So welcome back, you cyber a tornado chasers and hurricane hounds to our next lecture in the implementing a HIPPA compliance program for leadership Siri's. And this lesson is on business continuity and disaster recovery. Or, if you want to sound really important when you talk about it, B c D r. I just call it the plan that when stuff breaks and you need to get things back up and running so you can keep your day job
and payroll while they can print everybody's paychecks and that really important computer stuff in the back room.
Well, those computers can make worrying fan noise again. And there's a bunch of blinky lights and some of those lights or even green colored instead of red. You know the cool stuff.
Okay, you continuity cosmonauts. Today's lecture is about a very important concept to any security program, but of critical importance when building out a HIPPA compliance program for your health care organization, we're gonna review the core concepts around business and contingency planning, you know, kind of like the stuff they taught you back in elementary school when you were just a kid
that if a nuclear bomb goes off the safest place for the students is to crawl into your desk.
Well, I don't know about you, but I think our health care organization requires a little bit better emergency and data backup recovery plan than that. So we're gonna review today some of the required versus addressable components of contingency planning with the hippy security rule. And we're gonna look at some of the fundamentals of data backups like R. P O S and R T. O S. And if you're a Star Wars fan, three pos,
we're gonna break down the difference between threats to our data versus risk to our data.
And we're gonna talk about planning and practicing our business continuity and disaster recovery plans. They're really fun and useful to perform as a team tabletop exercises. So if you're ready, let's get this rocket off the ground already.
So for most of us during our workday, the closest we're ever going to get to BC DRS toe having to run control, all delete and recover our computer at the speed of windows. So, like 14 hours later, we're back in our spreadsheet before our HIPPA compliant health care program. We need to maintain several other programs to improve our critical systems, including vulnerability management, device hardening, risk management
and contingency planning and business continuity and disaster recovery.
So, in this case, for our hippest system, well, we need to maintain are protected health information controls and our electronic health system controls in case of an emergency or outage. The hippest security rule has several components listed as required for our security program, including that we have a documented
and keep maintained, a data backup plan, a disaster recovery plan
and an emergency mode operations plan. So basically, our health care organization needs to be sure we can still maintain our critical health care capabilities and maintain our e p h i systems when problems arise, including backing up our data, recovering our data and the HR systems in this case of business or economic disaster
that we can run those systems in an emergency mode,
and we will define that here in a bit. And we need to address or what HIPPA calls addressable testing procedures version in controls and documenting our systems on how our organization assesses the criticality of systems when emergency occurs. What systems have to stay up in operational when an emergency really does hit us.
We take a lot of risk by choice in the security industry, you hear the term risk acceptance, which is why we roll the dice and accept the risk of a threat were ever to really happen. But there a risk that we have to prepare for, like our data center catching fire or tornado wipes out our headquarters. Or we were the victim of a denial of service, cyber attack and if he starts, were ever realized.
How do we first prepare for the risk to our organization?
Mitigate those risks or minimize them and plan accordingly If the worst were to occur? Well, there are seven key steps to business continuity, planning and continued operations. The first one while we establish a planning committee. This is an important team that has to be made up of key stakeholders in the organization
where every critical business department is represented from I T T Human resource is in accounting.
If we rely on that department for critical business operations, that department must be represented. And once we have built this team, we perform a business impact analysis What I prefer to call it business impact assessment. A business impact assessment evaluates the threats to our business inside outside accidental or intentional
technical and environmental, and then assesses the impact of the organization if the threat is realized.
If a tornado wipes out our data center, what is the financial impact? The reputation impact, employee impact client impact, etcetera? Thebe I A looks across all critical components of the organization and risks and evaluates them based on their likelihood.
So now that we have our arms around our threat store enterprise and the rest of the business, if any of those threats were to occur, our next move is to do everything we can within our human and financial capital to minimize those risks. And this will make our job much easier. So when we have a power loss or water has damaged to a critical server,
well, our lives got easier because our attack surface is smaller. So the damage to our systems is smaller,
and thus the recovery is gonna be that much faster and much easier. So we begin to craft our continuity strategies on what systems are critical and what the downtime is going to be that we need to have to make sure that we can survive and what our recovery times need to be to keep our patients well cared for and r p h I secure.
Then we draft those plans in writing and then train our department heads on what to do and how to do it
if and when a disaster occurs and to keep everyone sharpen to keep everyone ready. Well, we're gonna perform BCD are testing by running practice exercises and run throughs. That air called tabletop exercises Really fun stuff.
So we can talk much further about business continuity without talking about recovery point objectives and recovery time objectives. So basically, what we're gonna do is ask about ourselves. What are our critical systems? So let's call it a sequel database server that houses are patient records. How far back do we have to go before the disaster strikes that we need to restore our data to to get our database back up and running?
How long will it take us to recover and restore our database to that recovery point?
So these are two objectives that we have to determine for every one of our critical systems. How far do we have to go back. And how fast will it be for us to restore? And these targets are color recovery point objectives and our recovery time objectives are databases backed up every night at 2 a.m. So we have to go back to 1 a.m. On any night before we lost the database to get our recovery point target.
But we have to restore the full archive of patient records in the database
so the recovery time can't be any faster than six hours. So to create a new sequel database from scratch and recover all the data from the backup, Well, it's an eight hour recovery time objective. Now we incorporate our database are pose and Rto s in our business continuity plan. And for starters, we asked the business, What does it cost us in human and financial capital
to lose the database for eight hours?
If the costs are high? Well, we might buy redundant hardware or cloud backup technologies to reduce the downtime and reduce the risk of the business.
So we have a lot of choices as an organization know what to do with risk. But as your organization security leader, most of those choices won't be up to you. Your job is to minimize risk, and the first step in minimizing risk is to identify the threats to the business. All kinds. Environmental terrorism, your CEO even dying in a car accident on the way to the office. How does that impact your business?
Well, that's a threat assessment.
What threats might occur to the business in which of those threats come to the front page so that you can get your plan ready? This is a threat assessment, a very different exercises, a risk assessment. A risk assessment evaluates all the various risk to the business if a threat were to occur, how does it impact you financially? Your reputation, the customer impact
so while we can do with these risks
is we can accept the risk, limit the risk, transfer the risk or avoid the risk. And that's all put together in this thing called the risk assessment. And a gap assessment is the result of comparing our organization toe a standard or best practice guidelines and framework. And then the gaps are identified on where we fall short from that standard, and as a security leader in the organization,
you're gonna perform all three of these types of assessments and repeat them often
as your business and environment will always be changing.
So is part of our continued operations were required by hip, a security rule to maintain data backup plans, data recovery plans and emergency mode operation plans. In our health care organization three emergency mode Operation Plan satisfies the ph I availability goal of the security rule. And so once are planning committee has built and developed these various business continuity emergency operation plans.
Well, you have to test them.
You're gonna pick a threat this month called the team leaders in the conference room tell them that they are to make calls or step away unless absolutely business essential. And for now, the data center in the basement. Well, it was just flooded. And we need to execute our business continuity plan and this run through, make sure your documentation is current. Everyone understands their roles in the recovery operations and recovery procedures
and that your organization is truly ready for continued operations.
Okay, space heads. It's time to quit floating around in zero gs and get back in your seat because it's time for another quiz question.
So what are the three types of assessments you and your team are going to perform in your health care organization to improve its critical systems while you're gonna run three different types of assessments to test your security programs, posture and compliance readiness? The first is a threat assessment to make sure organization has its awareness of all the possible threats to your data and critical infrastructure
the risks posed if any of those threats were to come to fruition, well, that's where a risk assessment comes in.
Does your organization have its arms around managing and minimizing those risks? And then you're gonna run a gap assessment against your technical systems by running technical scans, looking for risks and vulnerabilities in the hardware, software and configuration if your network devices in the infrastructure that supports them.
So in today's lecture, we got our arms around some of the basic business continuity and disaster recovery concepts like contingency planning, our Porthos and our robot droid friend Threepio. We look to contingency and disaster planning and then how we're going to test our program with threat risks and gap assessments. Really good stuff.
So our next lecture is gonna be on managing a HIPPA compliance program. But for now, thanks for joining us is part of the implementing a HIPPA compliance program for leadership Siris. On behalf of all of us here at Cyber, our astronauts are rocket scientists, all who made this course possible. So thank you for joining us. We want you to have fun out there. Take care.
Thanks for choosing to fly with us