To quote Warren Buffet, “it takes 20 years to build a reputation and only 5 seconds to destroy it.”
It’s a truth the people at Common Spirit, one of the largest nonprofit health systems in the U.S., will likely soon be attesting to. They were the target of a recent ransomware incident that brought their facilities to a standstill in multiple states, shuttered patients’ ability to contact clinicians and providers, and resulted in nefarious actors gaining access to patient electronic health records and other personally identifiable information.
It’s every healthcare organization’s worst nightmare. And an area that holds particular challenges in the healthcare industry.
Nearly every business can expect a cyberattack at some point. Still, advanced planning from a business continuity, disaster recovery, and crisis management standpoint can help mitigate some of the worst impacts.
Does your healthcare business have a plan for its next cybersecurity incident?
Here’s what you need to know.
3 Things Healthcare Organizations Need to Know About Business Continuity
1. Business continuity planning is not the same as emergency management.
“We don’t need a business impact analysis. We just need you to come in and create some business continuity plans, kind of like our emergency management plans.”
It’s a common misunderstanding I often hear from new healthcare clients. They think business continuity planning is simply tacking on to their existing emergency management plans, like luxury upgrades to a vehicle.
Here’s how the two are different. And why it matters.
Emergency management, or crisis management, is about managing the disruption—what to do when things catch on fire, a mass casualty event, or the power goes out, for example. When your pharmacy burns down, your emergency plan is calculated to help you find the drugs you need to meet critical patient needs and triage the situation until you find a permanent fix.
Business continuity is about planning for the disruption before it happens and takes a primarily offensive approach. It helps you anticipate and understand your most likely disruptions, your dependencies, and your capabilities around those disruptions. Then, it helps you create a plan to make those dependencies more resilient so you can manage the next emergency smoothly and with as little disruption as possible.
With a business continuity approach to our burning pharmacy example, there is no last-minute scramble to find the critical drugs your patients need; you’ve already stockpiled supplies in an alternate location, have agreements with nearby pharmacies to fill orders, and know which critical vendors have the capability of quickly replenishing your supplies.
Along with misunderstanding the difference between business continuity and emergency management, many healthcare organizations underestimate the importance of the research phase of business continuity planning – the business impact analysis.
Suppose your business continuity plans ensure you have the snow chains to get you through the blizzard. In that case, the business impact analysis is the assessment of alternative routes, your vehicle’s condition, and the need for additional equipment so you have the chains when you need them, or better yet, can make an informed decision that doesn’t require you to face those adverse conditions at all.
Many inputs – weather, construction, traffic patterns, and your vehicle’s capabilities – are required to create an informed roadmap to get you safely from point A to B. Similarly, an effective business continuity plan is only as good as the data that informs it. This requires a thorough evaluation of your company’s critical systems and processes, dependencies, and current resources and redundancies for responding to a disruption.
2. Don’t underestimate your dependencies.
By the time a patient confers with their doctor, they are at the tip of a very long spear. Layers of technology, staff, physical assets, and other elements must work together to get the end healthcare service to its target patient.
The many components involved in healthcare delivery include things like:
- Electronic medical records systems
- Medical device software
- Vendors who provide claims authorization, management, and collection services
- Medical suppliers, like oxygen delivery and pharmacy products
- Support staff, including nurses, receptionists, and medical transcriptionists
- Real estate and other capital assets, like ambulances, CAT scanners, and MRI machines
The interdependencies between these various elements are increasingly complex and often poorly understood. Business continuity planning aims to uncover these dependencies and their ripple effects so healthcare businesses can better prepare for disruption.
3. The stakes are higher than you know
Surprisingly, the healthcare industry in the United States is relatively unregulated regarding business continuity and crisis management requirements. But like many other areas in which the U.S. has followed in the steps of its more highly regulated counterparts in the EU–like finance and data privacy rules—it’s coming.
And for a good reason.
It’s hard to imagine a form of data any more sensitive than healthcare. This highly personal and private information informs our health and medical care and is also affiliated with other personally identifiable and financial information. It’s a lucrative and sought-after target for determined adversaries who seek to use it nefariously or profit from its blackmail.
These risks will only be magnified as the healthcare industry continues to grow in its dependency on technology. Electronic medical records, telehealth operating systems, payment and revenue applications, along with medical technologies like imaging, robotic surgery, and implants controlled by software are all vulnerable to cybersecurity threats. Healthcare businesses must adopt a forward-thinking approach to protecting this highly sensitive data to protect both their reputation and bottom line.
Bryghtpath has worked extensively with healthcare technology companies, revenue cycle organizations, insurance providers, hospital & clinic providers, and other healthcare-adjacent businesses to build resilient organizations.
Our work has included all aspects of resilience, including business continuity, crisis management, crisis communications, and cybersecurity response planning.
How Healthcare Organizations Can Prepare for Disruption
Assess
The first step in preparing your healthcare business for its next cybersecurity breach or disruption is to evaluate your current capabilities, along with the likely impacts of disruption, through the business impact analysis. This usually includes a review of your existing documentation, including your current response plans and capabilities, along with your enterprise crisis management framework.
Plan
Once you understand your baseline and what you want to achieve, you can begin working with your internal teams to craft specific, actionable checklists for their areas of responsibility. These should clearly outline the roles, responsibilities, and interdependencies of each team during a response. In addition, you should work with your internal teams to clearly define engagement requirements and interactions with external resources, such as outside counsel, public relations firms, and other third-party providers
Exercise
Once you’ve built your business continuity plans, you should exercise those plans to both validate them and build confidence and muscle memory for the teams who will exercise them in response to a disruption. This can start with a simple walkthrough or tabletop exercise. Over time, exercises can progress to multi-day simulations designed to stress all aspects of the response, including crisis communications, business continuity & disaster recovery, executive decision-making, and the integration of specific third-party service providers into their response process.
Mature
This is perhaps the most underrated and important part of the business continuity life cycle.
Your business continuity plans should incorporate a review and update at least annually, in addition to after each incident and exercise, to identify key learnings and implement improvements to your crisis management and cybersecurity incident response process.
Want to work with us or learn more about Business Continuity?
- Our proprietary Resiliency Diagnosis process is the perfect way to advance your business continuity program. Our thorough standards-based review culminates in a full report, maturity model scoring, and a clear set of recommendations for improvement.
- Our Business Continuity services help you rapidly grow and mature your program to ensure your organization is prepared for the storms that lie ahead.
- Our Ultimate Guide to Business Continuity contains everything you need to know about Business Continuity.
- Our free Business Continuity 101 Introductory Course may help you with an introduction to the world of business continuity – and help prepare your organization for your next disruption.
- Learn about our Free Resources, including articles, a resource library, white papers, reports, free introductory courses, webinars, and more.
- Learn more about our healthcare industry experience
- Set up an initial call with us to chat further about how we might be able to work together.
How to Maximize Your Business Impact Analysis (BIA)