The Value of a Business Impact Analysis
October 17, 2019
© Clearwater Compliance | All Rights Reserved


Overview

Title: The Value of a Business Impact Analysis

Learning Objectives Addressed in This Webinar:

1. Understanding the Business Impact Analysis (BIA)
2. How to conduct the BIA and what information to gather
3. The value of the BIA to your organization and how to incorporate the results into your Business Continuity Planning


Introductions

Cathie Brown | PMP, CGEIT, CISM, CISSP

Vice President, Professional Services

• 30+ years in Information Technology, 20 years working in Healthcare IT
• 15+ years in Information Security, Risk Management and Compliance
• 10+ years in Management Consulting
• Former Deputy Chief Information Security Officer for the Commonwealth of Virginia
• Expertise and Focus: Developing and leading Information Security and Risk Management teams, Healthcare and HIPAA Compliance
• Board Member of Virginia HIMSS Chapter, Chair of Women in Health IT SIG
• Active member of HIMSS, ISACA, Infragard and Project Management Institute
• https://www.linkedin.com/in/cathiebrown/

Dee Cruit | MSEd, MS Cybersecurity, CISSP, Epic SC

Principal Consultant

• 22 years of experience developing, establishing and maintaining military communication networks.
• 11 years with Medical specific units providing communication and interface support.
• 3+ years of experience as an Epic Security Coordinator
• 3+ years as an Information Security Analyst in the hospital setting.
• 5+ years of experience conducting Risk Management and Security Compliance Assessments

• Extensive experience in information security policy, procedure and educational program development and implementation.

• Expansive expertise in the application of regulatory controls and safeguards pursuant to NIST cybersecurity best practices and associated compliance requirements

• https://www.linkedin.com/in/deidre-cruit-04433b117/


Pause and Quick Poll

1. Tell us about yourself. Who is in the audience?

Options: CIO / CISO / IT / Compliance Officer / Other


Could your Organization Survive a Disaster?

The Hard Questions Hospital and Health System Leaders Must Ask


Disasters and Disruptions Happen… It Could Never Happen to Me… OR Could It?

Disaster or Disruption

• Natural Events: Hurricanes, Floods, Tornadoes, Fires
• Physical Plant Events: Explosions, Physical Attack/Accident, Fiber Seeking Backhoe, Power Outages
• Cyber Security Events: Ransomware, Denial of Service
• Biological/Chemical Events: Bioterrorism, Chemical Leaks
• Pandemics: Influenza, Ebola


Is your organization ready?

• Is there a continuity plan in place that covers the most critical business processes? Do we know what those critical processes are?

• Do you know what the vital systems and applications are in your organization?

• If disaster or disruption happens, could your organization continue to deliver services? Which services are most important? Do you understand the dependencies?

• How can you minimize the risk of disruption to your operations?


Business Impact Analysis Results Inform Other Critical Decisions

Business Impact Analysis Results feed:

• Recovery Sites: Cold, Warm, Hot
• DR/Planning: A Teams, B Teams, C Teams
• Backup and Recovery Objectives: Recovery Point, Recovery Time, Maximum Tolerated Down Time
• Down Time Procedures: Emergency Mode Planning, Paper/Manual Processes, Diversion point/plan
• Budgeting: Strategic, Tactical


What is a Business Impact Analysis?

Shaping the Conversation


What is a BIA?

• A business impact analysis (BIA) collects information on critical business functions, and then evaluates and quantifies the potential effects if a disaster occurs.

• A BIA is designed to determine the critical information system functions, processes and dependencies that are essential for continued business operations.


What is a BIA? - Defined

• The goal of a BIA is to identify information assets and tier them in order of criticality, which can then be used to determine the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO).

• Results from the BIA should be appropriately incorporated into the analysis and strategy development efforts for the organization’s Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).


Business Impact Analysis is NOT

• An “IT” Project
• Business Continuity Plan
• Disaster Recovery Plan
• Compliance Exercise (check the box)


Pause and Quick Poll

2. Does your organization have a current (within the last 2 years) BIA for the enterprise?

Options: Yes / No / Not Sure


Why is a Business Impact Analysis Important?

Looking at the Big Picture and Regulatory Requirements


Required No Matter What Framework You Use

A BIA ensures that resources (e.g., hardware, devices, data, and systems) are prioritized based on their classification, criticality, and business value.


HIPAA Security Rule Requirement

Continuity Plan

§164.308(a)(7)(i): Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

• Does the entity have policies and procedures in place that include a formal contingency plan for responding to an emergency or other occurrences that damages systems that contain ePHI?

Contingency Plan – Data Backup

§164.308(a)(7)(ii)(A): Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

• Does the entity have policies and procedures in place to create and maintain retrievable exact copies of ePHI?

Contingency Plan – Disaster Recovery Plan

§164.308(a)(7)(ii)(B): Establish (and implement as needed) procedures to restore any loss of data.

• Does the entity have policies and procedures in place to restore any lost data?

Contingency Plan – Emergency Mode Operation Plan

§164.308(a)(7)(ii)(C): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

• Does the entity have policies and procedures in place to enable the continuity of critical business processes for the protection of ePHI while operating in emergency mode?


The 7 Steps of Business Continuity Planning (NIST)


The Nuts and Bolts of a Business Impact Analysis

The Devil is in the Details


Clearwater’s Business Impact Analysis Process

Business Unit Survey → On-site Discovery → Data Analysis → Deliverables

• Business Unit Survey
  • Identify in-scope business units
  • Identify business owners
  • Kick off meeting
  • Send out survey
  • Gather data
  • Target date for on-site discovery

• On-site Discovery
  • Schedule interviews
  • Gather outage impacts and downtime estimates

• Data Analysis
  • Establish recovery time objectives
  • Establish recovery point objectives
  • Create asset tiering

• Deliverables
  • Executive Out Brief
  • Summarized Findings Report
  • A list of tiered organizational assets


Who should be involved in a Business Impact Analysis

Senior Leadership

Has the responsibility for ensuring that business continuity plans are sufficient to sustain the business in the event of a disaster. By authorizing and supporting the BIA process, senior leadership is taking the first step toward informed disaster recovery planning.

Business Owners

Are primarily responsible for understanding how information systems support business operations at the department level. Business owners should understand the impact of disruptions to business operations if business critical information systems are temporarily unavailable. Business owners should be able to articulate the maximum tolerable downtime an information system can be unavailable for the organization to maintain business operations.

System Owners or Subject Matter Experts

The System Owners and Subject Matter Experts (SMEs) provide perspective on impacts to business operations when information systems are not available and manual processes must be implemented. SMEs also help formulate efficient and effective mitigation strategies.


What Business Functions Should Be In-Scope

• Mission Essential Function or Critical Business Function - functions that must be continued throughout, or resumed rapidly after, a disruption of normal operations. These are functions that cannot be deferred during an emergency or disaster.

• Primary Business Functions – supporting functions that an organization must conduct in order to perform its Essential or Critical functions.


Business Units In-Scope

Oversight:

• Senior Leadership - Organization
• Senior Leadership - Operations
• Senior Leadership - Physician Relations
• Senior Leadership - Information Technology
• Senior Leadership - Strategy
• Senior Leadership - Finance
• Key Leader - Clinical
• Key Leader - Nursing
• Key Leader - Physician & Medical Technology

Day-To-Day Operations:

• Compliance & Audit Services
• Contracts & Legal Administration
• Corporate Communications
• Environmental Services
• Ethics
• Facilities
• Health Information Management
• Human Resources
• Laboratory Services
• Materials Management
• Nursing
• Perioperative
• Pharmacy
• Physician Services
• Quality & Patient Safety
• Radiology
• Rehabilitation Services
• Respiratory Care
• Revenue Cycle
• Risk Management
• Safety & Emergency Preparedness
• Security
• Technology Services
• Women's Services


Business Unit Survey – Identify Mission/Business Processes

Business Unit Name: Pharmacy Operations    Cost Center: 0452800

Description of Business Unit/Department Purpose: Maintain inventory of medications and dispense medications as prescribed

List the business processes performed by the business unit/department:

Mission/Business Process | Description
Maintain medication inventory | Work with vendors and pharmaceuticals to order and maintain an inventory of medications
Dispense medications as prescribed | Fill prescriptions and package for dispensing to patients
Etc. | Etc.


Example: Pharmacy Business Functions

Pharmacy Business Operations


Business Unit Survey - Assess the Impact

Category | Impact
Patient Safety | Potential someone would be harmed or die
Team Member Relations | Potential unacceptable stress or limited staff available
Community Impression | Potential loss of reputation
Productivity | Potential for financial loss or non-compliance

QUANTITATIVE IMPACT ESTIMATES

Scoring | Low Range | High Range | Impact to Business or Operations
1 | 0 | < 500,000 | No to Low
2 | 500,000 | < 1,500,000 | Low to Moderate
3 | 1,500,000 | < 3,500,000 | Moderate
4 | 3,500,000 | < 5,000,000 | Moderate to High
5 | 5,000,000 | and greater | High to Catastrophic

QUALITATIVE IMPACT ESTIMATES

Scoring | Impact to Business or Operations
1 | No to Low
2 | Low to Moderate
3 | Moderate
4 | Moderate to High
5 | High to Catastrophic

Mission/Business Process | Patient Safety | Team Member Relations | Community Impression | Productivity | Impact Score
Maintain medication inventory | 3 | 1 | 1 | 1 | 8
Dispense medication as prescribed | 4 | 4 | 1 | 1 | 13
Etc.
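The tables above give the scoring bands but not how the four category ratings combine into the per-process Impact Score. As an added example (not code from the deck or from Clearwater), the following Python applies the quantitative loss bands exactly as tabled, validates each survey row's four qualitative ratings, and ranks processes by a weighted total. The category weights (ASSUMED_WEIGHTS, patient safety counted twice) and the three survey rows are constructed assumptions, so its totals are not the deck's pharmacy figures.

```python
"""Impact scoring for a BIA business unit survey (added example, not from the deck)."""
from dataclasses import dataclass

# Quantitative impact bands from the deck's table:
# (inclusive low, exclusive high, score).  5,000,000 and above scores 5.
QUANT_BANDS = [
    (0, 500_000, 1),            # No to Low
    (500_000, 1_500_000, 2),    # Low to Moderate
    (1_500_000, 3_500_000, 3),  # Moderate
    (3_500_000, 5_000_000, 4),  # Moderate to High
]
TOP_SCORE = 5                   # High to Catastrophic

# The deck's four impact categories.
CATEGORIES = ("patient_safety", "team_member_relations",
              "community_impression", "productivity")

# ASSUMPTION (not stated in the deck): how the four ratings combine.
# Patient safety is counted twice, the other categories once.
ASSUMED_WEIGHTS = {"patient_safety": 2, "team_member_relations": 1,
                   "community_impression": 1, "productivity": 1}


def quantitative_score(estimated_loss: float) -> int:
    """Map an estimated loss onto the deck's 1..5 quantitative scale.
    Band edges are inclusive at the low end and exclusive at the high end,
    so exactly 500,000 scores 2 and 4,999,999 scores 4."""
    if estimated_loss < 0:
        raise ValueError("estimated loss cannot be negative")
    for low, high, score in QUANT_BANDS:
        if low <= estimated_loss < high:
            return score
    return TOP_SCORE


@dataclass
class ProcessImpact:
    """One survey row: a mission/business process and its 1..5 rating per category."""
    process: str
    ratings: dict

    def validate(self) -> None:
        missing = set(CATEGORIES) - set(self.ratings)
        if missing:
            raise ValueError(f"{self.process}: missing ratings {sorted(missing)}")
        for cat, score in self.ratings.items():
            if cat not in CATEGORIES or score not in (1, 2, 3, 4, 5):
                raise ValueError(f"{self.process}: bad rating {cat}={score!r}")

    def impact_score(self, weights=ASSUMED_WEIGHTS) -> int:
        """Weighted sum of the category ratings (the weights are an assumption)."""
        self.validate()
        return sum(weights[cat] * self.ratings[cat] for cat in CATEGORIES)


def rank_processes(rows):
    """(process, score) pairs, highest impact first, so the survey output
    feeds directly into recovery prioritisation."""
    return sorted(((r.process, r.impact_score()) for r in rows),
                  key=lambda pair: pair[1], reverse=True)


# Constructed survey rows; these are not the deck's pharmacy figures.
SAMPLE_ROWS = [
    ProcessImpact("Register and triage patients",
                  {"patient_safety": 5, "team_member_relations": 3,
                   "community_impression": 4, "productivity": 3}),
    ProcessImpact("Bill insurers",
                  {"patient_safety": 1, "team_member_relations": 2,
                   "community_impression": 2,
                   "productivity": quantitative_score(2_000_000)}),  # scores 3
    ProcessImpact("Order office supplies",
                  {"patient_safety": 1, "team_member_relations": 1,
                   "community_impression": 1,
                   "productivity": quantitative_score(120_000)}),    # scores 1
]

if __name__ == "__main__":
    for process, score in rank_processes(SAMPLE_ROWS):
        print(f"{score:3d}  {process}")
```

The productivity rating is the one category the deck quantifies in currency, so the example derives it from an estimated loss while the other three stay qualitative; rejecting out-of-range ratings at validation time keeps a single mistyped survey cell from silently promoting or demoting a process in the ranking.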


Determine Business Functions and Recovery Criticality

• Maximum Tolerable Downtime (MTD) – The MTD represents the total amount of time the system owner/authorizing official is willing to accept for a mission/business process outage or disruption and includes all impact considerations.

• Recovery Time Objective (RTO) – RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD.

• Recovery Point Objective (RPO) – The RPO represents the point in time, prior to a disruption or system outage, to which mission/business process data can be recovered (given the most recent backup copy of the data) after an outage.


There are trade-offs when assessing MTD, RTO and RPO

• The longer a disruption is allowed to continue, the more costly it can become to the organization and its operations.

• The shorter the Recovery Time Objective, the more expensive the recovery solution is to implement.

• Leadership should determine the optimum point to recover the information system by addressing the factors mentioned above while balancing the cost of system inoperability against the cost of resources required for restoring the system and its overall support for critical mission/business functions.


Business Unit Survey – Estimated Downtime

Mission/Business Process | MTD | RTO | RPO
Maintain medication inventory | 72 hours | 48 hours | 12 hours (last backup)
Dispense medications as prescribed | 8 hours | 4 hours | 0 hours (requires failover)
Etc.

Outage Interval Guide: <4 Hours, <8 Hours, <12 Hours, <24 Hours, <48 Hours


Business Unit Survey – Determine Resources

Mission/Business Process | Third Party Supplier | System Resource | Component Platform/OS/Server (as applicable) | Description
Maintain medication inventory | Medication suppliers | Medication Inventory Management System | Omnicell Server | MIMS and interfaces to 3rd party suppliers for orders and reconciliations
Dispense medications as prescribed | N/A | Robotic Dispensing Applications | Robotics | Robotics application and interface to EHR for med admin
Etc.


Tiering Assets based on impact to the business

Impact Matrix – Numeric Weight Assigned to a Recovery Tier

Tier | Rating | Calculated Outage Interval RPO + RTO Score
Tier 1 | Critical | 36 – 45
Tier 2 | Very Important | 30 – 35
Tier 3 | Important | 16 – 29
Tier 4 | Not Important | 13 – 15
Tier 5 | Nominal | 0 – 10
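As an added example serving both the Estimated Downtime survey and the Impact Matrix (not code from the deck or from Clearwater), the Python below checks each process's MTD/RTO/RPO entries for the consistency the definitions imply (RTO must not exceed MTD; an RPO of 0 hours means failover rather than restore; the backup cadence must fit inside the RPO), buckets the RTO with the deck's Outage Interval Guide, and assigns the tier from the Impact Matrix bands, flagging scores the matrix leaves unassigned (11–12 and anything above 45). The deck does not show how RTO and RPO become the 0–45 "RPO + RTO score", so the score is an input here; SAMPLE_ENTRIES and SAMPLE_SCORES are constructed.

```python
"""Downtime survey checks and asset tiering for a BIA (added example, not from the deck)."""
from dataclasses import dataclass
from typing import Optional

# Outage Interval Guide from the deck: (exclusive upper bound in hours, label).
INTERVAL_GUIDE = [(4, "<4 Hours"), (8, "<8 Hours"), (12, "<12 Hours"),
                  (24, "<24 Hours"), (48, "<48 Hours")]

# Impact Matrix from the deck: (inclusive low, inclusive high, tier).
# Scores 11-12 and anything above 45 have no band in the deck's table.
TIER_BANDS = [
    (36, 45, "Tier 1 Critical"),
    (30, 35, "Tier 2 Very Important"),
    (16, 29, "Tier 3 Important"),
    (13, 15, "Tier 4 Not Important"),
    (0, 10, "Tier 5 Nominal"),
]


def outage_interval(hours: float) -> str:
    """Bucket a duration with the deck's guide; 48 hours or more is outside it."""
    if hours < 0:
        raise ValueError("duration cannot be negative")
    for bound, label in INTERVAL_GUIDE:
        if hours < bound:
            return label
    return ">=48 Hours (outside guide)"


def assign_tier(score: int) -> Optional[str]:
    """Tier for an RPO + RTO score, or None where the matrix leaves a gap."""
    for low, high, name in TIER_BANDS:
        if low <= score <= high:
            return name
    return None


@dataclass
class DowntimeEntry:
    """One row of the Estimated Downtime survey, all durations in hours."""
    process: str
    mtd_hours: float
    rto_hours: float
    rpo_hours: float
    backup_interval_hours: Optional[float] = None  # None: no scheduled backup

    def findings(self) -> list:
        """Consistency problems a reviewer should raise with the business owner."""
        out = []
        # RTO is bounded by MTD: recovery cannot be allowed to take longer
        # than the outage the process can tolerate.
        if self.rto_hours > self.mtd_hours:
            out.append(f"RTO {self.rto_hours}h exceeds MTD {self.mtd_hours}h")
        # RPO is the data-loss window, so the backup cadence must fit inside it.
        if self.rpo_hours == 0:
            out.append("RPO of 0h requires failover, not restore from backup")
        elif self.backup_interval_hours is None:
            out.append(f"RPO {self.rpo_hours}h set but no backup interval recorded")
        elif self.backup_interval_hours > self.rpo_hours:
            out.append(f"backup every {self.backup_interval_hours}h cannot meet "
                       f"RPO {self.rpo_hours}h")
        return out


def review(entries, scores):
    """Per-process report: RTO bucket, tier and findings.
    `scores` maps process name to its RPO + RTO score (an input here)."""
    report = {}
    for e in entries:
        score = scores[e.process]
        tier = assign_tier(score)
        problems = e.findings()
        if tier is None:
            problems.append(f"score {score} has no tier in the Impact Matrix")
        report[e.process] = {"rto_bucket": outage_interval(e.rto_hours),
                             "tier": tier, "findings": problems}
    return report


# Constructed sample: two rows echo the deck's pharmacy example, the third is
# deliberately inconsistent; the scores are assumed, not taken from the deck.
SAMPLE_ENTRIES = [
    DowntimeEntry("Maintain medication inventory", 72, 48, 12, backup_interval_hours=12),
    DowntimeEntry("Dispense medications as prescribed", 8, 4, 0),
    DowntimeEntry("Print discharge summaries", 24, 36, 4, backup_interval_hours=4),
]
SAMPLE_SCORES = {"Maintain medication inventory": 20,
                 "Dispense medications as prescribed": 40,
                 "Print discharge summaries": 11}

if __name__ == "__main__":
    for process, row in review(SAMPLE_ENTRIES, SAMPLE_SCORES).items():
        print(process, row)
```

Two edge cases are worth noticing in the output: an RTO of exactly 48 hours falls outside the "<48 Hours" bucket, and a score of 11 lands in the gap between Tier 5 and Tier 4, so both surface as findings rather than being silently rounded into a neighbouring band.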


How is a Business Impact Analysis Valuable to Your Organization?

The Bang for the Buck


BIA Value

• Risk Management and Risk Mitigation
  • A comprehensive BIA gathers information for recovery strategies to minimize potential loss

• Inventory
  • Mission and Business Processes are defined and prioritized based on impact
  • Information Systems are defined and mapped to mission and business processes
  • Workflows and data flows are identified

• Informed Decisions
  • Budgets based on impact to the business
  • Resources and dependencies defined (facilities, personnel, equipment, software, data files, system components, vital records, third parties and suppliers, interfaces, etc.)

• Disaster Recovery and Business Continuity
  • Prioritized Mission and Business Continuity Plans and effective downtime procedures
  • Prioritized system recovery strategies structured for RTO/RPO values


Incorporating the Results of Business Analysis into your Business Continuity Plan

Where the Rubber Meets the Road


Three Types of Alternate Sites

• Cold Sites are typically facilities with adequate space and infrastructure (electric power, telecommunications connections, and environmental controls) to support information system recovery activities.

• Warm Sites are partially equipped office spaces that contain some or all of the system hardware, software, telecommunications, and power sources.

• Hot Sites are facilities appropriately sized to support system requirements and configured with the necessary system hardware, supporting infrastructure, and support personnel.


How does a BIA inform Business Continuity Planning

Identify Preventive Controls

In some cases, the outage impacts identified in the BIA may be mitigated or eliminated through preventive measures that deter, detect, and/or reduce impacts to the system. Where feasible and cost effective, preventive measures are preferable to actions that may be necessary to recover the system after a disruption. A variety of preventive controls are identified in NIST SP 800-53.

Create Business Continuity Strategies

• Backup and Recovery Strategies
• Considerations for offsite storage facilities
• Alternate Data Center Sites
• Service Level Agreements
• Cost Considerations

Development of an Information System Contingency Plan

Realistic recovery efforts require a thorough evaluation of the resources required to resume mission/business processes as quickly as possible. Developing recovery priorities is the last step of the BIA process. Recovery priorities can be effectively established taking into consideration mission/business process, outage impacts, tolerable downtime, and system resources.

Plan Testing, Training and Exercises

Testing enables plan deficiencies to be identified and addressed by validating one or more of the system components and the operability of the plan. Testing should be conducted in as close to an operating environment as possible. Training for personnel with BCP responsibilities should focus on familiarizing them with BCP roles and teaching skills necessary to accomplish those roles. Functional Exercises allow personnel to validate their operational readiness for emergencies by performing their duties in a simulated operational environment.

Plan Maintenance

To be effective, the BCP must be maintained in a ready state that accurately reflects system requirements, procedures, organizational structure, and policies.


Upcoming Educational Events

October 24, 2019, 11am – 12:00pm CT: During this webinar, we will review how Enterprise Cyber Risk Management Software is enabling a major health system to maintain secure operations in today’s increasingly digitized care delivery environment. Register today!

October 30, 2019, 11am – 12pm CT: Register to join Clearwater for a live demonstration of the power of the best tool in the industry used by hundreds of organizations to perform an OCR-quality HIPAA Security Risk Analysis.


Thank You & Questions

Cathie Brown | Cathie.Brown@ClearwaterCompliance.com | 800-704-3394 | www.clearwatercompliance.com

Dee Cruit | Deidre.Cruit@ClearwaterCompliance.com | 800-704-3394 | www.clearwatercompliance.com


Pause and Quick Poll

3. Was the information in this webinar helpful?

Options: Yes / No / Good food for thought


www.ClearwaterCompliance.com

800.704.3394

LinkedIn | linkedin.com/company/clearwater-compliance-llc/

Twitter | @clearwaterhipaa


Legal Disclaimer

Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
