Legal Disclaimer Copyright Notice · HIPAA compliance software and solutions for healthcare....

Page 1

Legal Disclaimer

Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

© Clearwater Compliance | All Rights Reserved

Page 2

Analyzing Business Impact to Inform Crisis Decision Making

March 31, 2020

Page 3

Webinar Logistics

Slide materials – Link will be in the chat box (Should have also received in Zoom reminder email earlier today)

All attendees are in “Listen Only Mode”

Please ask content related questions in “Q&A”

In the event of technical issues, check “Chat”

Please complete the Exit Survey when you leave the webinar

Recorded version, final slides, & Certificate of Attendance will be shared with you within 48 hours

Page 4

Introduction to Clearwater

• Founded in Nashville in 2009, colleagues in 20+ states, growing rapidly
• Portfolio company of Altaris Capital Partners, a healthcare PE firm with $3B under management
• Leading provider of enterprise cyber risk management and HIPAA compliance software and solutions for healthcare
• Approximately 400 customers, including 60 IDNs, many with enterprise programs
• 100% success rate when deliverables submitted to the Office for Civil Rights (OCR)

Page 5

Overview

Title: Analyzing Business Impact to Inform Crisis Decision Making

Webinar Duration = 50 Minutes

Learning Objectives Addressed in This Webinar:

• New Reality
• Understanding the Business Impact Analysis
• How the BIA Informs Decision Making
• Key Take-Aways

Page 6

Your Presenter

Cathie Brown, PMP, CGEIT, CISM, CISSP

Vice President, Consulting Services

• 30+ years in Information Technology, 20 years working in Healthcare IT
• 15+ years in Information Security, Risk Management and Compliance
• 10+ years in Management Consulting
• Former Deputy Chief Information Security Officer for the Commonwealth of Virginia
• Expertise and Focus: Developing and leading Information Security and Risk Management teams, Healthcare and HIPAA Compliance
• Board Member of Virginia HIMSS Chapter, President-Elect, Chair of Women in Health IT SIG
• Active member of HIMSS, ISACA, Infragard and Project Management Institute
• Serve on advisory boards for cyber programs at the college level
• https://www.linkedin.com/in/cathiebrown/

Page 7

New Reality

Response to a Global Pandemic

Page 8

Our reality just a couple of weeks ago

Top 6 Challenges Healthcare Executives will Face in 2020

• Value Based Payments and Price Transparency
• Rising Cost of Specialty Drugs
• Cyber Security
• New Government Requirements and Mandates
• Big Data Insights and Data Privacy
• Rising Cost of Healthcare

Healthcare Transformation was already challenging

Page 9

Boom! Just like that a Global Pandemic Changes Everything

COVID-19

• Supply Chain Shortages
• Self-Quarantine
• Social Distancing
• Relaxed Security Controls
• Relaxed Regulations
• Elective Services Cancelled
• Increased or New Telework
• Clinical Staff Shortages
• Layoffs
• Closed Businesses or Reduced Hours
• Increased Telehealth services
• Lack of Test Kits
• Schools Closed
• New Business Processes
• Increased Data Sharing
• New Technologies and Vendors

The number of balls in the air just increased

Page 10

This is hard!

Many organizations do not have an up-to-date Business Impact Analysis that would inform decision making during a crisis.

Page 11

Terminology

Business Continuity Management

Business Continuity – Encompasses developing, testing, and managing business units and enterprise wide continuity plans

Disaster Recovery – Process focused on building continuity capabilities for critical IT infrastructure and business applications

Crisis Management – Steps to address and mitigate the effect of a negative event (e.g., fire, tornado, earthquake, pandemic)

Incident Response Management – Steps to address and minimize the negative impact of a physical or logical incident (e.g., security breach, theft)

Contingency Planning – Process of developing advance arrangements and procedures that enable response to an event that could occur by chance or unforeseen circumstances

Page 12

Planning efforts are limited

Most of us have Business Continuity Plans and/or Disaster Recovery Plans, but these become shelf-ware, are not tested and don’t include pandemic situations.

Page 13

Pause and Poll

1. Have your plans helped during the COVID-19 Crisis?

• Yes
• No
• Some
• We don’t have BCP or DR Plans

Page 14

Understanding the Business Impact Analysis

How the BIA informs decisions

Page 15

Informed Planning

Imagine if you had a blueprint to inform decisions while in crisis management and after. That’s what the BIA provides.

A BIA is the process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption. Gartner

A BIA predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Identifying and evaluating the impact of disasters on business provides the basis for investment in:

• Recovery strategies
• Investment in prevention
• Mitigation strategies

Ready.gov

Page 16

Foundation of Risk Management

Foundational to Risk Management Program:

• Business Impact Analysis
• Business Continuity Planning
• IT Disaster Recovery Planning
• Risk Analysis
• IT System Inventory

Risk Management Objectives: Required by HIPAA, Outlined in NIST Security Best Practice

Input from Business Units: Driven by the needs of the Business

Page 17

The BIA Process

Step 1: Validate Mission Essential Functions to guide the process

Step 2: Determine the scope of primary business functions

Step 3: Schedule project kick-off meeting with stakeholders

Step 4: Send out Business Function Surveys

Step 5: Schedule and conduct interviews

Step 6: Analyze results and prepare report

Step 7: Socialize results with stakeholders

Step 8: Address identified gaps between needs and capabilities

Step 9: Update BIA as environment changes

Step 10: Perform comprehensive BIA every 3 years

Scope: Primary Business Functions – Administration, Cancer, Cardiac, Clinical Engineering, Critical Care, Compliance, ED, Finance and Accounting, HR, Lab and Respiratory, Nutrition Services, Patient Access, Pharmacy, Plant Engineering and Facilities, Procurement, Surgery

Page 18

Participants Include Leadership

Senior Leadership

Senior Leadership has the responsibility for ensuring that business continuity plans are sufficient to sustain the business in the event of a disaster. By authorizing and supporting the BIA process, senior leadership is taking the first step toward informed disaster recovery planning.

Business Leadership

Business Leadership should understand the impact of disruptions to business operations if business critical processes are temporarily unavailable. Business Leadership should be able to articulate the maximum tolerable downtime an information system can be unavailable for the organization to maintain business operations.

System Owners or SMEs

The System Owners and Subject Matter Experts (SMEs) provide perspective on impacts to business processes when information systems are not available and manual processes must be implemented. SMEs also help formulate efficient and effective mitigation strategies.

Page 19

Prioritizes Functions and Processes to meet the Organization’s Mission

Primary Business Functions and Supporting Business Processes

Organization → Mission Essential Functions → Function → Processes

Function                 Processes
Finance and Accounting   Payroll
Surgery                  Elective Surgeries
Pharmacy                 Med Admin

Impact to the Organization if Function/Process is not available

QUALITATIVE IMPACT ANALYSIS

Category                     Description                                                                        Weight
Life                         Potential someone could die                                                        5
Safety                       Potential someone would be harmed                                                  4
Finances                     Potential assets or dollars would be lost                                          3
Legality                     Potential compliance or other lawsuits                                             2
Customer Service/Publicity   Potential harm to customer service level/base and/or harm from adverse publicity   1

QUANTITATIVE IMPACT ESTIMATES

Scoring   Low Range    High Range         Impact to Business or Operations
1         0            < 500,000          No to Low
2         500,000      But < 1,500,000    Low to Moderate
3         1,500,000    But < 3,500,000    Moderate
4         3,500,000    But < 5,000,000    Moderate to High
5         5,000,000    And greater        High to Catastrophic

Resources necessary to support most critical business functions and processes

Resources: People (SMEs), Technology, Services, Equipment

Page 20

Information Discovery Is Collected from Business Leadership

Mission Essential Functions → Primary Business Functions → Business Processes → Resources → Systems

Recovery Time Objective (RTO) – Determination of how quickly the supporting systems must be recovered to support the business process.

“RTO 0” Recovered within 12 Hrs
“RTO 1” Recovered within 24 Hrs
“RTO 2” Recovered within 48 Hrs
“RTO 3” Recovered within 5 Days
“RTO 4” Recovered within 10 Days

Recovery Point Objective (RPO) – Determination of how much data loss is tolerable before a business process is significantly impacted. The date of the most recent data backup or snapshot, located off-site, determines the maximum data loss.

“RPO 0” Less than 1 Day
“RPO 1” 1 Day
“RPO 2” 2 Days
“RPO 3” 5 Days
“RPO 4” Greater than 5 Days

Maximum Tolerable Downtime (MTD) – Determination of how quickly a business process must be recovered during a disaster, influenced by factors such as the ability to provide a reasonable level of service through alternative means; financial impacts; intangible impacts such as the loss of customer confidence.

EX:

Mission Essential Function   Primary Business Function   Business Process      Resources                         Systems
Provide Quality Care         Emergency Department        Triage/Registration   Triage Nurse, Medical Equipment   EMR System, Label Printer

Page 21

Information Discovery is more than ‘Just IT Systems’

Business Unit Overview → Business Processes → Dependencies → Systems

• Contact information for business leadership and SMEs
• Can this process be performed manually? How long? Documented?
• What are the inter-dependencies (work received, and work sent) with internal business units?
• Type of data stored, processed or transmitted? (i.e., PHI, PII, PCI)
• How many people work in the department? What are the normal working hours?
• Are there regulatory, legal, service level requirements?
• Are there key personnel necessary? Number of records? (over 500)
• What is the average work volume processed? Is there a peak volume or critical time for your workload?
• Are there vital records associated? Are there 3rd party services or products?
• Systems Classifications (High, Medium, Low): Confidentiality, Integrity, Availability

What anticipated changes over the next 12 months could affect business impacts as identified above?

• Acquisitions
• New computer systems
• Mergers
• New federal, state regulations
• New market introductions

Page 22

How the BIA Informs Decision Making

Value of the BIA

Page 23

BIA Engages Business and IT

Engage the Business (Business Unit Survey, Conduct Interviews)

• Business Functions
• Business Processes
• Essential Personnel
• Dependencies
• IT Systems

Engage IT

• IT System Inventory
• Tier Systems
• Data Flows
• Essential System SMEs
• Current Recovery

Prioritize Requirements for DR based on Impact to the Business

Identified Gap between Business Needs and Current DR Capability

Socialize the Gap: Informed Leadership, Business and IT

Build the Blueprint for Business Continuity: Business Impact Analysis

Opportunity to Educate, Maximize Business Resiliency

Page 24

Opportunity to Close the Gap

BIA-Derived RTOs vs Current RTOs

Recovery Time Objectives: 12 Hrs | 1 Day | 2 Days | 3 Days | 4 Days | 5+ Days

Business Processes       BIA Derived RTO 0   BIA Derived RTO 1   BIA Derived RTO 2
Qualitative Impact       Life/Safety         Safety              Safety/Legal
Quantitative Impact      > $5M               > $3.5M             > $1.5M

CURRENT RTO for Key Business Processes, plotted on the same timeline; the distance between it and the BIA-derived RTO is the Identified Gap.

Options for closing the Gap

Business Continuity Planning – Business Units develop documented plans to continue processes until systems and resources are available
• Forms to capture data
• Manual procedures

Disaster Recovery Planning – IT revise plans to recover systems within BIA derived RTOs
• High availability configurations
• Hot Site
• Increased Cloud Provider SLA

Combination of BCP and DRP result in Maximized Business Resiliency
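The scoring tables, the RTO/RPO tiers and the gap between a BIA-derived RTO and what IT can deliver today are the three pieces of the method that the preceding slides describe in prose. The following Python is an added worked example, not Clearwater's tool and not code from the webinar: it encodes the qualitative weights and quantitative bands from the Qualitative/Quantitative Impact tables, the RTO and RPO tiers from the Information Discovery slide, and then ranks a set of processes and reports each one's RTO gap. Two things are assumptions of this example rather than statements on the slides: the rule that derives an RTO tier from a weight or score (tier = 5 minus weight, tier = 5 minus score, take the more urgent), chosen because it reproduces the slide's pairing of RTO 0 with Life/Safety and > $5M, and the four sample processes with their dollar estimates and current recovery times, which are constructed.

```python
"""Worked BIA example (added illustration): impact scoring, RTO/RPO tiering and
the gap between BIA-derived and current recovery capability.  The tables come
from the slides; the tier-derivation rule and sample data are constructed."""
from dataclasses import dataclass

# Qualitative impact categories and weights (Qualitative Impact Analysis table).
QUALITATIVE_WEIGHT = {
    "Life": 5,
    "Safety": 4,
    "Finances": 3,
    "Legality": 2,
    "Customer Service/Publicity": 1,
}

# Quantitative bands: (exclusive upper bound in dollars, score, impact label).
QUANTITATIVE_BANDS = [
    (500_000, 1, "No to Low"),
    (1_500_000, 2, "Low to Moderate"),
    (3_500_000, 3, "Moderate"),
    (5_000_000, 4, "Moderate to High"),
]

# Recovery windows per tier: RTO in hours, RPO in days (RPO 4 is "greater than 5 days").
RTO_TIER_HOURS = {0: 12, 1: 24, 2: 48, 3: 5 * 24, 4: 10 * 24}
RPO_TIER_DAYS = {1: 1, 2: 2, 3: 5}


def quantitative_score(loss_dollars):
    """Map an estimated dollar loss to the 1..5 score and its impact label."""
    for upper, score, label in QUANTITATIVE_BANDS:
        if loss_dollars < upper:
            return score, label
    return 5, "High to Catastrophic"          # 5,000,000 and greater


def rto_tier_for_hours(hours):
    """Smallest RTO tier whose window covers a required recovery time; None beyond 10 days."""
    for tier, limit in RTO_TIER_HOURS.items():
        if hours <= limit:
            return tier
    return None


def rpo_tier_for_days(days_of_data_loss):
    """RPO tier for a tolerable data loss; RPO 0 is strictly less than one day."""
    if days_of_data_loss < 1:
        return 0
    for tier in (1, 2, 3):
        if days_of_data_loss <= RPO_TIER_DAYS[tier]:
            return tier
    return 4


@dataclass
class BusinessProcess:
    function: str                 # primary business function
    name: str                     # supporting business process
    impact_categories: tuple      # qualitative categories that apply
    estimated_loss: int           # quantitative estimate, dollars
    current_recovery_hours: int   # what IT can deliver today


def derived_rto_tier(proc):
    """ASSUMED rule (not on the slides): weight w -> tier 5-w, score s -> tier 5-s,
    and the process takes the more urgent of the two."""
    qual = max(QUALITATIVE_WEIGHT[c] for c in proc.impact_categories)
    quant, _ = quantitative_score(proc.estimated_loss)
    return min(5 - qual, 5 - quant)


def analyze(processes):
    """Rank processes by priority and report the RTO gap (hours) for each."""
    rows = []
    for p in processes:
        tier = derived_rto_tier(p)
        window = RTO_TIER_HOURS[tier]
        qual = max(QUALITATIVE_WEIGHT[c] for c in p.impact_categories)
        rows.append({"process": p.name, "function": p.function, "rto_tier": tier,
                     "window_hours": window,
                     "gap_hours": max(0, p.current_recovery_hours - window),
                     "qualitative_weight": qual, "estimated_loss": p.estimated_loss})
    # Most urgent tier first; within a tier, higher qualitative weight, then larger loss.
    rows.sort(key=lambda r: (r["rto_tier"], -r["qualitative_weight"], -r["estimated_loss"]))
    return rows


# Constructed sample input; function/process pairs follow the slide's examples.
SAMPLE_PROCESSES = [
    BusinessProcess("Finance and Accounting", "Payroll", ("Finances", "Legality"), 2_000_000, 72),
    BusinessProcess("Surgery", "Elective Surgeries", ("Finances", "Customer Service/Publicity"), 6_000_000, 24),
    BusinessProcess("Pharmacy", "Med Admin", ("Life", "Safety"), 1_000_000, 8),
    BusinessProcess("Emergency Department", "Triage/Registration", ("Life",), 4_000_000, 36),
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_PROCESSES):
        status = f"GAP {r['gap_hours']}h" if r["gap_hours"] else "meets RTO"
        print(f"RTO {r['rto_tier']} ({r['window_hours']:>3}h)  {r['function']:<22} {r['process']:<20} {status}")
```

On the constructed data the ranking puts Triage/Registration and Med Admin at RTO 0 ahead of Elective Surgeries (also RTO 0 on dollars alone) and Payroll at RTO 2, and it flags three of the four as gaps: Payroll at 72 hours against a 48-hour window, Triage at 36 hours and Elective Surgeries at 24 hours against a 12-hour window. Those gap rows are exactly what the "Options for closing the Gap" slide is about: each one needs either a business continuity workaround for the uncovered hours or a DR investment that shortens the current recovery time.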

Page 25

BIA Results

Business Impact Analysis

Mission Essential Functions (MEFs), the limited set of functions that must be continued throughout, or resumed rapidly after, a disruption of normal operations.

Primary Business Functions (PBFs) and specific supporting processes that the organization must conduct to perform its MEFs. PBFs are enablers that make it possible to perform the mission.

Assessment and prioritization of PBFs and processes.

Identification of systems and applications used to perform MEFs and PBFs.

Maximum Tolerable Downtime (MTD), the amount of time the business function can be down before there is a considerable impact to the mission.

Recovery Time Objectives (RTOs), the amount of time after which the supporting systems must be recovered.

Recovery Point Objectives (RPOs), the amount of data the business unit can afford to lose due to an outage.

Specific Business Function information regarding key personnel, normal work hours, peak periods, vital records, and dependencies.

Page 26

How does the BIA help with COVID-19 Response?

A Business Impact Analysis provides the opportunity to engage with business leaders, prioritize business functions, tier critical systems and identify essential personnel. These important elements are core to crisis management and response planning.

Page 27

Crisis Management and Response Planning

Incident/Crisis Management Information Available in the BIA:

• Contact information for key business leaders
• Primary business functions, operations and locations
• IT systems necessary to support primary business functions
• Information to develop a plan to deliver all primary business functions that includes staffing and resources
• Non-essential business functions that can be suspended during the duration of the incident
• Vendor services and supply needs to support primary business functions
• “Non-essential workers” to be re-assigned for other “essential” duties in other units
• Internal and external dependencies for primary business functions

Page 28

Summary

Take-Aways

Page 29

BIA Take-Aways

• Prioritizes mission/business processes
• Identifies risk mitigation and recovery strategies based on criticality
• Identifies resources needed to resume mission/business (facilities, personnel, equipment, software, data files, system components, vital records)
• Identifies dependencies (suppliers, 3rd parties, data feeds, interfaces)
• Informs an overall Risk Management Program
• Builds “Enhanced Resilience” (Health & Public Health Critical Infrastructure)
• Allows for informed decisions to Business Continuity/Disaster Recovery planning (budget, resources)
• Provides information needed for Incident/Crisis Management

Page 30

Pause and Poll

2. Did you find this webinar helpful?

• Yes
• No

Page 31

Thank you & Questions

Cathie [email protected] | (434) 665-0345 | www.clearwatercompliance.com

Page 33

www.ClearwaterCompliance.com

800.704.3394

LinkedIn | linkedin.com/company/clearwater-compliance-llc/

Twitter | @clearwaterhipaa