Cyberattacks, major IT failures, fires, floods, staff shortages…
In a hospital or healthcare organization, any interruption in operations has a direct impact on the safety of patients and users.
This is precisely what the BCP (Business Continuity Plan) and the DRP (Disaster Recovery Plan) are for: to enable the organization to continue to provide care and support, even in the event of a serious crisis.
BCP/DRP: what exactly are we talking about?
The BCP: staying the course during a storm
A Business Continuity Plan (BCP) is a strategic document that describes how an organization maintains its essential functions during a major crisis (cyberattack, power outage, flood, pandemic, etc.).
It involves identifying vital activities (emergencies, accommodation, pharmacy, patient records, payroll, etc.) and planning for backup resources (premises, IT systems, paper procedures, additional staff, etc.).
In healthcare, the BCP is not limited to IT, and can be integrated into the contingency plan to cover human resources, buildings, suppliers, logistics, etc.
The DRP: restarting after the shock
The Disaster Recovery Plan (DRP) complements the BCP: it describes how to restart what has been shut down, in particular information systems.
The CNIL (French Data Protection Authority) points out that disaster recovery encompasses all the actions necessary to restart a system that has been shut down after an incident.
In concrete terms, the DRP specifies, for example:
- the order in which to restart applications (patient records, imaging, HR, etc.), respecting their technical dependencies,
- which backups to use, and how to verify that they are intact before restoring from them,
- the target timeframes: the RTO (Recovery Time Objective, the maximum tolerable downtime) and the RPO (Recovery Point Objective, the maximum tolerable data loss, i.e. the age of the most recent usable backup).
In the public sector, as in healthcare, national guidelines recommend considering BCP and DRP together, sometimes in the form of a BDRP (Business Continuity and Disaster Recovery Plan).
Why is this crucial for hospitals and healthcare organizations?
Continuity of care and protection of vulnerable individuals
A well-designed BCP/DRP serves above all to ensure continuity of care and support, even in the midst of a crisis. For a hospital or healthcare organization, this means minimizing disruptions to care: avoiding the closure of entire departments, maintaining monitoring of fragile patients, ensuring the distribution of treatments, and preserving the reception and safety of residents.
Very real threats, particularly cyber threats
Today, a cyberattack can paralyze an entire hospital IT system and expose sensitive health data.
Without a BCP/DRP, teams are left without clear instructions, decisions are made in a hurry, and the risk of medical errors, loss of information, or organizational chaos skyrockets.
With a BCP/DRP worked out in advance, teams have a ready-to-go scenario: who does what, with what tools, and in what order. Lessons learned from past incidents show that:
- patients benefit from better continuity of care,
- data is better protected thanks to proven backups and restoration procedures,
- staff know what to do, which reduces stress and errors in the midst of a crisis.
A clear expectation from the authorities
The authorities (ANS, ANSSI, ARS) now require formalized BCPs and DRPs, particularly via the “business continuity and recovery strategy” function in cybersecurity programs such as CaRE. In short: for a healthcare institution, not having robust BCPs/DRPs is no longer an option; it is a requirement for protecting patients, staff, and data.
How to implement a BCP/DRP in a medical-social facility?
Step 1 – Establish governance and executive sponsorship
A BC/DR plan cannot be “an IT document”. It must be driven by top management and co-built with business teams.
In practice, this means identifying a sponsor (executive management or association leadership), setting up a BC/DR steering committee bringing together IT, nursing management, medical leadership, quality and risk management, logistics, HR, information security, etc., and appointing a clearly identified project manager.
This framework makes it possible to arbitrate priorities, budgets and technical choices without getting stuck.
Step 2 – Identify critical activities (business impact analysis)
The goal is to answer two simple questions:
Which activities must never stop? (emergency care, operating rooms, secure units, on-call services, medical hotlines, etc.)
What is the minimum acceptable service level and maximum downtime?
To do this, a Business Impact Analysis (BIA) is carried out: mapping critical processes, identifying dependencies (applications, facilities, suppliers, key staff), and defining recovery objectives (RTO/RPO). This analysis provides the compass for the BC/DR plan.
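The DRP section above lists the restart order, the backups to use and the RTO/RPO targets; the BIA in this step produces the dependencies and objectives those decisions rest on. The following is an added worked example, not code from the page, from Phishia or from the ANS toolkit. It takes a small constructed inventory (hypothetical application names, dependencies, recovery objectives and backup timestamps) and derives a dependency-respecting restart order, checks whether each component can actually be back within its RTO once the restart times of everything it depends on are counted, and flags components whose last verified backup is older than their RPO.

```python
"""Added example: from a BIA inventory to a checked restart plan.

All application names, dependencies, durations and timestamps below are
constructed for illustration; they are not figures from any real facility.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class App:
    name: str
    rto: timedelta          # maximum tolerable downtime (from the BIA)
    rpo: timedelta          # maximum tolerable data loss (from the BIA)
    restart: timedelta      # measured time to restore and validate this component
    depends_on: tuple = ()  # components that must be up before this one can start


# Constructed inventory of a hypothetical hospital information system.
APPS = [
    App("directory", rto=timedelta(hours=2), rpo=timedelta(hours=24),
        restart=timedelta(minutes=30)),
    App("database", rto=timedelta(hours=2), rpo=timedelta(hours=1),
        restart=timedelta(minutes=120), depends_on=("directory",)),
    App("patient_record", rto=timedelta(hours=4), rpo=timedelta(hours=1),
        restart=timedelta(minutes=60), depends_on=("database", "directory")),
    App("imaging", rto=timedelta(hours=4), rpo=timedelta(hours=4),
        restart=timedelta(minutes=120), depends_on=("patient_record",)),
    App("hr_payroll", rto=timedelta(hours=72), rpo=timedelta(hours=24),
        restart=timedelta(minutes=45), depends_on=("database",)),
]

# Constructed timestamps: when the incident was declared and the last
# verified backup of each component.
INCIDENT = datetime(2024, 3, 12, 2, 0)
LAST_BACKUP = {
    "directory": datetime(2024, 3, 11, 22, 0),
    "database": datetime(2024, 3, 12, 1, 30),
    "patient_record": datetime(2024, 3, 12, 0, 0),
    "imaging": datetime(2024, 3, 11, 20, 0),
    "hr_payroll": datetime(2024, 3, 11, 18, 0),
}


def restart_order(apps):
    """Dependency-respecting restart order (Kahn's topological sort).

    Among components whose dependencies are all up, the one with the tightest
    RTO goes first. A dependency cycle means the plan is inconsistent, so the
    function raises rather than silently returning a partial order.
    """
    by_name = {a.name: a for a in apps}
    for a in apps:
        for d in a.depends_on:
            if d not in by_name:
                raise ValueError(f"{a.name} depends on unknown component {d!r}")
    indegree = {a.name: len(a.depends_on) for a in apps}
    dependents = {a.name: [] for a in apps}
    for a in apps:
        for d in a.depends_on:
            dependents[d].append(a.name)
    ready = [n for n, k in indegree.items() if k == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: by_name[n].rto)  # tightest RTO first
        n = ready.pop(0)
        order.append(n)
        for m in dependents[n]:
            indegree[m] -= 1
            if indegree[m] == 0:
                ready.append(m)
    if len(order) != len(apps):
        missing = ", ".join(sorted(set(by_name) - set(order)))
        raise ValueError(f"dependency cycle in restart plan: {missing}")
    return order


def rto_schedule(apps):
    """Earliest completion of each component, restarting in parallel whenever
    dependencies allow. A component finishes at its own restart duration plus
    the latest finish among its dependencies, so a chain of individually fast
    restarts can still push a top-level application past its RTO.
    Returns {name: (finish_after_incident, meets_rto)}."""
    by_name = {a.name: a for a in apps}
    finish = {}
    for n in restart_order(apps):
        a = by_name[n]
        start = max((finish[d] for d in a.depends_on), default=timedelta(0))
        finish[n] = start + a.restart
    return {n: (finish[n], finish[n] <= by_name[n].rto) for n in finish}


def rpo_check(apps, last_backup, incident):
    """Data loss per component = incident time minus last verified backup.
    Returns {name: (data_loss, meets_rpo)}; a False means the backup the DRP
    would restore is older than the facility agreed to tolerate."""
    result = {}
    for a in apps:
        loss = incident - last_backup[a.name]
        result[a.name] = (loss, loss <= a.rpo)
    return result


if __name__ == "__main__":
    print("Restart order:", " -> ".join(restart_order(APPS)))
    for name, (finish, ok) in rto_schedule(APPS).items():
        print(f"{name:15s} back after {finish}  RTO {'met' if ok else 'MISSED'}")
    for name, (loss, ok) in rpo_check(APPS, LAST_BACKUP, INCIDENT).items():
        print(f"{name:15s} data loss {loss}  RPO {'met' if ok else 'MISSED'}")
```

Run as-is, the example shows two findings a paper plan would hide: the database misses its own RTO because the directory it depends on must come up first, and imaging cannot be back within four hours even though its own restore takes two, because it sits at the end of a chain. The RPO check likewise flags the patient record and imaging backups as too old for the objectives set in the BIA. In practice the durations come from timed restoration exercises, not estimates, and the backup timestamps from the last restore test that was actually verified.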
Step 3 – Work on crisis scenarios
The ANS BC/DR toolkit recommends covering at least four major scenarios:
- unavailability of human resources (mass absenteeism, strikes, pandemics),
- unavailability of facilities (fire, flooding, technical failure),
- unavailability of suppliers (medications, catering, telecommunications),
- and of course unavailability of the information system (cyberattack, major outage).
For each scenario, concrete impacts on critical activities are described: what becomes impossible, what must absolutely be maintained, and at what level. This helps move from theory to operational reality.
Step 4 – Build the BC plan: how to keep operating
The BC plan answers a simple question: “How do we continue working when everything goes wrong?”
The aim is to define realistic continuity solutions, sometimes imperfect but actionable: transferring services to another site, paper-based procedures for prescriptions and traceability when the HIS is unavailable, staff reinforcement or redeployment plans, safety stocks (medications, consumables, equipment), and backup communication methods (fallback telephony, radios, secure external messaging).
These choices are consolidated into a clear and usable plan, with short action sheets by department, up-to-date emergency contact lists, and a crisis management governance model (crisis cell, roles and responsibilities, meeting frequency, key decisions).
Step 5 – Build the DR plan: how to restart safely
The DR component focus
Phishia's expertise: a BCP/DRP rooted in the cyber reality of the healthcare sector
At Phishia, we work daily with hospitals, hospital groups (GHTs), and healthcare organizations on operational cybersecurity and resilience against cyberattacks (ransomware, account compromise, targeted phishing, etc.).
Our strength: connecting your BC/DR plans directly to your real digital risks, rather than producing yet another purely theoretical document.
What we do for you
- BC/DR & cyber rapid assessment: review of your plans, procedures, backups, and crisis organization; identification of gaps against ANS/ANSSI recommendations and the CaRE program; rapid mapping of critical activities and their digital dependencies.
- Co-building BC/DR plans with your teams: workshops with caregivers, management, and support functions; development of realistic scenarios (cyberattack blocking the HIS, loss of a site, failure of a key supplier, etc.); creation of simple action sheets designed to be usable under stress.
- Integration wi
How about we talk about your BCP/DRP?
Whether you are starting from scratch or want to update an outdated BCP/DRP, now is the right time to:
- check that your plans adequately cover current risks (cyber, shortages, health crises),
- make them concrete and actionable for your teams,
- and align them with the requirements of the French authorities.
Would you like an outside perspective on your BCP/DRP or to develop an approach tailored to your hospital or healthcare association?
We can discuss this during a no-obligation consultation to understand your challenges and offer you customized support.