Legal Disclaimer
Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
© Clearwater Compliance | All Rights Reserved
Analyzing Business Impact to Inform Crisis Decision Making
March 31, 2020
Webinar Logistics
Slide materials – Link will be in the chat box (Should have also received in Zoom reminder email earlier today)
All attendees are in “Listen Only Mode”
Please ask content related questions in “Q&A”
In the event of technical issues, check “Chat”
Please complete the Exit Survey when you leave the webinar
Recorded version, final slides, & Certificate of Attendance will be shared with you within 48 hours
Introduction to Clearwater
• Founded in Nashville in 2009, colleagues in 20+ states, growing rapidly
• Portfolio company of Altaris Capital Partners, a healthcare PE firm with $3B under management
• Leading provider of enterprise cyber risk management and HIPAA compliance software and solutions for healthcare
• Approximately 400 customers, including 60 IDNs, many with enterprise programs
• 100% success rate when deliverables submitted to the Office for Civil Rights (OCR)
Overview
Title: Analyzing Business Impact to Inform Crisis Decision Making
Webinar Duration = 50 Minutes
Learning Objectives Addressed in This Webinar:
• New Reality
• Understanding the Business Impact Analysis
• How the BIA Informs Decision Making
• Key Take-Aways
Your Presenter
Cathie Brown, PMP, CGEIT, CISM, CISSP
Vice President, Consulting Services
• 30+ years in Information Technology, 20 years working in Healthcare IT
• 15+ years in Information Security, Risk Management and Compliance
• 10+ years in Management Consulting
• Former Deputy Chief Information Security Officer for the Commonwealth of Virginia
• Expertise and Focus: Developing and leading Information Security and Risk Management teams, Healthcare and HIPAA Compliance
• Board Member of Virginia HIMSS Chapter, President-Elect, Chair of Women in Health IT SIG
• Active member of HIMSS, ISACA, Infragard and Project Management Institute
• Serve on advisory boards for cyber programs at the college level
• https://www.linkedin.com/in/cathiebrown/
New Reality
Response to a Global Pandemic
Our reality just a couple of weeks ago
Top 6 Challenges Healthcare Executives will Face in 2020
• Value Based Payments and Price Transparency
• Rising Cost of Specialty Drugs
• Cyber Security
• New Government Requirements and Mandates
• Big Data Insights and Data Privacy
• Rising Cost of Healthcare
Healthcare Transformation was already challenging
Boom! Just like that a Global Pandemic Changes Everything
COVID-19
• Supply Chain Shortages
• Self-Quarantine
• Social Distancing
• Relaxed Security Controls
• Relaxed Regulations
• Elective Services Cancelled
• Increased or New Telework
• Clinical Staff Shortages
• Layoffs
• Closed Businesses or Reduced Hours
• Increased Telehealth services
• Lack of Test Kits
• Schools Closed
• New Business Processes
• Increased Data Sharing
• New Technologies and Vendors
The number of balls in the air just increased
This is hard!
Many organizations do not have an up-to-date Business Impact Analysis that would inform decision making during a crisis.
Terminology
Business Continuity Management
Business Continuity – Encompasses developing, testing, and managing business unit and enterprise-wide continuity plans
Disaster Recovery – Process focused on building continuity capabilities for critical IT infrastructure and business applications
Crisis Management – Steps to address and mitigate the effect of a negative event (e.g., fire, tornado, earthquake, pandemic)
Incident Response Management – Steps to address and minimize the negative impact of a physical or logical incident (e.g., security breach, theft)
Contingency Planning – Process of developing advance arrangements and procedures that enable response to an event that could occur by chance or unforeseen circumstances
Planning efforts are limited
Most of us have Business Continuity Plans and/or Disaster Recovery Plans, but these become shelf-ware, are not tested and don’t include pandemic situations.
Pause and Poll
1. Have your plans helped during the COVID-19 Crisis?
Yes No Some We don’t have BCP or DR Plans
Understanding the Business Impact Analysis
How the BIA informs decisions
Informed Planning
Imagine if you had a blueprint to inform decisions while in crisis management and after. That’s what the BIA provides.
A BIA is the process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption. (Gartner)
A BIA predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Identifying and evaluating the impact of disasters on business provides the basis for investment in:
• Recovery strategies
• Investment in prevention
• Mitigation strategies
(Ready.gov)
Foundation of Risk Management
Foundational to Risk Management Program:
• Business Impact Analysis
• Business Continuity Planning
• IT Disaster Recovery Planning
• Risk Analysis
• IT System Inventory
Risk Management Objectives – Required by HIPAA, Outlined in NIST Security Best Practice
Input from Business Units – Driven by the needs of the Business
The BIA Process
Step 1: Validate Mission Essential Functions to guide the process
Step 2: Determine the scope of primary business functions
Step 3: Schedule project kick-off meeting with stakeholders
Step 4: Send out Business Function Surveys
Step 5: Schedule and conduct interviews
Step 6: Analyze results and prepare report
Step 7: Socialize results with stakeholders
Step 8: Address identified gaps between needs and capabilities
Step 9: Update BIA as environment changes
Step 10: Perform comprehensive BIA every 3 years
Scope: Primary Business Functions
Administration
Cancer
Cardiac
Clinical Engineering
Critical Care
Compliance
ED
Finance and Accounting
HR
Lab and Respiratory
Nutrition Services
Patient Access
Pharmacy
Plant Engineering and Facilities
Procurement
Surgery
Participants Include Leadership
Senior Leadership
Senior Leadership has the responsibility for ensuring that business continuity plans are sufficient to sustain the business in the event of a disaster. By authorizing and supporting the BIA process, senior leadership is taking the first step toward informed disaster recovery planning.
Business Leadership
Business Leadership should understand the impact of disruptions to business operations if business-critical processes are temporarily unavailable. Business Leadership should be able to articulate the maximum tolerable downtime an information system can be unavailable for the organization to maintain business operations.
System Owners or SMEs
The System Owners and Subject Matter Experts (SMEs) provide perspective on impacts to business processes when information systems are not available and manual processes must be implemented. SMEs also help formulate efficient and effective mitigation strategies.
Prioritizes Functions and Processes to meet the Organization’s Mission
Primary Business Functions and Supporting Business Processes
Organization > Mission Essential Functions > Function > Processes
Function                 Process
Finance and Accounting   Payroll
Surgery                  Elective Surgeries
Pharmacy                 Med Admin
Impact to the Organization if Function/Process is not available
QUALITATIVE IMPACT ANALYSIS
Category                    Description                                                                        Weight
Life                        Potential someone could die                                                        5
Safety                      Potential someone would be harmed                                                  4
Finances                    Potential assets or dollars would be lost                                          3
Legality                    Potential compliance or other lawsuits                                             2
Customer Service/Publicity  Potential harm to customer service level/base and/or harm from adverse publicity   1
QUANTITATIVE IMPACT ESTIMATES
Scoring  Low Range   High Range          Impact to Business or Operations
1        0           < 500,000           No to Low
2        500,000     But < 1,500,000     Low to Moderate
3        1,500,000   But < 3,500,000     Moderate
4        3,500,000   But < 5,000,000     Moderate to High
5        5,000,000   And greater         High to Catastrophic
Resources necessary to support most critical business functions and processes
Resources: People (SMEs), Technology, Services, Equipment
Information Discovery Is Collected from Business Leadership
Mission Essential Functions > Primary Business Functions > Business Processes > Resources > Systems
Recovery Time Objective (RTO) – Determination of how quickly the supporting systems must be recovered to support the business process.
Recovery Point Objective (RPO) – Determination of how much data loss is tolerable before a business process is significantly impacted. The date of the most recent data backup or snapshot, located off-site, determines the maximum data loss.
Maximum Tolerable Downtime (MTD) – Determination of how quickly a business process must be recovered during a disaster, influenced by factors such as the ability to provide a reasonable level of service through alternative means; financial impacts; intangible impacts such as the loss of customer confidence.
RTO Tiers
“RTO 0” Recovered within 12 Hrs
“RTO 1” Recovered within 24 Hrs
“RTO 2” Recovered within 48 Hrs
“RTO 3” Recovered within 5 Days
“RTO 4” Recovered within 10 Days
RPO Tiers
“RPO 0” Less than 1 Day
“RPO 1” 1 Day
“RPO 2” 2 Days
“RPO 3” 5 Days
“RPO 4” Greater than 5 Days
EX: Provide Quality Care (Mission Essential Function) > Emergency Department (Primary Business Function) > Triage/Registration (Business Process) > Triage Nurse, Medical Equipment (Resources) > EMR System, Label Printer (Systems)
Information Discovery is more than ‘Just IT Systems’
Areas covered: Business Unit Overview, Business Processes, Dependencies, Systems
• Contact information for business leadership and SMEs
• Can this process be performed manually? How long? Documented?
• What are the inter-dependencies (work received, and work sent) with internal business units?
• Type of data stored, processed or transmitted? (e.g., PHI, PII, PCI)
• How many people work in the department? What are the normal working hours?
• Are there regulatory, legal, service level requirements?
• Are there key personnel necessary? Number of records? (over 500)
• What is the average work volume processed? Is there a peak volume or critical time for your workload?
• Are there vital records associated? Are there 3rd party services or products?
• System Classifications (High, Medium, Low): Confidentiality, Integrity, Availability
• What anticipated changes over the next 12 months could affect business impacts as identified above? Acquisitions, New computer systems, Mergers, New federal or state regulations, New market introductions
How the BIA Informs Decision Making
Value of the BIA
BIA Engages Business and IT
Engage the Business (Business Unit Survey, Conduct Interviews)
• Business Functions
• Business Processes
• Essential Personnel
• Dependencies
• IT Systems
Engage IT
• IT System Inventory
• Tier Systems
• Data Flows
• Essential System SMEs
• Current Recovery
Prioritize Requirements for DR based on Impact to the Business
Identified Gap between Business Needs and Current DR Capability
Socialize the Gap – Informed Leadership, Business and IT
Build the Blueprint for Business Continuity
Business Impact Analysis – Opportunity to Educate, Maximize Business Resiliency
Opportunity to Close the Gap
BIA-Derived RTOs vs Current RTOs (chart): business processes grouped by BIA-derived RTO 0, RTO 1 and RTO 2, plotted against the current RTO for key business processes on a recovery time axis of 12 Hrs, 1 Day, 2 Days, 3 Days, 4 Days, 5+ Days.
Impact by BIA-derived tier:
RTO 0 – Qualitative: Life/Safety; Quantitative: > $5M
RTO 1 – Qualitative: Safety; Quantitative: > $3.5M
RTO 2 – Qualitative: Safety/Legal; Quantitative: > $1.5M
Identified Gap: the distance between the BIA-derived RTO and the current RTO
Options for closing the Gap
Business Continuity Planning – Business Units develop documented plans to continue processes until systems and resources are available
• Forms to capture data
• Manual procedures
Disaster Recovery Planning – IT revises plans to recover systems within BIA-derived RTOs
• High availability configurations
• Hot Site
• Increased Cloud Provider SLA
Combination of BCP and DRP results in Maximized Business Resiliency
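The qualitative weights and quantitative bands from the impact tables, the RTO tiers from the Information Discovery slide and the gap chart above can be worked through end to end. The following is an added example, not material from the webinar or any Clearwater tooling. The tables are copied from the deck; everything else is an assumption made for illustration: the prioritization rule (qualitative weight × quantitative score), the rule that the BIA-derived RTO tier is the least aggressive tier whose window still fits inside the business-stated MTD, and the four sample processes with their constructed dollar, MTD and current-recovery figures.

```python
"""Worked BIA impact scoring and RTO gap analysis (illustrative example)."""
from dataclasses import dataclass
from typing import Optional

# Qualitative impact weights, taken from the deck's table (category -> weight).
QUALITATIVE_WEIGHTS = {
    "Life": 5,
    "Safety": 4,
    "Finances": 3,
    "Legality": 2,
    "Customer Service/Publicity": 1,
}

# Quantitative impact bands from the deck's table: (low, high exclusive, score, label).
QUANTITATIVE_BANDS = [
    (0, 500_000, 1, "No to Low"),
    (500_000, 1_500_000, 2, "Low to Moderate"),
    (1_500_000, 3_500_000, 3, "Moderate"),
    (3_500_000, 5_000_000, 4, "Moderate to High"),
    (5_000_000, float("inf"), 5, "High to Catastrophic"),
]

# RTO tiers from the deck: tier -> recovery window in hours (5 and 10 days converted).
RTO_TIER_HOURS = {0: 12, 1: 24, 2: 48, 3: 120, 4: 240}


@dataclass
class ProcessAssessment:
    """One survey/interview result for a business process (constructed sample data)."""
    function: str
    process: str
    impact_category: str           # key into QUALITATIVE_WEIGHTS
    est_loss_dollars: float        # estimated loss while the process is unavailable
    mtd_hours: float               # Maximum Tolerable Downtime stated by business leadership
    current_recovery_hours: float  # what IT's current DR capability actually delivers


def quantitative_score(dollars: float) -> tuple:
    """Map an estimated dollar loss onto the deck's 1-5 quantitative scale."""
    if dollars < 0:
        raise ValueError("loss estimate cannot be negative")
    for low, high, score, label in QUANTITATIVE_BANDS:
        if low <= dollars < high:
            return score, label
    raise AssertionError("bands must cover all non-negative values")


def priority_score(category: str, dollars: float) -> int:
    """Assumed combination rule (not stated in the deck): qualitative weight x quantitative score."""
    return QUALITATIVE_WEIGHTS[category] * quantitative_score(dollars)[0]


def bia_rto_tier(mtd_hours: float) -> Optional[int]:
    """Least aggressive RTO tier whose window still fits inside the stated MTD.

    Assumed rule: the RTO must not exceed the MTD. Returns None when even
    RTO 0 (12 hours) is too slow, which is a finding in its own right.
    """
    fitting = [tier for tier, hours in RTO_TIER_HOURS.items() if hours <= mtd_hours]
    return max(fitting) if fitting else None


def rto_gap_hours(a: ProcessAssessment) -> float:
    """Hours by which current DR capability misses the BIA-derived RTO (0 when it meets it)."""
    tier = bia_rto_tier(a.mtd_hours)
    target = RTO_TIER_HOURS[tier] if tier is not None else a.mtd_hours
    return max(0.0, a.current_recovery_hours - target)


def gap_report(assessments) -> list:
    """Rank processes by impact and show the RTO gap for each, highest priority first."""
    rows = []
    for a in assessments:
        rows.append({
            "process": f"{a.function} / {a.process}",
            "priority": priority_score(a.impact_category, a.est_loss_dollars),
            "bia_rto_tier": bia_rto_tier(a.mtd_hours),
            "gap_hours": rto_gap_hours(a),
        })
    rows.sort(key=lambda r: (-r["priority"], r["process"]))
    return rows


# Constructed sample input; function/process names are ones that appear on the deck.
SAMPLE_ASSESSMENTS = [
    ProcessAssessment("Emergency Department", "Triage/Registration", "Life", 6_000_000, 12, 36),
    ProcessAssessment("Pharmacy", "Med Admin", "Safety", 2_000_000, 24, 24),
    ProcessAssessment("Finance and Accounting", "Payroll", "Finances", 800_000, 72, 120),
    ProcessAssessment("Surgery", "Elective Surgeries", "Finances", 4_000_000, 48, 96),
]

if __name__ == "__main__":
    for row in gap_report(SAMPLE_ASSESSMENTS):
        tier = row["bia_rto_tier"]
        tier_text = f"RTO {tier}" if tier is not None else "faster than RTO 0"
        print(f"{row['process']:<45} priority={row['priority']:>2} "
              f"target={tier_text:<17} gap={row['gap_hours']:.0f}h")
```

Run as a script, the report puts the Emergency Department triage process first (Life impact, over $5M, 24-hour gap between the 36 hours IT can deliver and the 12-hour RTO 0 window) and shows Pharmacy medication administration as already meeting its RTO 1 target, which is the prioritized gap list the deck's "socialize the gap" step hands to leadership. A process whose MTD is shorter than RTO 0 is reported with no tier, so the team sees that the tier scheme itself needs extending rather than silently rounding the requirement down.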
BIA Results
Business Impact Analysis
Mission Essential Functions (MEFs), the limited set of functions that must be continued throughout, or resumed rapidly after, a disruption of normal operations.
Primary Business Functions (PBFs) and specific supporting processes that the organization must conduct to perform its MEFs. PBFs are enablers that make it possible to perform the mission.
Assessment and prioritization of PBFs and processes.
Identification of systems and applications used to perform MEFs and PBFs.
Maximum Tolerable Downtime (MTD), the amount of time the business function can be down before there is a considerable impact to the mission.
Recovery Time Objectives (RTOs), the amount of time after which the supporting systems must be recovered.
Recovery Point Objectives (RPOs), the amount of data the business unit can afford to lose due to an outage.
Specific Business Function information regarding key personnel, normal work hours, peak periods, vital records, and dependencies.
How does the BIA help with COVID-19 Response?
A Business Impact Analysis provides the opportunity to engage with business leaders, prioritize business functions, tier critical systems and identify essential personnel. These important elements are core to crisis management and response planning.
Crisis Management and Response Planning
Incident/Crisis Management Information Available in the BIA:
• Contact information for key business leaders
• Primary business functions, operations and locations
• IT systems necessary to support primary business functions
• Information to develop a plan to deliver all primary business functions that includes staffing and resources
• Non-essential business functions that can be suspended during the duration of the incident
• Vendor services and supply needs to support primary business functions
• “Non-essential workers” to be re-assigned for other “essential” duties in other units
• Internal and external dependencies for primary business functions
Summary
Take-Aways
BIA Take-Aways
• Prioritizes mission/business processes
• Identifies risk mitigation and recovery strategies based on criticality
• Identifies resources needed to resume mission/business (facilities, personnel, equipment, software, data files, system components, vital records)
• Identifies dependencies (suppliers, 3rd parties, data feeds, interfaces)
• Informs an overall Risk Management Program
• Builds “Enhanced Resilience” (Health & Public Health Critical Infrastructure)
• Allows for informed decisions to Business Continuity/Disaster Recovery planning (budget, resources)
• Provides information needed for Incident/Crisis Management
Pause and Poll
2. Did you find this webinar helpful?
Yes No
Thank you & Questions
Cathie [email protected]
(434) 665-0345
www.clearwatercompliance.com
Upcoming Educational Events
Learn more and register for additional upcoming educational events
www.ClearwaterCompliance.com
800.704.3394
LinkedIn | linkedin.com/company/clearwater-compliance-llc/
Twitter | @clearwaterhipaa