A hospital does not need to experience a major flood, fire or ransomware attack before its services are considered disrupted. Sometimes, all it takes is a failed network switch, an inaccessible Hospital Information System, a prolonged power interruption, a shortage of essential medication or several critical employees being unavailable at the same time.
In an ordinary business, disruption may result in delayed sales or reduced productivity. In healthcare, disruption can delay diagnosis, interrupt treatment, compromise medication safety and place patients at immediate risk.
This is why healthcare organisations in Malaysia need more than a document labelled "Business Continuity Plan" sitting in an administrative folder. They need a functioning Business Continuity Management system, supported by practical departmental plans, trained employees, tested recovery procedures and clear leadership.
Understanding the Difference Between BCM and BCP
The terms Business Continuity Management and Business Continuity Plan are often used interchangeably, but they are not exactly the same.
Business Continuity Management, or BCM, is the overall management process used to identify risks, assess the effect of disruptions, develop continuity strategies, train employees, conduct exercises and continually improve organisational resilience.
A Business Continuity Plan, or BCP, is one of the main documents produced through that process. It explains what employees must do when a disruption happens.
A simple way to understand the difference is this:
BCM is the entire programme. The BCP is the documented response plan within that programme.
Malaysia's Ministry of Health reflects this broader approach in its General Hospital Operational Policy 2025. It recommends establishing a BCMS Steering Committee and an implementation task force, using the Plan-Do-Check-Act approach to coordinate activities before, during and after disruptions. It also identifies Recovery Time Objectives, Maximum Tolerable Period of Downtime and workaround strategies as important planning elements.
Why Business Continuity Is Different in Healthcare
Healthcare continuity planning cannot simply copy a plan from a bank, factory or commercial office.
Hospitals operate continuously. Patients cannot always be sent home when systems become unavailable. Emergency treatment cannot wait for a server to be restored. Intensive care equipment requires stable electricity, operating theatres depend on sterile supplies, pharmacies require accurate medication information, and laboratories must preserve specimens even when their information systems are offline.
Healthcare operations also contain tightly connected dependencies.
For example, an operating theatre may still have electricity and available surgeons, but surgery may still be delayed because:
This means a healthcare BCP must examine complete patient-care pathways rather than looking at departments in isolation.
The World Health Organization similarly recommends facility-level continuity planning that helps healthcare organisations minimise disruption and maintain essential services during public health emergencies. Its guidance is intended for healthcare facilities, managers, healthcare workers and authorities responsible for emergency management and service continuity.
Start With Leadership, Not Templates
One of the most common mistakes is asking the IT department or Quality Department to prepare the entire BCP alone.
IT may manage servers, networks and clinical systems, but it does not own patient registration, medication administration, surgery scheduling, specimen collection, nursing care or clinical decision-making.
Business continuity must therefore be led at organisational level.
A suitable BCMS governance structure may include:
The steering committee should approve the continuity framework, priorities, budgets, acceptable downtime levels and major recovery strategies. The task force should maintain documents, coordinate exercises, track improvements and help departments develop their plans.
The Ministry of Health's General Hospital Operational Policy places similar emphasis on leadership commitment, formal documentation, resource availability, communication requirements, BCM awareness and ongoing evaluation.
Define the Scope Before Assessing Risks
The organisation should first define what its BCM programme covers.
A large hospital may begin with critical clinical and operational services before expanding the programme. A smaller healthcare facility may be able to include its entire operation from the beginning.
The scope could include:
The scope statement should also identify locations, buildings, external clinics, cloud systems, outsourced providers and shared group services.
Without a clear scope, departments may assume that another team has covered an important dependency when nobody actually has.
Conduct a Healthcare-Specific Risk Assessment
The next step is to identify events that could interrupt healthcare services.
Healthcare organisations in Malaysia should consider both local and operational risks, including:
A useful assessment should identify the hazard, affected services, existing controls, remaining exposure and required improvements.
For example, a hospital may have a standby generator, but that does not automatically mean the electrical risk has been fully controlled. The assessment should determine:
The goal is not to produce the longest risk register. It is to identify realistic weaknesses before they become operational failures.
Perform a Business Impact Analysis (BIA)
Risk assessment focuses on possible threats. A Business Impact Analysis, commonly known as a BIA, focuses on the consequences of losing a service.
Every critical department should identify:
The BIA should not simply classify every department as "critical." If everything is given the highest priority, the organisation has not actually prioritised anything.
A simplified BIA may look like this:
| Service | Impact of Disruption | Maximum Tolerable Downtime | Target Recovery Time | Minimum Continuity Arrangement |
| Emergency registration | Delayed identification and treatment | 15 minutes | Immediate | Manual registration and temporary patient numbers |
| Pharmacy dispensing | Delayed or unsafe medication supply | 30 minutes | 15 minutes | Printed medication forms and controlled manual dispensing |
| Laboratory urgent testing | Delayed diagnosis and clinical decisions | 30 minutes | 15 minutes | Manual request forms and telephone result verification |
| Radiology image access | Delayed diagnosis and surgery | 1 hour | 30 minutes | Emergency workstation or controlled image export |
| Finance reporting | Administrative and financial delay | Several days | 24 hours | Offline records and deferred processing |
These times are examples only. Each healthcare organisation must determine its own targets based on clinical risk, resources and service design.
Set Clear Recovery Objectives
Several technical terms are commonly used in BCM:
Maximum Tolerable Period of Disruption or Downtime (MTD)
This is the longest period a service can remain unavailable before the consequences become unacceptable.
Recovery Time Objective (RTO)
This is the targeted period within which the service should be restored.
The Recovery Time Objective should normally be shorter than the maximum tolerable downtime. Restoring a service exactly at the point where patient safety becomes unacceptable leaves no margin for complications.
Recovery Point Objective (RPO)
This identifies the acceptable amount of data loss measured in time.
For example, if a clinical system has an RPO of 15 minutes, the recovery arrangement should aim to prevent the loss of more than approximately 15 minutes of information.
Minimum Acceptable Service Level
Healthcare continuity is not always about restoring full operations immediately. The organisation should determine the minimum service it can safely provide during disruption.
For example, during a prolonged system outage, a specialist clinic may reduce elective consultations while maintaining urgent reviews. An operating theatre may postpone elective procedures while preserving capacity for emergency surgery.
The Ministry of Health's policy specifically connects BCMS planning with Recovery Time Objectives, Maximum Tolerable Period of Downtime and service workaround strategies.
Develop Continuity Strategies Across Six Key Areas
Once priorities are understood, the organisation can decide how services will continue.
People
Plans should address situations where key personnel are absent or unable to reach the facility.
Possible strategies include:
A plan that depends on one specific employee is not resilient. If only one person knows how to recover a system, contact a supplier or operate an essential process, that person has become a single point of failure.
Premises and Facilities
Alternative areas should be identified for essential services.
For example:
The plan should also address electricity, water, air-conditioning, medical gases, lifts, fire protection, waste disposal and access control.
Technology and Information
Healthcare technology continuity should cover more than backing up servers.
The organisation should consider:
The MOH General Hospital Operational Policy states that the IT department should establish an ICT BCP, make manual forms and patient information available for downtime, and test the plan through walkthroughs or simulations.
Suppliers and Medical Resources
A hospital may have strong internal controls but still fail because a critical supplier cannot deliver.
Continuity planning should identify:
Contracts should include service expectations, escalation contacts, incident-notification requirements and recovery commitments.
Critical suppliers should also be asked whether they maintain their own continuity plans. A supplier's promise to "support the hospital during emergencies" is not enough without clear arrangements.
Clinical and Operational Workarounds
Every critical service should have a safe temporary method of operating.
For an HIS outage, this may include:
Workarounds should reduce risk, not create new problems. Departments must agree on how patient identity will be confirmed, how forms will be numbered, who can authorise medication, how urgent results will be communicated and how records will later be reconciled.
Communications
Confusion often causes more damage than the original disruption.
The continuity plan should identify:
Pre-approved message templates can save valuable time. However, messages should still be reviewed against the actual situation before release.
Create Departmental Continuity Playbooks
A single hospital-wide plan is not enough. Each critical department needs a short, practical playbook.
The hospital-wide plan explains governance, command, escalation and organisation-wide priorities. Departmental playbooks explain exactly what employees in each area must do.
A departmental plan should include:
The document should be usable during an emergency. Employees should not need to read 80 pages before discovering the first action they must take.
Checklists, flowcharts, contact cards and action sheets are usually more useful during an incident than long paragraphs.
Prepare Downtime Kits
Departments that depend on electronic systems should maintain downtime kits.
A kit may contain:
The kits should be sealed, labelled, accessible and checked regularly. They should not be stored in a locked office that becomes inaccessible after hours.
Forms should also have version control. Using an outdated medication or consent form during downtime may introduce avoidable clinical and legal risks.
Define Activation Levels and Authority
Employees must know when normal incident management becomes a business continuity event.
A hospital might use three activation levels:
Level 1: Local Disruption
The problem affects one department and can be managed using local resources.
Example: A single clinic's network connection fails.
Level 2: Significant Operational Disruption
Several departments are affected, or the incident may exceed the capability of one team.
Example: The Hospital Information System becomes unavailable across the hospital.
Level 3: Major Organisational Crisis
The incident threatens essential services, patient safety, hospital reputation or regulatory obligations.
Example: A ransomware attack affects clinical systems while attackers claim to have stolen patient information.
The plan should identify who has authority to activate each level. It should also name alternates because the primary decision-maker may be unavailable.
Activation criteria should be based on impact, not only duration. A five-minute failure affecting a life-supporting system may be more serious than a two-hour interruption to an administrative platform.
Integrate Cybersecurity and Data-Breach Response
Cybersecurity plans and business continuity plans should support each other.
The cyber-incident team may focus on containment, investigation and system security. Clinical and operational teams must focus on maintaining safe patient care while systems are isolated or unavailable.
A ransomware response, for example, may require IT to disconnect systems to prevent further spread. While technically necessary, that decision may immediately affect registration, medication, imaging and laboratory services. The BCP should therefore define safe downtime arrangements before such an incident occurs.
Private hospitals must also consider Malaysia's personal-data protection requirements and the Code of Practice for Private Hospitals, which applies to private hospitals licensed under the Private Healthcare Facilities and Services Act and addresses the handling of personal and sensitive personal data in the private hospital environment.
Malaysia's current data-breach notification materials ask whether a notification is being submitted within 72 hours after the organisation becomes aware of the breach. The notification process allows available information to be submitted first, with additional details provided later.
This means the BCP should connect IT, management, legal, corporate communications and the Data Protection Officer early. Waiting until the technical investigation is completely finished may leave insufficient time to assess notification requirements.
Healthcare organisations designated as National Critical Information Infrastructure entities must also consider obligations under Malaysia's Cyber Security Act 2024. The Act covers the management of cybersecurity threats and incidents involving NCII entities and came into operation on 26 August 2024. Not every healthcare organisation is automatically an NCII entity, so applicability should be confirmed rather than assumed.
Plan the Recovery and Reconciliation Process
Many plans explain how to start downtime operations but say very little about returning to normal.
Recovery is not complete simply because the system is online again.
After an HIS outage, the hospital may have hours of paper records, medication orders, laboratory results, patient movements and financial transactions that must be entered or reconciled.
The recovery plan should specify:
A controlled recovery may take longer than the technical restoration itself.
For example, IT may restore the HIS at 2:00 p.m., but nursing, pharmacy and medical records may need several more hours to reconcile everything recorded during downtime. The incident should not be formally closed until these activities are completed or transferred to an accountable recovery team.
Exercise the Plan Regularly
A plan that has never been tested is largely theoretical.
Testing should begin with simple exercises and become more realistic over time.
Document Review
Plan owners check contacts, procedures, forms, responsibilities and dependencies.
Walkthrough Exercise
Department representatives discuss each step of the plan and identify gaps.
Tabletop Exercise
Participants respond to a realistic scenario introduced in stages.
For example, the exercise may begin with an HIS outage. It may then reveal that the outage was caused by ransomware, patient data may have been copied, telephone lines are overloaded and the media has contacted the hospital.
Functional Exercise
Specific procedures are physically performed, such as activating manual registration, using downtime forms or recovering a backup system.
Full Simulation
Multiple departments participate in a coordinated exercise that tests command, communications, clinical workarounds and recovery.
The MOH policy specifically recommends regular walkthroughs or simulations to improve readiness and keep continuity plans relevant.
Every exercise should produce an improvement plan containing:
An exercise that produces no corrective actions may not have been challenging enough.
Use Practical Performance Indicators
BCM should be monitored like any other quality and safety programme.
Useful indicators may include:
Indicators should measure readiness and performance, not merely document completion.
Having 100 percent of departments submit plans is not meaningful if employees do not know where those plans are or how to use them.
A Practical Hospital Example: Total HIS Downtime
Imagine that a hospital's HIS becomes unavailable at 10:15 a.m. on a busy weekday.
The helpdesk receives reports from registration, pharmacy, wards and specialist clinics. IT confirms that the issue affects the entire hospital and restoration may take several hours.
A functioning BCP could trigger the following sequence:
Without a coordinated plan, each department may invent its own temporary process. That creates inconsistent patient identifiers, duplicate prescriptions, missing clinical information and confusion over whether systems are safe to use.
Common BCM Mistakes in Healthcare
Treating BCM as an IT project
Technology is important, but healthcare continuity also depends on clinical workflows, staff, buildings, equipment, suppliers and communications.
Producing one generic plan
A generic plan cannot adequately explain how pharmacy, emergency services, laboratories and operating theatres should continue working.
Focusing only on disasters
Most continuity events are not dramatic. Hardware failure, staff absence, a failed supplier or an application error can still interrupt critical services.
Setting unrealistic recovery targets
Declaring that every system must be restored immediately does not create the resources needed to achieve that result.
Keeping plans only on the affected system
If the BCP is stored only on the hospital network, employees may lose access to it during the exact incident for which it is needed.
Ignoring third parties
Cloud vendors, telecommunications providers, laboratories, oxygen suppliers and outsourced service providers can become major continuity dependencies.
Testing only during office hours
Hospitals operate around the clock. A response that works at 11:00 a.m. may fail at 2:00 a.m. when fewer employees and managers are available.
Skipping post-recovery reconciliation
This can leave missing medication orders, incomplete patient records and inaccurate billing long after the system has returned.
A 90-Day BCM Implementation Roadmap
Healthcare organisations starting from the beginning can divide the project into manageable stages.
Days 1–30: Establish the Foundation
- Obtain executive approval.
- Appoint the steering committee and task force.
- Define the BCM scope and policy.
- Identify critical departments.
- Appoint departmental coordinators.
- Develop risk and BIA templates.
- Review regulatory, contractual and accreditation requirements.
Days 31–60: Analyse and Develop
- Conduct departmental BIAs.
- Identify critical dependencies.
- Establish MTPD, RTO and RPO targets.
- Select continuity and recovery strategies.
- Prepare departmental playbooks.
- Standardise downtime forms.
- Assemble downtime kits.
- Update emergency contacts and escalation arrangements.
Days 61–90: Train and Test
- Brief management and employees.
- Conduct departmental walkthroughs.
- Run an organisation-wide tabletop exercise.
- Test selected manual workflows.
- Test backup restoration.
- Record gaps and corrective actions.
- Obtain final approval for the plans.
- Establish a review and exercise calendar.
The BCM programme does not end after 90 days. This period simply establishes the first working version. Plans must continue evolving as services, buildings, systems, suppliers and regulatory obligations change.
MOH Guideline Documentation
This gude was drafted based on the guideline defined by Ministry of Health. Refer below.
Final Thoughts
Business continuity in healthcare is ultimately about maintaining safe patient care when normal operating conditions no longer exist.
A strong BCM programme does not promise that disruptions will never happen. Instead, it ensures that the organisation understands its priorities, knows its dependencies, has safe alternatives and can make coordinated decisions under pressure. For healthcare organisations in Malaysia, the most practical approach is to begin with leadership commitment, establish clear governance, conduct healthcare-specific risk assessments and BIAs, develop departmental playbooks, prepare downtime resources and repeatedly test the arrangements.
The real measure of a BCP is not how professional the document looks. It is whether a nurse, doctor, pharmacist, technician, registration employee or manager can use it effectively during a stressful incident—without guessing what to do next.


Comments