Legal Disclaimer
Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
• 30+ years in Information Technology, 20 years working in Healthcare IT
• 15+ years in Information Security, Risk Management and Compliance
• 10+ years in Management Consulting
• Former Deputy Chief Information Security Officer for the Commonwealth of Virginia
• Expertise and Focus: Developing and leading Information Security and Risk Management teams, Healthcare and HIPAA Compliance
• Board Member of Virginia HIMSS Chapter, President-Elect, Chair of Women in Health IT SIG
• Active member of HIMSS, ISACA, Infragard and Project Management Institute
• Serve on advisory boards for cyber programs at the college level
• https://www.linkedin.com/in/cathiebrown/
Business Continuity – Encompasses developing, testing, and managing business unit and enterprise-wide continuity plans
Disaster Recovery – Process focused on building continuity capabilities for critical IT infrastructure and business applications
Crisis Management – Steps to address and mitigate the effect of a negative event (e.g., fire, tornado, earthquake, pandemic)
Incident Response Management – Steps to address and minimize the negative impact of a physical or logical incident (e.g., security breach, theft)
Contingency Planning – Process of developing advance arrangements and procedures that enable response to an event that could occur by chance or through unforeseen circumstances
Most of us have Business Continuity Plans and/or Disaster Recovery Plans, but these become shelf-ware, are not tested and don’t include pandemic situations.
Imagine if you had a blueprint to inform decisions while in crisis management and after. That’s what the BIA provides.
A BIA is the process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption. (Gartner)
A BIA predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Identifying and evaluating the impact of disasters on business provides the basis for investment in:
• Recovery strategies
• Prevention
• Mitigation strategies
(Ready.gov)
Senior Leadership has the responsibility for ensuring that business continuity plans are sufficient to sustain the business in the event of a disaster. By authorizing and supporting the BIA process, senior leadership takes the first step toward informed disaster recovery planning.
Business Leadership
Business Leadership should understand the impact of disruptions to business operations if business-critical processes are temporarily unavailable. Business Leadership should be able to articulate the maximum tolerable downtime an information system can be unavailable while the organization still maintains business operations.
System Owners or SMEs
The System Owners and Subject Matter Experts (SMEs) provide perspective on the impacts to business processes when information systems are not available and manual processes must be implemented. SMEs also help formulate efficient and effective mitigation strategies.
Category | Potential Impact | Score
Life | Potential someone could die | 5
Safety | Potential someone would be harmed | 4
Finances | Potential assets or dollars would be lost | 3
Legality | Potential compliance or other lawsuits | 2
Customer Service/Publicity | Potential harm to customer service level/base and/or harm from adverse publicity | 1
QUANTITATIVE IMPACT ESTIMATES
Scoring | Low Range | High Range | Impact to Business or Operations
1 | 0 | < 500,000 | No to Low
2 | 500,000 | < 1,500,000 | Low to Moderate
3 | 1,500,000 | < 3,500,000 | Moderate
4 | 3,500,000 | < 5,000,000 | Moderate to High
5 | 5,000,000 | and greater | High to Catastrophic
Resources necessary to support most critical business functions and processes
Information Discovery Is Collected from Business Leadership
Mission Essential Functions | Primary Business Functions | Business Processes | Resources
Recovery Time Objective (RTO) – Determination of how quickly the supporting systems must be recovered to support the business process.
Recovery Point Objective (RPO) – Determination of how much data loss is tolerable before a business process is significantly impacted. The date of the most recent data backup or snapshot, located off-site, determines the maximum data loss.
"RTO 0" – Recovered within 12 Hrs
"RTO 1" – Recovered within 24 Hrs
"RTO 2" – Recovered within 48 Hrs
"RTO 3" – Recovered within 5 Days
"RTO 4" – Recovered within 10 Days
"RPO 0" – Less than 1 Day
"RPO 1" – 1 Day
"RPO 2" – 2 Days
"RPO 3" – 5 Days
"RPO 4" – Greater than 5 Days
Example row – Mission Essential Function: Provide Quality Care; Primary Business Function: Emergency Department; Business Process: Triage/Registration; Resources: Triage Nurse, Medical Equipment; Systems: EMR System, Label Printer
Maximum Tolerable Downtime (MTD) – Determination of how quickly a business process must be recovered during a disaster, influenced by factors such as the ability to provide a reasonable level of service through alternative means, financial impacts, and intangible impacts such as the loss of customer confidence.
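The RTO/RPO tiers and the MTD definition above lend themselves to a small consistency check that a BIA team can run over its collected data: map each system's stated objectives onto the deck's tiers, confirm that no system RTO is longer than the MTD of the process it supports, and confirm that the age of the most recent off-site snapshot does not already exceed the RPO the business said it could tolerate. The following is an added example, not Clearwater's code; the tier boundaries come from the slides, while the function names, the rule that a system RTO must fit inside the process MTD (standard continuity-planning practice rather than a statement from the deck), and the Emergency Department sample record are constructed for illustration.

```python
"""RTO/RPO tiering and BIA consistency checks (added example).

Tier boundaries follow the deck's "RTO 0-4" / "RPO 0-4" scale; everything
else (names, sample data, the MTD vs RTO rule) is an assumption for this
illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

HOURS_PER_DAY = 24

# (tier, "recovered within" upper bound in hours) from the deck's RTO scale.
RTO_TIERS = [(0, 12), (1, 24), (2, 48), (3, 5 * HOURS_PER_DAY), (4, 10 * HOURS_PER_DAY)]


def rto_tier(required_recovery_hours: float) -> Optional[int]:
    """Map a required recovery window to the deck's RTO 0-4 tier.

    Returns None when the window is longer than the widest tier (10 days),
    so an out-of-scale process is surfaced instead of silently landing in
    the most lenient tier.
    """
    for tier, upper in RTO_TIERS:
        if required_recovery_hours <= upper:
            return tier
    return None


def rpo_tier(tolerable_data_loss_hours: float) -> int:
    """Map tolerable data loss to the deck's RPO 0-4 tier.

    The deck gives point values (1, 2 and 5 days); values that fall between
    them are rounded up to the next tier here (an assumption).
    """
    if tolerable_data_loss_hours < 1 * HOURS_PER_DAY:
        return 0
    if tolerable_data_loss_hours <= 1 * HOURS_PER_DAY:
        return 1
    if tolerable_data_loss_hours <= 2 * HOURS_PER_DAY:
        return 2
    if tolerable_data_loss_hours <= 5 * HOURS_PER_DAY:
        return 3
    return 4


@dataclass
class SupportingSystem:
    name: str
    rto_hours: float                # how quickly the system must be recovered
    rpo_hours: float                # data loss the business process can tolerate
    last_offsite_snapshot: datetime  # most recent backup/snapshot held off-site


@dataclass
class BusinessProcess:
    name: str
    mtd_hours: float                # maximum tolerable downtime of the process
    systems: List[SupportingSystem]


def data_loss_exposure_hours(system: SupportingSystem, at: datetime) -> float:
    """Hours of data lost if the system failed at `at`.

    The deck notes that the most recent off-site backup or snapshot sets the
    maximum data loss, so exposure is simply the snapshot's age.
    """
    return (at - system.last_offsite_snapshot).total_seconds() / 3600


def review_process(process: BusinessProcess, at: datetime) -> List[str]:
    """Return findings where a supporting system's objectives are inconsistent or unmet."""
    findings = []
    for system in process.systems:
        # A system that takes longer to recover than the process can be down
        # cannot satisfy that process (assumed rule, standard BCP practice).
        if system.rto_hours > process.mtd_hours:
            findings.append(
                f"{system.name}: RTO {system.rto_hours:g}h (RTO {rto_tier(system.rto_hours)}) "
                f"exceeds MTD {process.mtd_hours:g}h of {process.name}"
            )
        exposure = data_loss_exposure_hours(system, at)
        if exposure > system.rpo_hours:
            findings.append(
                f"{system.name}: off-site snapshot is {exposure:.1f}h old, "
                f"RPO is {system.rpo_hours:g}h (RPO {rpo_tier(system.rpo_hours)})"
            )
    return findings


def sample_triage_process(now: datetime) -> BusinessProcess:
    """Constructed sample modelled on the deck's Emergency Department example row."""
    return BusinessProcess(
        name="Emergency Department Triage/Registration",
        mtd_hours=24,
        systems=[
            SupportingSystem("EMR System", rto_hours=12, rpo_hours=4,
                             last_offsite_snapshot=now - timedelta(hours=6)),
            SupportingSystem("Label Printer", rto_hours=48, rpo_hours=24,
                             last_offsite_snapshot=now - timedelta(hours=1)),
        ],
    )


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 12, 0)  # constructed review time
    for finding in review_process(sample_triage_process(now), now):
        print(finding)
```

Run stand-alone, the sample reports two findings: the EMR snapshot is older than the 4-hour RPO, and the Label Printer's 48-hour RTO cannot satisfy a process with a 24-hour MTD. Either finding is the kind of gap the deck's Disaster Recovery Planning step (revising plans to hit BIA-derived RTOs) is meant to close.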
Information Discovery is more than ‘Just IT Systems’
Business Unit Overview | Business Processes | Dependencies | Systems
Contact information for business leadership and SMEs
Can this process be performed manually? How long? Documented?
What are the inter-dependencies (work received, and work sent) with internal business units?
Type of data stored, processed or transmitted? (i.e., PHI, PII, PCI)
How many people work in the department? What are the normal working hours?
Are there regulatory, legal, service level requirements?
Are there key personnel necessary? Number of records? (over 500)
What is the average work volume processed? Is there a peak volume or critical time for your workload?
Are there vital records associated? Are there 3rd party services or products?
Systems Classifications (High, Medium, Low): Confidentiality, Integrity, Availability
What anticipated changes over the next 12 months could affect business impacts as identified above?
• Acquisitions
• New computer systems
• Mergers
• New federal, state regulations
• New market introductions
How the BIA Informs Decision Making
Value of the BIA
Business Continuity Planning – Business Units develop documented plans to continue processes until systems and resources are available
• Forms to capture data
• Manual procedures
Disaster Recovery Planning – IT revises plans to recover systems within BIA-derived RTOs
• High availability configurations
• Hot Site
• Increased Cloud Provider SLA
The combination of BCP and DRP results in Maximized Business Resiliency
Mission Essential Functions (MEFs), the limited set of functions that must be continued throughout, or resumed rapidly after, a disruption of normal operations.
Primary Business Functions (PBFs) and specific supporting processes that the organization must conduct to perform its MEFs. PBFs are enablers that make it possible to perform the mission.
Assessment and prioritization of PBFs and processes.
Identification of systems and applications used to perform MEFs and PBFs.
Maximum Tolerable Downtime (MTD), the amount of time the business function can be down before there is a considerable impact to the mission.
Recovery Time Objectives (RTOs), the amount of time after which the supporting systems must be recovered.
Recovery Point Objectives (RPOs), the amount of data the business unit can afford to lose due to an outage.
Specific Business Function information regarding key personnel, normal work hours, peak periods, vital records, and dependencies.
A Business Impact Analysis provides the opportunity to engage with business leaders, prioritize business functions, tier critical systems and identify essential personnel. These elements are core to crisis management and response planning.
Incident/Crisis Management Information Available in the BIA
• Contact information for key business leaders
• Primary business functions, operations and locations
• IT systems necessary to support primary business functions
• Information to develop a plan to deliver all primary business functions that includes staffing and resources
• Non-essential business functions that can be suspended for the duration of the incident
• Vendor services and supply needs to support primary business functions
• "Non-essential workers" to be re-assigned to other "essential" duties in other units
• Internal and external dependencies for primary business functions
• Prioritizes mission/business processes
• Identifies risk mitigation and recovery strategies based on criticality
• Identifies resources needed to resume mission/business (facilities, personnel, equipment, software, data files, system components, vital records)
• Identifies dependencies (suppliers, 3rd parties, data feeds, interfaces)
• Informs an overall Risk Management Program
• Builds "Enhanced Resilience" (Health & Public Health Critical Infrastructure)
• Allows for informed decisions on Business Continuity/Disaster Recovery planning (budget, resources)
• Provides information needed for Incident/Crisis Management