- This year, healthcare has been hit by multiple cyber events that have demonstrated the importance of and just how critical contingency planning is to providing care. Furthermore, massive DDoS attacks using the thousands of IoT devices connected to the internet as attack platforms show how critical healthcare disaster recovery planning can be.
Regardless the reason or the method when a cyber event occurs, it is often the organization’s preparedness and ability to respond and restore its systems and operations that makes the difference between a crippling event and dodged bullet.
One of the things that is consistently identified as a high risk during assessments is many organizations lack an effective disaster recovery (DR) process. There are often several reasons for this ranging from a lack of knowledge and/or experience, a lack of resources, or a failure to prioritize the need.
Disaster recovery planning can be both scary and overwhelming. The size and complexity of an organization only compounds the problem. There are a few key principles and practices that can make the whole process much more approachable and workable.
The Planner Role
Organizations need to define the need for contingency planning and provide executive leadership. The first step is to appoint someone who will own and drive development of the DR plan.
What should be expected of the individual assigned that role? Is that individual responsible for everything needed in development of the plan?
A lack of understanding or clearly defining the role expectations is often one of the biggest challenges. I have experienced too many examples in which the individual assigned to own the DR process is expected to do everything, often in addition to their normal duties. But what happens? Often, development of the plan gets ignored.
Instead, the DR planner role should be viewed more as a project manager type of role. They will ultimately be driving the development activities and pulling everything together into a cohesive and comprehensive plan, but they will be relying on the rest of the organization to develop processes and associated documentation.
Ownership and Support
Another thing that organizations often fail to recognize is that disaster recovery, and ultimately business continuity, is a key responsibility for every employee. Why? Each employee is the best available resource for outlining process details, workarounds, recovery actions, training requirements, etc., involved in their particular position.
Several events this year highlighted the weaknesses in continuity planning such as the cumulative effect of a long-term outage, staff who were not prepared to operate with computer-aided support and staff that did not know how to perform basic functions manually. Many new generation workforce members had never operated in an environment devoid of computer support. The organization needs to communicate the need and importance of supporting the DR plan development process.
Now that we have a driver and everyone knows to support that individual, what’s next? We need to identify criticality of applications, processes, systems, personnel, etc.
Understanding criticality of assets allows us to prioritize components of the plan development process by focusing on the more important aspects today and the less critical components at some future date. We do not need the DR plan to account for everything immediately - think of it as a phased project that will eventually address everything over time.
Most organizations rely on a formal business impact analysis (BIA) for determining criticality and the associated details. While this is ideal, even that practice can be a bit overwhelming.
Do not be afraid to define a process that makes sense and is workable for those involved in defining criticality based on their experience and understanding of the organization. For example, I know of many organizations that utilize a simple three-tier system - critical, important, and everything else. It is more important to start with some basic understanding of criticality that could then be improved over time to include more details, eventually resulting in a BIA.
What is most important is that this analysis be practical and realistic, addressing both the best case scenario as well as the worst case. Determining criticality must also take into account the various dependencies between systems and processes.
Data that is critical for forming the total picture necessary for clinical decision processes may originate from multiple ancillary systems that feed the EHR for instance. Focusing solely on the most important systems and not understanding these critical relationships can be a mistake.
One of the most important aspects for developing an effective DR plan is the ability to collect and document the necessary details and processes. As identified earlier, each employee should understand and have details on their position that need to be collected. Organizations could try and get the individual to document the details, but they often have competing priorities.
It’s much better to define a formal interview and data collection process in which those details are discussed and captured. The details will eventually be collated into the larger plan, so consistency of the data collection method is very important.
Contingency planning, like many other business processes, requires a specific knowledge of and training in understanding various key aspects of disaster recovery and business continuity. In the IT field, those individuals who typically perform this function carry the Certified Business Continuity Planner certification and have trained on not only the key concepts in this practice such as Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) but also the methodology for conducting this analysis and planning.
Organizations involved in doing this planning internally should afford the individuals assigned these responsibilities the opportunity to receive this training, or seek external support from those experienced in contingency planning. Ultimately, the quality of the contingency plan is dictated by the quality of the data collected, the analysis performed and the appreciation of the organization’s operations and processes.
Continuous Testing and Revision
Another key aspect for development is to understand that DR planning is a continuous process; there is no end date. Practices and processes need to be constantly tested and revised to account for both organizational changes over time as well as to account for parts of the plan that simply do not work.
A plan for periodically testing each component of the plan should be developed and implemented. That plan must include workforce member participation and input. It is critical they own those plans and prepare for the eventuality that they may actually have to use them.
Staying HIPAA Compliant
The OCR has focused a lot of attention on contingency planning in healthcare as a HIPAA priority.
This year’s events have bolstered their resolve in this arena, so much so that this is one of the areas that will receive focus during this year’s OCR audits of both covered entities and business associates. It’s an area that is routinely looked at during investigations involving lost or corrupted data.
Disaster recovery planning is an extremely important activity that an organization should ensure it has appropriately addressed, for both compliance and risk related reasons. Every organization has events that impact the enterprise or systems. The difference between the ones you read about and the ones you don’t, is often a factor of how well they plan for contingencies and their readiness to respond and restore when they happen.
Jeremy Molnar is vice president of services for CynergisTek, Inc. Molnar has over 15 years experience dedicated to information security, with 9 years focused on healthcare IT. Molnar leads several company-wide initiatives to develop processes and procedures for CynergisTek’s technical testing services and security assessments, and leads the team to continuously improve service and analysis. He has participated in hundreds of assessments and remediation plans with CynergisTek’s clients to help them build comprehensive information security programs.