ARTICLE

Staying Afloat: Strategies for Business Continuity and Disaster Recovery in a Pharma Lab

Introduction

People use the term “disaster” to describe nearly any kind of calamity, and for this reason, it’s often used colloquially or in jest. However, when it comes to pharmaceutical laboratory work, a disaster is anything but a joking matter. The products of a pharma lab are ultimately intended to help patients and consumers, so when research and development are jeopardized, so is the potential well-being of this important client base.

No matter what the source - fire, tornado, loss of electricity, cyber attack, compromised assay components, etc. - any event that leads to instability or unreliability can translate to an outright loss of usability [2]. This can have a profound impact on profitability and results, so it makes sense that many modern pharma labs feel the need to develop specific preventative measures to help adapt to unexpected circumstances, as well as realistic post-event response plans.

Disaster recovery is not necessarily the same as business continuity. Rather, business continuity is the goal of adequate disaster prevention and recovery measures [7]. Achievement of business continuity in the setting of a disaster requires agility and forethought and should incorporate a three-sided approach to disaster management: prevention, short-term recovery, and long-term recovery. In this white paper, we will discuss all three aspects of a robust disaster management strategy, while highlighting specific actions labs can take in the present to mitigate the damage of a future disaster.

Ahead of the game: disaster prevention strategies

Try as you might, complete avoidance of setbacks is next to impossible to achieve. This is in large part due to the intrinsic “unknowns” of a disaster; no one can truly predict when or how a hurricane may make landfall, or whether a regular shipment of assay materials may have been contaminated without anyone’s knowledge.

For this reason, it can be helpful for labs to frame their disaster prevention strategy as not a singular solution, but rather a bulkhead behind which to build a more robust response plan. The disaster prevention strategy should be detailed enough to provide direction in a number of situations, but not itemized to the point of lacking adaptability.

The most resilient research organizations are known to test their plan by conducting disaster training sessions using their preparedness strategy. And, when necessary, these organizations tend to not hesitate to activate their disaster management plan when it appears daily tasks may be affected by a situation [5]. With a solid plan in place, it’s easier to “communicate and escalate” in a confident and efficient manner.

In terms of prevention, preparing for a total system loss, rather than a partial failure, is one of the most comprehensive actions a lab can take. Examples of valuable actions for deterring large-scale experiment failure could include purchasing backup generators capable of running specimen fridges/freezers during a power outage; utilizing cloud or virtualization technology to prevent loss of data in the event of technology failure; investing in offline IT backup solutions for critical systems; or purchasing fire-proof lab cabinets for storage of volatile materials.

In a bid to protect their assets, a number of labs have even opted to include vendors in their “ready response teams” by outsourcing disaster management to companies with divisions focused on managing this type of work, such as PerkinElmer’s OneSource Relocation Services [3].

While these investments may prove costly upfront - and possibly seem excessive - they actually tend to be less expensive than the alternative, which involves simply cleaning up whatever mess is left and starting over from scratch. Physical damage not only costs money to repair, but also results in lost productivity; any chance to keep the lab functioning, even partially, can help to mitigate profit loss.

Many North American labs have federal requirements guiding their emergency management plan; in the United States, these agencies would include OSHA, the College of American Pathologists (CAP) and/or The Joint Commission (TJC), which regulates hospital operations. Requirements put forth by CAP, for example, require policies and procedures for internal disasters (technology failures, staff shortages, fires, etc.) as well as external.

The Joint Commission requirements are similar, mandating that all hospital-affiliated labs have a plan that outlines the department’s response and functional capabilities for up to 96 hours post-event [1]. This plan must also highlight how a lab intends to resume normal functions after the event, including identification of those employees who perform critical and essential functions.

The overall goal of disaster prevention in the laboratory setting is maintenance of lab functionality and integrity in conditions of uncertainty. Being able to conduct as much “business as usual” during the hours and days immediately following an event can buy time for organizations trying to implement their disaster management plan.

First steps after the disaster

The short-term response to a disaster depends on the nature of the event and for this reason, requires a great deal of agility in executing even the best-laid disaster management plan. The first step in any immediate disaster response should be ensuring the safety of employees if the situation warrants such consideration. Beyond this, the plan must include provisions for both direct and indirect damage to the laboratory.

Direct damage is defined as “material losses that occur as an immediate consequence of a disaster.” This mainly includes loss of physical assets like computers, instruments and assay materials, or, in the event of a cyber attack, hardware and software that must be replaced, and pre-purchased data [4].

Indirect damage, on the other hand, can refer to things that impact profitability or future business practices. This includes immediate and future loss of income from goods and/or services not being provided due to a disaster, whether it’s an inability to carry out tasks with remaining instruments or perhaps loss of accreditation or reputation due to an egregious breach of lab protocol [4]. In the case of direct damage, having a pre-built compliance/QA process in place can be an ideal preventative measure.

For example, in the case of a natural disaster like a hurricane, earthquake or landslide, or during a building fire, direct damage to buildings, instruments and assays will be a key focus, after ensuring the safety and well-being of lab employees and research animals. It may take a while to fully appreciate losses, as in the case of lab instruments that might need to be tested and evaluated prior to further use, necessitating a robust QA plan. Due to the fact that natural disasters tend to affect entire geographic areas, indirect damage will likely need to be assessed in an ongoing manner, as lab functionality is determined and clients begin to understand their own situation.

The response to other disaster situations may focus more equally on direct and indirect damage, as in the case of a cyber attack or large-scale compromise of assays. In these instances, efforts should be more rapidly directed toward preservation of protected health information (PHI) and existing data, as well as prevention of further damage to specimens. Both categories of disaster involve a degree of direct damage, in the form of malware abatement, HIPAA violation fines, and lost supplies.

However, the indirect damage carries equal weight; cyberattacks may result in breaches of PHI that lead to loss of accreditation, as well as proprietary data losses. According to recent data, the annual cost of cybercrime in the life sciences industry increased from $5.87 million in 2017 to $10.91 million in 2018, with information loss being a top target [6]. Having some sort of readily accessible plan for data governance can be highly valuable in this instance. Compromised assays, while presenting a similar reputational risk to the reliability of a lab, can also undermine the progress of existing research endeavors, threatening indirect losses in the form of research setbacks.

While a good disaster management plan can help direct short- and long-term recovery efforts following an event, a solid communication strategy will also assist with business continuity. This includes both internal communications - being able to disperse messages amongst key lab personnel - and external communications, often in the form of public relations. In the wake of a disaster situation, a lab may need to answer to a number of entities, including a board of directors, IRB, grant organizations, or even the public, the last of which is addressed via various media channels. In this instance, it can be helpful to have the support of an organization’s communications or public relations staff, who will help package and deliver crisis communications in an appropriate manner.

If communications support is not available, labs may want to consider incorporating a communications framework into their overall disaster management plan. This might include a list of media contacts and designation of individuals who will interface with external entities. It is important to remember the value of consistent messaging during times of crisis, particularly as an organization shifts its focus from short-term disaster recovery efforts to long-term business continuity.

The journey ahead

Once the initial disaster recovery efforts have been implemented, it comes time to consider long-term strategies for continued recovery and business continuity.

Much of this will depend on the nature of the disaster and the degree of recovery achieved during the hours and days following an event. In the instance of a building fire, longer-term disaster recovery could involve finding a new permanent location for the lab and possibly having to start over on certain assays; whereas in the event of a cyberattack, it might mean developing a better framework for data collection and encryption.

Business continuity in the long run can be subdivided into two categories: everyday tasks and stakeholder relationships. The daily tasks of a lab should ideally resume as instruments and data come back online, assays and specimens are determined viable and/or employees otherwise return to their normal duties. However, it would be a mistake to resume day-to-day business without forethought to the impact a lab disaster has on relationships with stakeholders [8].

Labs are held to high standards of precision and reliability, and it can be concerning for clients, research participants and patients when this image is distorted by catastrophic events like breaches of data. To this end, it is often beneficial to employ the support of communication specialists to help deliver appropriate messaging during the extended disaster recovery process, and in doing so, hopefully maintain stakeholder relationships [8].

Conclusion

Lab disasters come in many shapes and sizes, from natural disasters to data breaches, all sharing a common threat of lost income, delays in research and prolongation of time-to-market for drugs that could potentially save lives. Disasters are often inevitable, but with proper guidelines in place for prevention, management and business continuity, it is possible to reduce their impact on a lab.

Sources:

  1. Scungio, Daniel J. “Disaster and the Laboratory: Preparation, Response and Recovery.” Medical Laboratory Observer. Published June 19, 2014. Accessed July 7, 2019. URL: https://www.mlo-online.com/home/article/13006800/disaster-and-the-laboratory-preparation-response-and-recovery
  2. Whitworth, Neil. PerkinElmer. Interview date: June 21, 2019.
  3. Jamison et al., Disease Control Priorities in Developing Countries. World Bank Publications, 2006. P. 1152.
  4. “Response and Recovery Planning.” National Academy of Sciences. Published 2017. Accessed July 7, 2019. URL: https://www.ncbi.nlm.nih.gov/books/NBK464149/
  5. Accenture and Ponemon Institute LLC: “The Cost of Cybercrime: Ninth Annual Cost of Cybercrime Study.” Accessed July 7, 2019. URL: https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf
  6. Potts, Jarrett. “Industry Perspectives: Disaster Recovery is Not Business Continuity.” DataCenter Knowledge, Jan. 4, 2013. Accessed July 7, 2019. URL: https://www.datacenterknowledge.com/archives/2013/01/04/disaster-recovery-is-not-business-continuity
  7. Seeger, Matthew W., Sellnow, Timothy L., Ulmer, Robert R.; “Public Relations and Crisis Communication: Organizing and Chaos.” Handbook of Public Relations. Chapter 11. Accessed July 7, 2019. URL: http://sk.sagepub.com/reference/handbook-of-public-relations/n11.xml