Conference Session Recap: Improving Cybersecurity Management with a Business Impact Analysis


My colleague, Edward Henry from Princeton Healthcare System, and I had a great time talking with the audience at NJ/DVHIMSS last month. Our topic seemed to have struck a chord and the questions and reactions after the session have reinforced the need for business impact analysis in our healthcare organizations.

So, I thought we’d provide a brief recap of the salient points from the presentation and the follow-up questions we’ve received since. If you want to build a solid foundation for your business continuity and incident response program, please read on.

If you would like to download your own copy of our session slides, you may do so here.

Or, if you want to talk about your specific BIA concerns and questions, you can catch me here.

Point #1: BIA reveals cybersecurity impact

Effective cybersecurity management is critical to mitigating and minimizing the impact of an attack – financial, legal, compliance, productivity, reputation – even protecting your patient’s wellbeing. The BIA discovery process helps you inventory organizational risk and all systems potentially affected.

The BIA determines metrics related to impact, including:

  • Maximum Tolerable Downtime (MTD)
  • Recovery Time Objective (RTO)
  • Work Recovery Time (WRT)
  • Recovery Point Objective (RPO)

Point #2: BIA highlights 4 revelations

1. Maintain a current system/application inventory

2. Time of day matters

  • Consider the differences in days/times as they related to patient volume

3. Set realistic restore times

  • Account for data integrity validation, manual entry, and other workflow-related items necessary before resuming full system use

4. Determine interface decisions

  • Can systems be utilized without feeding interfaces being up?
  • In what order should interfaces be restarted once operational?

Point #3: Effective BIA examines downtime processes

A BIA isn’t complete without examining downtime processes and ensuring that priorities are defined and procedures are clear. Three areas are particularly critical:

  1. Secure disposal of sensitive data, including paper
  2. Access control – will certain resources need additional system access to assist during a downtime?
  3. Data classification – prioritize classification based on the data type (confidential, sensitive, internal or public), as well as based on the threat response e.g. breach, ransomware, etc.

Point #4: Engage leadership to ensure organizational depth & breadth

The BIA process should reflect organization-wide priorities and interdependencies. In particular, three areas should be reviewed and considered:

  1. What could impact patient safety? – ask this of every system, not solely clinical systems
  2. Quantify business impact – hard costs vs soft costs
  3. Restoration priorities – examine resource allocation priorities, departmental dependencies and IT resource capacity

Together with BluePrint Healthcare IT, the Princeton HealthCare System defined a BIA to govern
future business continuity decisions, as well as accomplish key goals to improve their cybersecurity approach and processes. Ultimately, we created a comprehensive business continuity plan that prioritized their work effort and unified their ERP process.

If your organization wants to better define cybersecurity priorities and foster organizational alignment to optimize business continuity and recovery capabilities, BluePrint Healthcare IT can help you develop the crucial “skill-set” every healthcare organization needs today.