Resiliency is no longer a mere concept for healthcare organizations as they face the increasing prevalence of cyberattacks, rising incident response and recovery costs, and greater impact on patient care delivery and outcomes. An organization’s readiness to respond to a cyber incident can mean the difference between mitigating an attack early and recovering with minimal impact and creating a snowball effect that’s hard to recover from and impacts the business for years.
Take, for example, the 2021 ransomware attack on St. Margaret’s Health in Illinois, which contributed to its closing in mid-June of this year. The organization’s parent company, SMP Health, told news outlets that the attack prevented it from submitting claims to Medicare, Medicaid, or insurers for several months, directly affecting financial operations. That, coupled with staff shortages and pandemic impacts, led to its shutdown.
More than a third of healthcare organizations have indicated they’ve had a ransomware attack in the past year. Of those attacked, 65% said that cybercriminals successfully encrypted data, and a third of those chose to pay ransom to get their data back. Even then, less than 70% of encrypted data was restored.
Resiliency plans like disaster recovery and business continuity plans can equip an organization to respond quickly when a cyberattack is discovered, isolate and mitigate the threat, and minimize the downtimes of their systems—an integral component of patient care delivery. Now, more than ever, healthcare organizations must focus on both cyber resilience and its role in ensuring business resilience.
What’s It Mean to Be Resilient?
Paul Kirvan, a writer and business resilience consultant, defines business resilience as an organization’s “ability to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets, and overall brand equity.”
Kirvan’s definition hits all the right notes, but what does that look like in healthcare specifically? Quite simply, healthcare resilience is business resilience. Not only are healthcare operations about running a business, but the universal sacred mission to protect patients and deliver care can’t be met if the healthcare business fails.
Applying Kirvan’s definition to healthcare could look like this:
- Safeguarding people = patient safety
- Continuous business operations = care delivery
- Assets = patient data
- Brand equity = revenue/reputation
So, as a healthcare organization, how do you get there? That’s where your business impact analysis comes into play—it helps you understand your critical assets, functions, and procedures to build response plans and recovery strategies.
The Path to Resilience
A business impact analysis (BIA) should serve as the starting point for your resiliency plans, but note that a BIA isn’t solely for IT departments; it should also serve as a guide for operations and strategy across the organization. This is rooted in understanding the following five BIA components in order:
- Criticality: This is the cornerstone of a BIA and its role in informing your other resiliency plans—its job is to determine which assets you have and how critical they are in relationship to each other, including:
  - Critical business functions
  - Supporting processes
  - Resources and systems
  - Disruption impact
  - Downtime and recovery expectations
- Priority: This one is often missed but is critical to the success of your BIA initiative. After determining criticality, you should set priorities based on alignment to your organization’s mission. This means taking the feedback and inputs from various departments to the leadership team for their insights into how these processes and functions align with the mission.
  - Adjust criticality by scope, mission, strategy, and objectives
  - Set priority by evaluating criticality against risk
  - Use priorities for business unit and resilience planning, specifically response and recovery strategies
- Continuity: This is where you focus on how you’ll keep things running during an incident or downtime, ensuring you have the ability to keep your healthcare organization running through business continuity planning, business unit continuity of operations (COOP), downtime plans, and IT continuity plans – for example, alternate processing abilities, failovers, and redundancy plans.
- Response: This is how your organization will handle whatever problem is causing the disruption to your systems and processes. Consider how your organization focuses on handling an emergency, for example, ransomware or another type of cyberattack, including:
  - Business response (incident command systems, hospital incident command systems, emergency operations plans, etc.)
  - Business unit response (incident action plans)
  - IT response (dealing with outages and interruptions)
  - Cybersecurity incident response plan (CSIRP)
- Recovery: The final stage, recovery, is how you’ll restore operations to normal as outlined in your:
  - Business recovery (enterprise resource plans)
  - Business unit recovery (incident action plans)
  - Additional IT recovery plans
  - Recovery components of the CSIRP
Important Concepts for a Successful BIA
There are three key concepts that everyone should understand about the BIA process. These concepts help an organization quantify the dependencies and impacts of systems and processes to prioritize them accurately and objectively.
Maximum Allowable Downtime (MAD)
Also known as maximum tolerable downtime (MTD), MAD represents the duration a function can remain unavailable. For example, if a function cannot be offline for more than four hours, that becomes the MAD. The MAD plays a significant role in understanding the impact of taking a function or system offline. It helps us answer questions like: How long can we survive without this function? In the initial phase of the BIA, we assess the impact without considering any workarounds. This allows us to determine the maximum duration the function can be unavailable, focusing solely on the function itself.
Recovery Time Objective (RTO)
The RTO is the time within which a function must be restored after a disruption. As we assess that time, we must consider more than just recovering the systems; reassembling the staff, if necessary, counts too. For example, if it takes two hours to bring the system back online but an additional 30 minutes to reassemble the staff, the complete duration of two and a half hours is the RTO. The goal is to compare the MAD with the RTO and identify any gaps. If the MAD is four hours but the RTO is six hours, an RTO gap exists, and adjustments should be made to bring the RTO within the MAD.
Recovery Point Objective (RPO)
RPO focuses on the amount of data that can be lost before the function’s integrity is compromised. Unlike RTO, RPO is not about how long the function is down but about how much information can be lost. For instance, if a function relies on electronic medical records (EMR) and can tolerate a two-hour data loss, the RPO would be set at two hours. It’s crucial to assess the impact of data loss on the function’s continued operation when determining the RPO.
It’s essential to set appropriate ranges for qualified impacts and establish standardized buckets that align with the organization’s needs. By gathering accurate and consistent data from business units, we can tailor the impact ranges to match the financial realities of each department. This ensures that the financial impacts align with the designated tiers, such as RTO 0, 1, 2, 3, 4, or 5, and accurately represent the potential losses different business units face.
By establishing these standards and aligning them with the organization’s specific needs, we can effectively identify and address gaps in recovery capabilities and develop a comprehensive understanding of the financial implications associated with different functions and departments.
Outcomes of the BIA
You should aim to achieve specific outcomes while conducting a BIA. Above, we discussed how the BIA provides a comprehensive understanding of the critical aspects within the organization—let’s take a look at the components that comprise these critical aspects.
Critical functions, processes, and technologies
It’s essential to identify the organization’s critical functions, as well as the processes and technologies associated with them. These functions encompass the operational requirements necessary for the organization’s effective functioning, with a particular emphasis on those that are critical. The objective is to prioritize and focus on the critical aspects rather than attempting to address every facet of the business. Additionally, consider the supporting processes and technologies that align with these critical functions. It is important to acknowledge that technology plays a pervasive role in the healthcare industry. Therefore, we need to ensure a harmonious alignment between the specific technologies and the critical functions they support.
Relationships and dependencies
The next aspect to consider is the interplay of relationships and dependencies. While understanding dependencies is crucial, it is equally important to comprehend the broader context. For instance, when examining a function, it becomes essential to identify its dependencies, which are the prerequisites for its execution. This analysis allows us to assess the positive aspect of dependencies. Conversely, we must also consider the potential downstream impact if a particular function is absent. Acknowledging the complex relationships of critical functions across the entire spectrum is vital rather than viewing it as a straightforward dependency. These relationships encompass the intricate connection between various components.
Impact of disruptions
The next analysis should consider the impact of disruptions, “what happens if we lose that system or function?” Impacts can be categorized as hard or soft and discrete or non-discrete, depending on their nature. In other words, can we quantify or qualify? Quantifying involves assigning numerical values to the impacts, such as estimating financial losses of $10 million or identifying the need for five essential components to ensure functionality. By quantifying the impacts, we can effectively assess and prioritize them.
On the other hand, qualifying involves assessing the severity of the impact, ranging from minor to major, critical, or even catastrophic. This qualification helps us evaluate the significance of impacts that may not have easily measurable metrics or are challenging to quantify. Thus, our goal is to comprehensively analyze and understand the impacts of disruptions from both a quantified and qualified perspective.
The final step involves ranking all the identified elements based on their criticality and interrelationships. This ranking process can be approached through various factors, such as the element’s impact, its level of criticality, the duration required for recovery, and the number of components involved in the restoration process. Additionally, we consider the cascading effects that reverberate throughout the entire system. By analyzing this comprehensive dataset, we can effectively categorize these elements into tiers: Tier 1, Tier 2, Tier 3, and so on. This tiering system is commonly utilized, particularly in the IT perspective. Thus, our approach encompasses evaluating critical functions, examining relationships and dependencies, assessing the impact of disruptions, and ultimately prioritizing them based on their criticality.
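The RTO gap check described under Recovery Time Objective, together with the dependency and cascading-effect analysis above, can be written down as a small worksheet calculator. This is an added example, not Clearwater’s method or code from the article: the function names, hours, and the tier thresholds (effective MAD of 4h or less is Tier 1, 24h or less Tier 2, otherwise Tier 3) are constructed assumptions. It propagates each function’s MAD to its prerequisites, so a system that meets its own MAD can still show a gap once the functions that depend on it are counted.

```python
from dataclasses import dataclass, field

@dataclass
class Function:
    name: str
    mad_h: float                # Maximum Allowable Downtime, hours
    system_rto_h: float         # time to bring systems back online
    staff_rto_h: float = 0.0    # time to reassemble staff, counted in RTO
    depends_on: list = field(default_factory=list)

    @property
    def rto_h(self) -> float:
        """RTO covers systems and people, as the article describes."""
        return self.system_rto_h + self.staff_rto_h

def dependents(funcs, name):
    """Names of every function that transitively depends on `name`."""
    out, stack = set(), [name]
    while stack:
        cur = stack.pop()
        for f in funcs:
            if cur in f.depends_on and f.name not in out:
                out.add(f.name)
                stack.append(f.name)
    return out

def effective_mad(funcs, f):
    """A prerequisite must be back before anything relying on it hits its MAD."""
    by_name = {x.name: x for x in funcs}
    return min([f.mad_h] + [by_name[d].mad_h for d in dependents(funcs, f.name)])

def tier(eff_mad_h):
    """Assumed thresholds for the Tier 1/2/3 scheme the article mentions."""
    return 1 if eff_mad_h <= 4 else 2 if eff_mad_h <= 24 else 3

def analyze(funcs):
    """Per function: effective MAD, RTO, RTO gap (hours) and tier."""
    rows = {}
    for f in funcs:
        mad = effective_mad(funcs, f)
        rows[f.name] = {"effective_mad_h": mad, "rto_h": f.rto_h,
                        "rto_gap_h": max(0.0, f.rto_h - mad), "tier": tier(mad)}
    return rows

# Constructed sample: identity alone meets its 24h MAD with a 6h RTO, but
# EMR and pharmacy (4h MAD) cannot run without it, exposing a 2h gap.
SAMPLE = [
    Function("Identity/AD", mad_h=24, system_rto_h=6),
    Function("EMR", mad_h=4, system_rto_h=2, staff_rto_h=0.5, depends_on=["Identity/AD"]),
    Function("Pharmacy", mad_h=4, system_rto_h=1, staff_rto_h=1, depends_on=["EMR", "Identity/AD"]),
    Function("Billing", mad_h=72, system_rto_h=8, depends_on=["EMR"]),
]
```

Running `analyze(SAMPLE)` places Identity/AD in Tier 1 with a two-hour RTO gap even though its own MAD is 24 hours, which is the kind of hidden dependency the interviews should surface.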
What Makes It Good?
Here are some tips to ensure your BIA serves your organization well.
Engaged executive sponsorship and an enterprise focus. Don’t neglect to involve your board and establish accountability.
Ownership. Motivate those responsible for managing the assessment, ensuring they understand its significance. It’s often observed that the IT side of the organization is eager to complete the assessment due to their dire need for this information. Assign someone who has the authority and support from leadership to drive the process forward.
Maintain a focus on function. Remember that we are analyzing critical functions, not just systems or support functions. Recognize that some departments may encompass multiple business units, so it’s essential to split them based on function rather than relying solely on departmental divisions. Avoid treating tasks as functions. For example, managing payroll is an important task, but it is not a critical function. Stay aligned with the main functions during the BIA.
Maintain consistency. When gathering data from different business units, ensure that you ask questions with predefined standards in mind. Train interviewees to respond accordingly. During validation interviews, cross-check their responses against these standards. It’s important to have a clear understanding of MAD, RPO, and RTO.
Keep it simple but comprehensive. Don’t overload the interviewees with unnecessary details or tasks that are outside the critical scope. Create a list of critical components in advance and allow them to add any additional relevant information during the interviews. This way, you focus on the essential aspects and avoid overwhelming participants.
Updating the BIA is crucial, but avoid excessive frequency. Conducting the assessment every quarter may lead to reduced focus and less impactful data. An annual update is typically sufficient, supplemented by triggers that prompt updates when significant changes occur. Rather than viewing the assessment as a recurring cycle, integrate it into your ongoing operations. When new components arise, incorporate them into the BIA to maintain an up-to-date and relevant analysis. Incorporate trigger points and consider integrating updates into your change management system. Routine updates are still important, but with a reduced frequency.
Treat the assessment as a project and apply standard project management principles. Set milestones, establish clear objectives, and don’t underestimate the effort required. Running it as a proper project will yield better results.
Resiliency Initiatives That Use the BIA
Three major categories of resiliency initiatives serve your organization best when they utilize the outputs of your BIA.
Continuity planning: this initiative aims to ensure the uninterrupted operation of functions. It is akin to the organization’s immune system, focused on sustaining ongoing functionality rather than immediate recovery. This includes developing a comprehensive business continuity plan encompassing the entire organization and strategies for mitigating downtimes and preventing failures.
Response planning: response plans address incidents and emergencies. They involve effectively managing and resolving the problems that caused the disruption in the first place. This may include establishing incident command systems, action plans for cybersecurity incidents or even standard outage plans for IT-related disruptions such as data loss or internet downtime. The response plan is designed to guide organizations in handling emergencies and promptly resolving issues.
Recovery planning: these plans aim to restore operations to normalcy. This stage follows the response planning phase, where the organization has successfully maintained essential functions. The recovery plan includes a business recovery plan, incident action plans, and cybersecurity incident response plans, typically incorporating recovery components. It outlines the steps and strategies to transition from the continuity phase to regular operations.
The best resiliency plans integrate all three of these plans, so it’s crucial to ensure that they are compatible and complement each other during their creation, considering the interdependencies and potential challenges that may arise.
Preparing for Your Next BIA
If you haven’t conducted a business impact analysis before, or you don’t feel your previous BIAs have been as effective as they should be, consider working with a professional who can help set process scope and guide your teams. How long this takes will depend on various factors, including your organization’s size, the number and types of business units, functions, assets, services offered, and more.
For Clearwater customers averaging 10 business units, a typical BIA can take about three months: scoping and planning during month one, conducting interviews during month two, and finally, creating and distributing reports. The larger the organization, the longer the BIA takes to complete, with some lasting upwards of six months.