Speaker 1: You are listening to Your Practice Made Perfect, support, protection, and advice for practicing medical professionals, brought to you by SVMIC. Renee Tidwell: Hey, everyone, welcome back to Your Practice Made Perfect. My name's Renee Tidwell and I'm going to be your host for this episode. In today's show, we're going to be discussing business continuity plans, what they are, why you need one, and how you can create one fairly easily. To walk us through this conversation, we've got Bill Dean with us. Welcome, Bill. Bill Dean: Good morning. Renee Tidwell: I'm glad to have you today. Before we get started, why don't you start by telling us just a little bit about yourself? Bill Dean: Sure. Well, first, thank you for allowing me to speak with you today. My name's Bill Dean. I am currently a shareholder at LBMC Information and Security. I work in our risk services division. I've been here about six years. Prior to that, I worked for a firm called Sword & Shield Enterprise Security in which we worked on sub risks. Prior to that, I actually spent 10 years with East Tennessee's largest healthcare provider. Renee Tidwell: Great. Let's go ahead and get started if you don't mind, and I'd love to start out with just a little bit of background information on what exactly is business continuity. Bill Dean: Sure. Well, business continuity, disaster recovery, those terms are used interchangeably. We'll kind of speak to them as they're somewhat the same. But overall it's just the ability to conduct business, or for most of your listeners, to provide patient care if technology's not available. So we rely so heavily on technology from every aspect of our lives. When it's not available, sometimes we've forgotten how we used to do business. That's what business continuity actually is. If technology's not available, can we still conduct business and more importantly, can we provide patient care? Renee Tidwell: So talk about that just a little bit more if you don't mind. You said disaster recovery can sometimes be used kind of the same as business continuity, but they're same. Do you mind kind of explaining a little bit what the difference in those two things are? Bill Dean: Sure. Disaster recovery is many times the short-term fix to the problem, whereas business continuity is the overall macro of, okay, long term, how are we going to conduct business? How are we going to bill? How are we going to pay our people? How are we going to provide patient care? The disaster recovery aspect of it is how do we recover this system from a step-by-step perspective, or how do we access this data in a different way? So the disaster recovery are the processes to build into the overall business continuity objective. Renee Tidwell: Okay. I hear a lot about the cloud. What kind of role does that play in business continuity? Bill Dean: The cloud started off actually for business continuity or disaster recovery. What organizations would do is say, "Well, we don't want to have another data center. We don't want to have another set of systems that we're going to leverage if something happens to these." So cloud providers began providing that offering. You can host your systems in our data center, which is not yours. You can have your applications here. And so while they were getting some efficiencies from a disaster recovery perspective, probably 8, 9, 10 years ago the evolution began to where people were actually moving their business processes to the cloud. So Office 365 is probably one that most everyone is aware of. Why do we need to maintain our email systems in-house when we can just have Microsoft take care of that for us? Which you kind of get a really good deal there because you're not having to make the capital investments for the people and the processes and the technology to host email. You just pay Microsoft a monthly fee to do that, which is great. So you've taken your CapEx expenses and you've turned it more into operational expenses. The potential downside that we've seen, and I'll go through some examples of this probably a little later in the discussion, is what if Microsoft's not available? Now you don't have any other options. So you now have to find other ways to send email if your email systems aren't available. A recent example, I think last year, Kronos, which is a large payroll provider for a lot of organizations, they are completely cloud-based. Most organizations aren't doing their payroll local anymore. It's happening within Kronos' cloud. Kronos' cloud was hit with ransomware, right toward the end of the year. Its businesses really had to find a way to pay their people, and that was a really big deal at that time. So what started out is our systems are now going to be in the cloud or disaster recovery systems. We've completely surpassed that and we have critical applications that are just cloud-based, which provides the potential point of failure there. Renee Tidwell: That's pretty interesting. It sounds like a lot of this cloud-based stuff started before the pandemic, but I'm guessing the pandemic brought a bunch of changes to business continuity approaches. Can you talk about that just a little bit? Bill Dean: It did. It was really interesting. So disaster recovery, business continuity, leading up until the pandemic, of course, a lot of things changed to the pandemic, but the focus was on our EMR system. So Cerner or McKesson or speaking from a healthcare perspective, those systems in our data center, we need to be sure that that's going to be available. We need to be sure that it's going to be accessible, that we can conduct patient care. Or maybe if you're using Cerner or another EMR that's in the cloud, the focus was on being sure that the application was available to the users. Well, when COVID occurred, we realized that we can have all of those applications available, but if our users and our clinicians cannot access that, it really doesn't matter. So what COVID did is it expanded the realm of the need for business continuity not to just include your mission critical systems, but also the users that are going to access it. So a lot of organizations, even if it was cloud-based, you still had to be in the office to access it or you had to have a specific type of system. Well, in March of 2020, I think, I've lost track of time it's been so long at this point, we sent everyone home and the safeguards that we had in place to access those cloud systems, the cloud systems were still available, but the users didn't have a way to access them. They didn't have work laptops or they didn't have the particular security controls in place. We realized that the realm of business continuity includes the users, not just the applications themselves. Renee Tidwell: So it sounds like there's a lot involved with that. I'd love for you to talk a little bit about just what are some of the commonalities between business continuity and cybersecurity. We hear a lot about cybersecurity right now. You already kind of touched on ransomware a little bit. Talk to us about what are those commonalities there, how do they each affect each other or impact each other? Bill Dean: So in our risk services practice, I actually lead our technical services group. So we do incident response services, penetration testing, those types of things. Through the pandemic, what really became popular with organizations of all sizes were to do tabletop exercises, specifically incident response tabletop exercises, and this plays into disaster recovery really nicely. So I had a lot of disaster recovery experience working in healthcare. Then I began working in cybersecurity and working in incident response during the tabletop exercises specifically with ransomware. So ransomware is similar to a situation in which your systems are not available. So the old school disaster recovery was fire, earthquake, flood, hurricane, whatever that is, that our systems are physically not available, we can't conduct business. Ransomware is a cyber attack that makes your systems unavailable. Either one of those scenarios leads you to the same spot. Your systems aren't available and you have to conduct business. So through these tabletop exercises, and I probably conducted 60 of them or have since COVID, real quickly, if you had a cyber attack that took down your systems, you were in the same situation that you had a fire or a flood. So the disaster recovery teams, your technology, your expertise, and your incident response and cybersecurity teams had to work very closely together to bring the systems back up again. So that convergence was really interesting. Most people consider cybersecurity to be data theft, which is completely accurate. We know about Target and Home Depot and we lost credit card numbers, and healthcare was a large target in which we were losing patient records or they were being taken and sold on the black market. The angle that ransomware brings is that disaster of business continuity in which your systems are locked up and until you pay the ransom, they're not available. So if it's a fire, flood, or ransomware, you're in the same spot and the same teams need to be working together. It's the same processes. Renee Tidwell: It feels like there is a lot that goes into this, and I know for me, it feels a little overwhelming sometimes to think about what exactly does a business continuity plan look like? What things do I need to have in it, and how can I tackle creating a business continuity plan? Walk us through a little bit like where would I even start to build a business continuity plan? What does that actually look like? Bill Dean: Sure. Well, with most things technical, those of us that have worked in technology for a while, we really overcomplicate things. This does not have to be as complicated as what we try to make it. If an organization or an office just looks at their critical business operations and pays attention to the day-to-day as to how they're leveraging technology, that's a start. So figure out your critical operations. So for instance, writing prescriptions and fulfilling prescriptions or providing patient care is much higher on a level as to something that's monitoring the Coke machine as to whether or not it's running out of refreshments. So looking at the systems and understanding the workflow as to what you're needing and it's called a business impact analysis. Look at your systems and tier them. These are the systems that we really need to have operational for us to conduct business and for us to provide care to our clients. Then once you've identified those different tiers, the users, the systems, the applications, then the next step is say, "Okay, well, let's walk through some different types of scenarios. They would impact the availability of those devices." So whether it's a ransomware attack, or whether it is a hardware failure, or whether you have an internet outage, or fire, flood, earthquake, whatever those are, let's think about the ways that would impact our ability to leverage that technology. Then what you do is you say, "Okay, how would we work around that? What are the steps that we can put into place to recover the operations or to get aspects back?" But not every system or application has the same priority. With that, you have to have communication plans. So COVID, we'll use that as an example. So when all the users went home and they needed to access Cerner, what they realized was we can't access Cerner. We have to have a way to communicate with the users to say, "Okay, use your home computer. Go to this website, authenticate here." So identify your critical systems, figure out what could happen, communicate the processes people need to follow to get the systems back available or to access the systems. And then long-term have that backup plan of Kronos, for example. They were down for weeks. What some organizations had to do was say, "We don't have any control on bringing that back up. How can we do things? How can we go back to paper?" So when I worked in healthcare, that was always a big thing. If the systems aren't available, we need to have paper charts. So having the processes to be able to sustain a short outage with a long-term plan of what are we going to be able to do long term. Renee Tidwell: So it feels like once you get that plan in place, I know you talked earlier about leading these tabletop exercises and that sounds like a great opportunity to test out a plan, but are there any best practices that you recommend for how often to reevaluate or test out your business continuity plan? Bill Dean: On an annual basis is probably enough because whether you're running a tabletop exercise for a cyber incident or an outage, it's a high stress, similar situation. It takes a lot of mental energy to go through that. Renee Tidwell: Right. Bill Dean: An annual basis, in my opinion, is sufficient, with the exception of major changes. So let's say you're using application A and the tabletop exercise revolves around how do we pay our people if the online payroll provider is not available? If you switch out that payroll provider, then you may want to do another one because sometimes it can take eight or nine months just to remediate the findings from the tabletop exercise to test it again. So an annual is probably very good. You can do small ones maybe on a quarterly basis if you want to test something specific. And keep them short, short meaning a two-day event is not going to make any friends. Two hours, two and a half hours, just walk through the conversations. I find that to be most valuable in the time that I conduct those. Renee Tidwell: It sounds like you've got a lot of experience, and I'm guessing with that comes some stories you've got up your sleeve. Do you have any that you can share with us from your experience? Bill Dean: Well, unfortunately, I work in cybersecurity, so I'm not a motivational speaker, but I do have stories. Healthcare in particular. I can definitely speak of one that was in the news of a healthcare organization that was actually hit with ransomware. And so when I worked in healthcare, we would fail over our systems to be sure that everything would work, and it was planned. We knew that it was coming. We had all the resources available. We knew what our obstacles were going to be. We could print out the needed charts for ER or whatever that was to prepare for that failover. The attackers don't give you a heads-up when they're going to infect you with ransomware. So this healthcare organization was hit with ransomware, and it really took them quite a bit of time. They had to reschedule a lot of critical care. They had to rely on some other healthcare organizations to do telehealth. They learned that they had to really bolster their cybersecurity posture quite a bit compared to where they felt that it was before, and it had a true impact to their patient care. That's the last thing that we ever want as healthcare professionals or those that work in the industry, is there are a lot of things that we can kind of do without, but being able to provide on-time patient care is not one of those luxuries. We have to be able to do that. And it really impacted them greatly. And so I'd hate to see anyone go through that, but the organizations that we have worked with that have experienced ransomware attacks, once it's you're complete with whatever had to occur to recover, you are better because of it, because you learned a lot of things. Again, going back to the tabletop, that's why I strongly recommend organizations do tabletop exercises in a safe environment to where they kind of prepare for it if it were to actually happen. My opinion is that the reason I keep weaving the cybersecurity aspect into it is the opportunity for most organizations to experience a ransomware attack is much higher than what it's going to be for an earthquake, fire, or a flood. And so preparing for a ransomware attack will actually prepare you for some of the other things. I don't know if this organization had done those in the past, but the organizations that I see that do prepare by doing the tabletops, they're much better prepared than those that do not, obviously. Renee Tidwell: Wow. This has been pretty interesting and I'm sure very helpful for our listeners. Before we wrap up, are there any last minute tips or advice you want to leave us with or any other stories? Bill Dean: Yeah. A tip would be if you develop a plan, disaster recovery plan or business continuity plan, don't just write a plan and save it and everyone sign off on it and agree that it's good. If you don't test it, it really doesn't matter. If you think the plan is good, then you may be a bit naive. You need to test it. The best plans that I've reviewed before doing tabletop exercises found that there's a lot of different ways to improve it. So it is a continuous process and you get the benefit of both initiatives, of disaster and cybersecurity, by developing your plans, testing your plans. That will just make any organization better prepared for something that's going to be extremely difficult to go through if you're really not prepared at all. Renee Tidwell: Bill, are there any resources that our listeners could go to help them get started or to create a business continuity plan? Bill Dean: Sure. Most everyone that's listening, they have technical resources available to them. They're the ones that are maintaining the day-to-day for them. Whether it's outsourced, if it's a smaller practice or a large hospital, you have technical resources that are familiar with these needs. Start off by asking them, especially if it's a third party that you're relying on. "Do you have other clients that are going through disaster recovery planning? Can you work with us to develop one?" Because you're going to rely on those people to do that. The same thing with large healthcare organizations. Every IT person has this in the back of their mind working with them, which is key. Because if you allow the business to come up with a plan and not involve technical, or the technical groups to develop a plan and not consult with the business, it's not going to work out well. That gives an opportunity for everyone to work together to be sure that they're on the same page and there's no surprises. And NIST, which is a government organization that provides a lot of guidelines. If someone will just Google NIST disaster recovery and business continuity, they have very detailed plan examples and lots of documentation on the best ways to test and develop those types of plans. Renee Tidwell: Great. I'll get that link and we will link that in our show notes for today's episode. It sounds like business continuity planning is a great opportunity for just different groups within an organization, practices, hospitals to work together to make sure that the business and that life can go on if a disaster does occur. So we've really appreciated everything that you've shared with us today. I know I've learned a lot that I can take back in my role. And thank you. Just thank you for being here and sharing that information with us. Bill Dean: Thank you again for having me. Renee Tidwell: Absolutely. And with that, we're going to say goodbye. Thanks for listening. Speaker 1: Thank you for listening to this episode of Your Practice Made Perfect. Listen to more episodes, subscribe to the podcast, and find show notes at svmic.com/podcast. The contents of this podcast are intended for informational purposes only and do not constitute legal advice. Policyholders are urged to consult with their personal attorney for legal advice as specific legal requirements may vary from state to state and change over time. All names in the case have been changed to protect privacy.