare just in case?

EXAMPLE SCENARIO 1

Phone line / internet goes down. Think about:

• What systems would you lose access to?

• Would you still be able to direct staff to where they need to be?

(E.g. you could print a hard copy of a rota once a week or download a copy to another device.)

• Which mobile/s could you use to make calls?

• Would numbers for your main contacts be easily accessible?

• Is there a temporary alternative if you’ve lost the internet? (E.g. you could use a mobile phone to give an internet connection to a laptop by tethering.)

• Could office staff work from another place, e.g. at home using their own Wi-Fi?

Much of this would also apply if there was a power cut. For a power cut you could use the battery on a laptop or invest in an Uninterruptible Power Supply (UPS) system that holds power, so your plugged-in devices remain powered for a few hours despite a blackout.

EXAMPLE SCENARIO 2

You were hacked (a criminal uses their computer to break into your computer system)

Prevention is the key!

• Very important! To minimise the possibility of being hacked, make sure you have the right software and staff training in place to help prevent this happening.

• If you suspect you are currently under attack, and your data is at risk, call Action Fraud on 0300 123 2040 immediately. Action Fraud will guide you through what you need to do during and after the attack.

• Follow your breach reporting procedure

• Change your passwords (passwords should only be changed if they have been compromised)

• Contact your IT supplier/IT support, if you have this (they can help to restore and repair if needed)

• Check that you have a backup (so you can restore your data without having to pay the attackers).

EXAMPLE SCENARIO 3

Your Supplier’s system has a fault.

Major suppliers, e.g. Google Drive or Dropbox, typically have arrangements in place to make sure their systems are not down for long. It’s more important to check this for suppliers of sector-specific software, e.g. electronic MAR sheets or care planning software.


AN EXAMPLE STRUCTURE FOR YOUR PLAN:

Link to this plan: https://www.hcpa.info/wp-content/uploads/BCP-template.xlsx

This is a basis for a more robust plan. It is high-level information that can be put into a more detailed BCP template if you already have one, or you can input it into the DSC document.

It can take a bit of time to put together but once in place the reviewing is quite quick. It should be added into your overall disaster planning.

Lead person = the person responsible for putting the steps in place and ensuring this is communicated and tested.

To make sure the plan works, it needs to fit in with your organisation’s policies and procedures – store this alongside those.

HOW TO MAKE SURE YOUR PLANS WILL WORK

• Make sure staff are aware of the plan and what to do

• Update policies and procedures to match your plan

• Test your draft plan to see if the actions would really work in practice, e.g.:

  • Mimic a power cut or phone/internet problem

  • ‘Hide’ a computer or smartphone

  • Lock the office door and ‘hide’ the key

  • Send a ‘pretend’ phishing email to staff to see if they open it

• Test your plan again at least annually

CONSIDERATIONS….

• Think about the plans that you have in place at the moment – how much do they cover the kinds of events we’ve outlined?

• What sorts of things might be needed to help make sure your plans will work?

• How could you test your plans?

• Do you have a hard copy of your plan in case your electronic systems go down?

| Key Area | What could happen? | How likely is it to happen? | How bad could it be? | How can we prepare just in case? | Lead Person | Date last tested |
| --- | --- | --- | --- | --- | --- | --- |
| Laptop breaks down | Cannot access care data; loss of staff records | Amber | Red | Make sure our backups are working and can be stored; put in place alternative access to care data and staff records (hard copies of rotas, care plans, etc kept securely); access cloud systems on a different device | M Smith, Registered Manager | 24/03/2022 |
| Loss of phone line | | | | | | |

GENERAL TIPS FOR BCPS

• Keep a hard copy of your BCP in a secure place (especially if it contains sensitive information).

• Do not share your master plan with everyone if it is likely to contain sensitive data. Strip out sensitive information when sharing with wider staff. Limit access to the master plan to a small number of senior people – it should be on a ‘need to know’ basis.

• BCPs work well for auditors. They show auditors that risks are being identified and managed.

• NHSmail/secure email is a must to ensure you are protecting personal and sensitive data. It reduces the risk of hacks and of data being lost or sent to the wrong person.

• If you have your policies with QCS, check if a BCP is included in your package.

FURTHER INFORMATION AND GUIDANCE

1. A business continuity plan template for data and cyber security and how to test your plan is available from Digital Social Care

2. A template business continuity plan is available from the Care Provider Alliance

3. Find out about the different types of scams with Action Fraud (Worth checking on a regular basis to get news on latest scams)

4. NCSC - Up-to-date cyber security guidance for small businesses

5. NCSC - Small business guide to help with response & recovery from a cyber incident

6. Exercise in a Box which could help you test your BCP (registration is required)

FREE LOCAL HELP IN EAST OF ENGLAND

BEDFORDSHIRE – CENTRAL BEDFORDSHIRE COUNCIL

Bedfordshire Care Group

https://dspt.bedscaregroupltd.co.uk/

SCHHServiceDevelopment@centralbedfordshire.gov.uk

CAMBRIDGESHIRE AND PETERBOROUGH

The Care Alliance (Cambridgeshire, Northamptonshire and Peterborough)

www.thecarealliancecnp.co.uk

admin@thecarealliancecnp.co.uk

07831597711

HERTFORDSHIRE, ESSEX, THURROCK AND SOUTHEND

Hertfordshire Care Providers Association*

https://www.hcpa.info/data-protection/

DataProtection@HCPA.co.uk

01707 708 018

NORFOLK

Norfolk & Suffolk Care Support Ltd

https://norfolkandsuffolkcaresupport.co.uk/bsbc

helpdesk@norfolkandsuffolkcaresupport.co.uk

01603 629211

SUFFOLK

Suffolk Association of Independent Care Providers

www.saicp.org.uk

admin@saicp.org.uk

07949 381686
