“The business impact analysis engagement with Clearwater surpassed our expectations. Beyond simply documenting the information required in order to begin creating a business continuity plan, this work facilitated a thorough comprehension of our business processes and the underlying critical capabilities that supported them. In all actuality, it would have been very advantageous for us to have done this project with Clearwater much earlier because now I have a much clearer understanding of my organization.”
– Jeremy Singleton, U.S. Anesthesia Partners Information Security Director
COVID-19 changed the world as most of us know it, both personally and professionally, and few industries have felt the breadth of its impact as much as healthcare.
As the need for healthcare services accelerated at an unprecedented pace and scale, so did changes to delivery models for getting those services to patients in non-traditional environments. With them came rapid adoption and acceleration of digital and telehealth services.
And, if we can take the past year into account as a measuring stick, these changes are likely here to stay. As a result, the healthcare attack surface is larger. Healthcare covered entities and business associates face a growing number of vulnerabilities and weaknesses that attackers are eager to exploit. We’ve moved beyond the traditional wall around healthcare internal IT infrastructure to more cloud and hybrid models, more software-as-a-service solutions, more remote teams, and more digital health services.
As these attack surfaces evolve and expand, many security and risk management teams struggle to keep up. They also face new and critical risks with supply chains and supply chain management, as well as increased reliance on these third-party vendors and business associates to deliver day-to-day core services.
On top of all of these challenges, the number of cyberattacks on healthcare, such as ransomware, is also skyrocketing, leading to record numbers of exposures as well as related compliance and regulatory fines, penalties, and corrective measures.
Sadly, what we’ve learned through many of these changes is that many healthcare organizations simply are not at the level of preparedness they need. Many don’t have the executive leadership and key stakeholder engagement they need to build truly resilient business continuity and related programs. Far too many don’t understand the real risk landscape for their organizations, and, as we’ve seen from commentary from the Office for Civil Rights (OCR), many struggle to conduct HIPAA-compliant risk analysis and ongoing risk management processes.
But there is a way to help healthcare organizations and business associates get to where they need to be, and it begins with a business impact analysis.
The Need for BIA
Why is a business impact analysis (BIA) so important? A BIA can help your organization better understand where you have risks and what you need to prioritize now, and, in the longer term, it can help you improve your operational resilience.
Like many healthcare organizations, our customers at U.S. Anesthesia Partners (USAP) have committed to improving and evolving their approach to BIAs and the role BIAs play in operational resilience, cybersecurity, risk management, and compliance.
The question often front-of-mind for organizations is if they can successfully respond to disruptions – for example, a cyberattack or other security issue.
The answer for many organizations is subjective, as it once was at USAP, where executive leadership and program managers had very different ideas based on very different goals, objectives, and priorities.
“We all knew that we needed to have an objective way to figure out which processes that we wanted to invest the time to do continuity planning,” Mike Spies, USAP CIO said. “What we talked about a lot was that the business impact analysis really reached into the business, but it wasn’t enough to just engage the business, we also had to engage our teams.”
Spies said everyone at USAP understood continuity planning was important, but people were split about what that actually meant in terms of preparation.
“For some, it was a complete focus on disaster response planning with the thought that if we are prepared for a disaster, then we’ve got our continuity plans and there’s nothing left to worry about. We’re prepared.”
But the reality for USAP, as other healthcare organizations have learned from recent ransomware attacks, is that even with the best forethought, planning, and testing, one successful cyberattack can cripple an organization.
USAP understood it needed plans to respond to and recover from disruptions, but team members also knew that to protect the business, it had to incorporate key business objectives, like understanding Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), and the role response plans play in achieving important milestones.
“This is where BIA really shines,” Spies said.
The BIA for USAP
For USAP, that business impact analysis meant analyzing more than 30 processes and understanding operational impact as well as interdependencies to discover which processes were most critical for response and recovery and where to prioritize time and effort first.
To get started, USAP conducted cross-team interviews to learn more about the processes and to educate its team about the role of disaster response and business continuity in its success.
At first, some team members focused only on the processes directly involved in their systems; the thinking was highly system-focused. Over time, they were able to break through and refocus on the understanding that the BIA wasn’t about systems; it was about the work and processes each team did. From there, they had to narrow those down to roughly the five most critical processes and where each fit in the larger resiliency picture.
That gave the BIA the right context. The organization could better understand which system supported which process and how. That then helped put into focus the impact of loss of any of those processes from both qualitative and quantitative perspectives.
“That’s been helpful for us to know what the expectation of the business is in terms of the recovery time and recovery point,” Spies said. “And now we can go back and shore up some of the systems that we have to make sure we meet that and even close the gap if we can. But now they’ve got the proper context.”
Critical Success Factors
Looking back at the evolution of business impact analysis for USAP, Spies notes several important success factors such as:
- Better understanding your organization
- The value of utilizing BIA tools and templates
- The implementation of the BIA process
- Accurately documenting and capturing findings in a comprehensive BIA report
All of these things also help build that important engagement factor of getting executive leadership support.
USAP also had additional support and momentum through its private equity partner, which has specific cybersecurity standards it expects the organization to meet, including having business continuity plans in place and tested at least annually.
Another critical success factor for USAP was the value of pre-work used for those cross-departmental interviews (including with executive leadership) and determining critical processes for the organization.
At USAP, this consisted of a survey about roles and responsibilities. The surveys were designed to take about an hour for each interviewee to fill out. The team then spent about another hour with each interviewee going through the responses in an interview.
This pre-work kept goals and objectives top of mind and established a common understanding before the interviews began.
“It laid the groundwork for this,” Spies said.
This pre-work and the interviews also carried over into other leadership team meetings, which generally happen on a weekly basis. They helped shift the focus away from getting bogged down in technical IT details and toward the work and processes, framed in a way the leadership team understood and could relate to.
“My airtime mostly was around the fact that we needed to have our systems be reliable, but it was also their responsibility to make sure they can run the business if these things were disrupted,” Spies explained.
Now, on a regular basis, he is able to give leadership updates about plans, how they’re put in place, and how they will get structured along the way.
“I think that just making sure they understood, and again that they got in that whole chicken-or-the-egg conversation, because there were some folks that just felt like this was an IT responsibility, but through education and knowing the difference between a disaster recovery plan and a continuity plan and how those work really helped distinguish them so they knew what we were responsible for,” Spies said. “And it is about making sure we had disaster recovery plans and that the plans met the expectations of the business and that the business could define and set those.”
This helped emphasize how a business impact analysis is a business exercise.
“The engagement that we got was outstanding,” Spies explained. “And now I think they see the process and we’re now moving forward to actually working with you to build out the continuity plans. We’re seeing they’re going to reap the benefit of the strong data that we captured. That’s going to accelerate efforts.”
An Objective Approach
If your organization is looking to improve your business impact analysis and move toward similar milestones as USAP, first consider prioritizing your functions and processes to meet your organization’s mission. USAP collected valuable information like this through those pre-work surveys and interviews.
For your organization, this should lead to an understanding of all of your primary business functions and the business processes that support them. You should also be in a position to understand the qualitative and quantitative impact to your business if you are unable to perform a given process, rather than simply whether a system is down.
Here’s an example. Let’s say your finance and accounting team can’t run payroll. Here are a few questions to consider:
- What is the impact of not running payroll on your business?
- What does that impact look like in dollars and cents?
- Then, once you understand that impact, which resources must you have to complete that function both from a qualitative and quantitative perspective?
“I think during the interviews, that really helped people to prioritize their functions,” Spies reflected. “When we put it all together, we were really able to look at the big picture.”
In an example like this, that might include working with your CFO to determine the high and low ranges, in dollar amounts, of the quantitative impact of not being able to run payroll. Sharing those numbers can help your organization better understand the scope of that impact.
Once you understand the functions and impact, then it’s all about determining which resources you need to support those critical functions and processes, such as the right people, technology, services, and equipment.
Looking back at USAP’s journey and toward the future, Spies recommends that others working on their business impact analysis allow enough time for the entire process: pre-work, interviews, reviewing information, documentation, and developing a comprehensive report.
It’s also important to take into account that most, if not all, of your team members have other responsibilities and objectives. Can you be flexible with them about the time involved in completing the pre-work and attending the follow-on meetings and discussions?
Another important takeaway is how vital it is to build involvement and ownership, especially with your executives and key stakeholders. Secure program sponsors, ensure they are involved, and make sure they understand your goals and objectives and how these tie in to the organization’s mission and goals.
In the end, your business impact analysis should help accelerate and mature your business continuity planning by ensuring proper scope and due diligence.
“I think we’ve become a very resilient workforce and we take pride in that,” Spies said, “but we’re not going to want to figure out how to do some of the stuff under duress of an incident.”
Need help with conducting an effective business impact analysis? Clearwater can help you structure and facilitate your next BIA including the ability to capture information with an objective viewpoint, understand what your critical processes are, and deliver comprehensive BIA results in an objective way. Contact a Clearwater advisor for more or go deeper with Mike Spies about USAP’s BIA experiences in this on-demand webinar, “Business Impact Analysis in Action at USAP.”