DISASTER RECOVERY/BUSINESS CONTINUITY AUDITING: A CASE STUDY

Wayne Purves, Director
Christa Voie, IT Auditor
MultiCare Health System, Tacoma, WA

AHIA 32nd Annual Conference – August 25-28, 2013 – Chicago, Illinois
www.ahia.org

Learning Objectives

- Explain Disaster Recovery (DR) and Business Continuity Process (BCP) core concepts and critical risks.
- Share best practices in DR and BCP auditing approaches.
- Discuss the unique considerations when auditing DR and BCP requirements within the healthcare industry.

Presenters

- Wayne Purves, Director – Corporate Compliance and Internal Audit. Certifications: MBA, CIA, CISA, CFE, CHC, CRMA. 20+ years experience in internal audit, regulatory compliance, risk advisory and consulting.
- Christa Voie, IT Auditor – Corporate Compliance and Internal Audit. Certifications: CISA, PCIP. 10 years experience in internal audit, compliance, finance and accounting.

MultiCare Health System (MHS)

- Located in Tacoma, Washington, serving Pierce and South King County regions
- 5 Hospitals, 100+ Clinics with Diagnostic Imaging Centers and Laboratory Services
- 9K+ employees, $1.6B Annual Revenue

Presentation Outline

- Definitions
- Setting the Stage: Healthcare Industry
- Our Approach
  - Current Environment
  - Frameworks
  - Scope, Objective, Audit Program
- Lessons Learned / Other Considerations

Question

What comes to mind when you think about disaster preparedness in the workplace?

What is Disaster Recovery?

Disaster Recovery (DR) is the process of rebuilding your operation or infrastructure after the disaster has passed. (SANS Institute)

What is Business Continuity?

Business Continuity (BC) refers to the activities required to keep your organization running during a period of displacement or interruption of normal operation. (SANS Institute)

BC is the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (ISO 22301:2012)

Setting the Stage: Healthcare Industry

- In emergencies, the community runs TO a hospital, NOT away from it!
- Caring for patients, visitors, employees, community
- Criticality for testing surge plans, simulations
- Practice, training, more practice, and more training!
- Integrated Electronic Medical Record System
  - 24x7 operations (hospitals) vs. limited hours (clinics)
  - Simultaneously offline – limited paper records
  - Downtime procedures = Possible lives saved!

Our Approach: Assess Current Environment

- Comments from prior IT risk assessment
- Corporate communications
- Discussions with Information Services department
- Internal Survey

Our Approach: Select A Framework

- Option: Kitchen Sink / FishNet Approach
  “I NEED EVERYTHING I can find on the topic.”
  Result: Overwhelmed. Forced to sift out essentials.
- Option: Default Approach
  “Just use COBIT. I always use COBIT.”
  Result: Decide v4 vs. v5, may not align with company standards or have buy-in with client.
- Option: Selective / Hybrid Approach
  “Use a mix of select sources with the most authority.”
  Result: Winning combination!

Our Approach: Selected Frameworks

- Joint Commission Standards
  - Emergency Management Chapter
  - Information Management Chapter
- MHS Company Policies
  - Technology: Disaster Recovery policy
  - Comprehensive Emergency Management Plan (CEMP)
- COBIT 5 Framework
  - DSS04 – Manage Continuity

Audit Scope

- Technology disaster recovery program, including planning and testing efforts for critical systems and applications.
- Centralized activities for managing business continuity plans, including the overall continuity strategy, development and testing of the emergency management plans, staff training, and communications.

Audit Objective

- To assess whether MHS has established and tested a comprehensive business continuity and technology disaster recovery strategy.
- To assess whether MHS could resume critical operations in response to a declared disaster or emergency event.

Audit Program

Disaster Recovery
- Technology Recovery Strategy
- Business Impact Analysis
- Recovery Objectives
- Test Plans and Schedules
- Test Results and Remediation

Business Continuity
- Continuity Strategy
- Continuity Plans and Procedures
- Communications
- Training

DR - Technology Recovery Strategy

- Review the strategy for managing recovery of technology and systems.
- The process for managing the data centers and recovering servers during an emergency.
- Recovery processes for non-IS managed systems.

DR - Business Impact Analysis

- Review the Business Impact Analysis (BIA) and verify:
  - It is current
  - It is complete
  - It documents risks and outcomes
- Update the BIA after major changes.

DR - Recovery Objectives

- Review the recovery objectives and timelines for system downtime and minimizing lost data.
- Recovery Time Objective: Maximum tolerable time limit within which the data must be recovered.
- Recovery Point Objective: Maximum tolerable data loss that is acceptable in a disaster situation.

DR - Test Plans and Schedules

- Review process for scheduling and planning disaster recovery tests.
- Review a sample of Mission Critical systems to verify:
  - Test plans exist
  - Test plans are current
  - Test plans identify responsibilities and actions

DR - Test Results and Remediation

- Review a sample of Mission Critical systems to verify:
  - Recovery testing has occurred
  - Testing is documented
  - Post-exercise reviews were documented, with recommendations to improve continuity identified
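As an added example (not part of the presentation or the MHS audit program), the checks on the Recovery Objectives, Test Plans and Test Results slides turned into a script an auditor could run over sampled evidence: each mission-critical system's recorded exercise is compared against its RTO and RPO, and missing or stale plans, tests and post-exercise reviews become findings. System names, dates and objectives are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class DrTestRecord:
    system: str
    rto_hours: float                           # Recovery Time Objective agreed for the system
    rpo_hours: float                           # Recovery Point Objective agreed for the system
    plan_reviewed: date                        # last date the recovery test plan was reviewed
    last_test: Optional[date]                  # most recent recovery exercise, None if never tested
    measured_recovery_hours: Optional[float]   # hours taken to restore service in that exercise
    measured_data_loss_hours: Optional[float]  # age of restored data relative to the failure point
    post_exercise_review: bool                 # post-exercise review with recommendations on file

def audit_system(rec: DrTestRecord, as_of: date, max_age_days: int = 365) -> List[str]:
    """Return audit findings for one system; an empty list means no exceptions."""
    findings = []
    if (as_of - rec.plan_reviewed).days > max_age_days:
        findings.append("test plan not current")
    if rec.last_test is None:
        findings.append("no recovery test on record")
        return findings                        # nothing further to evaluate without a test
    if (as_of - rec.last_test).days > max_age_days:
        findings.append("last test older than the review period")
    if rec.measured_recovery_hours is None or rec.measured_data_loss_hours is None:
        findings.append("test results not documented")
    else:
        if rec.measured_recovery_hours > rec.rto_hours:
            findings.append(f"RTO missed: {rec.measured_recovery_hours}h > {rec.rto_hours}h")
        if rec.measured_data_loss_hours > rec.rpo_hours:
            findings.append(f"RPO missed: {rec.measured_data_loss_hours}h > {rec.rpo_hours}h")
    if not rec.post_exercise_review:
        findings.append("no documented post-exercise review")
    return findings

def audit_sample(records: List[DrTestRecord], as_of: date) -> Dict[str, List[str]]:
    return {r.system: audit_system(r, as_of) for r in records}

# Constructed sample evidence (hypothetical systems and dates, not MHS data).
AS_OF = date(2013, 8, 1)
SAMPLE = [
    DrTestRecord("EMR", 4, 1, date(2013, 3, 1), date(2013, 5, 15), 3.5, 0.5, True),
    DrTestRecord("Lab Information System", 8, 4, date(2011, 6, 1), date(2012, 2, 10), 12.0, 2.0, False),
    DrTestRecord("Pharmacy", 6, 2, date(2013, 1, 20), None, None, None, False),
]

if __name__ == "__main__":
    print(audit_sample(SAMPLE, AS_OF))
```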


BC - Continuity Strategy

- Review the enterprise-wide business continuity strategy and processes including:
  - Corporate emergency management plans
  - Management oversight/governance
  - Hazard vulnerability assessments (HVAs)
  - Hospital planning for 96-hours of self-sustainment
  - Partnership with community resources
  - Tracking/management of emergency supplies and equipment

BC – Continuity Plans and Procedures

- Emergency plans in place for each hospital/facility.
  - Current
  - Approved by Management
  - Coverage for offsite locations, clinics

BC - Continuity Plans and Procedures (cont.)

- Review emergency operations plans and validate they:
  - Exist
  - Are current
  - Define key roles, persons
  - Outline procedures/actions to be performed
  - Have associated test results / lessons learned
  - Include defined follow-up, assigned actions and owners

BC - Continuity Plans and Procedures (cont.)

- Review that testing occurs twice annually for each hospital (per Joint Commission requirements).
- Tests include:
  - A simulation of a surge/influx of patients
  - The local community is unable to support the hospital
  - Participation in a community-wide exercise

BC – Communications

- Review the tools and processes for managing communications during an emergency.
- Review processes for maintaining current contact information.
- Review processes during an emergency response exercise to monitor and assess the effectiveness of communications (both internal and with external entities).

BC – Communications (cont.)

- Notification processes in place for:
  - Staff & personnel
  - Patients/Families, esp. if relocating patients
  - External authorities
  - Media/Community
  - Vendors/Suppliers
  - Regional healthcare partners

BC – Training

- Review employee training on emergency practices.
- Training on emergency equipment and supplies.
- Managing emergency volunteers.
- Licensed independent practitioners

MHS Lessons Learned

- Corporate Executive Buy-In / Executive Advocacy
  - Tell a Compelling Story – Mercy Hospital in Joplin, Missouri
  - Associate risks and impact of issues with organization’s mission (MHS: Quality Patient Care)
  - Actual disruptions to business continuity assisted with this point
- Incorporate ERM Efforts to promote preparedness
  - Ask Management: “Do we want to be the hospital system that evacuates or stands firm during an emergency?”

MHS Lessons Learned (cont.)

- Business Impact Analysis
  - Process managed through I.S. or within Operations?
  - I.S. assumes priorities on behalf of Operations.
  - Disconnect between priorities, recovery timelines
  - “What are the mission critical systems?” – Different answer depending on who you ask
  - General (but undocumented) understanding of actual impact/risks to operations in the event of system downtime.

MHS Lessons Learned (cont.)

- Sample Selection
  - Even if policy states all ‘Mission Critical’ systems require the same standard for continuity, use judgmental sampling so the major EMR system(s) are included, rather than selecting a random sample only.

Other Considerations

- Understanding Hospital Incident Command System vs. Business Continuity
  - Client confusion on differences
  - HICS – Centralized Communication/Framework for Control
  - BC – Overall continuity activities, includes HICS
- Resource Plans
  - 96 hour Self-Sustainability Rule
  - Single resource provider and proximity plans
  - Back-up, and back-up to the back-up…

Resources

- Addendum 1: MHS DR/BC Audit Program
- FEMA – Federal Emergency Management Agency
- NIMS – National Incident Management System
- State Emergency Management Department
- State Laws
  - Revised Code of Washington (RCWs)
- Local County Requirements
- OSHA – Occupational Safety and Health Admin.
- OMB Circular A-133
- Joint Commission Standards – Emergency Mgmt, Info Mgmt Chapters
- COBIT 5 Framework – DSS04 (Manage Continuity), www.isaca.org
- Mercy HealthCare System (Joplin, Missouri) – YouTube: “Mercy/ROi Joplin Story”
- The Business Continuity Institute – www.thebci.org
- SANS Institute – Info Sec Reading Room – White Paper: “Introduction to Business Continuity Planning”
- The Institute of Internal Auditors – Global Technology Audit Guide GTAG #10 – Business Continuity Management

Questions?

Thank you!

Wayne Purves
[email protected], (253) 459-7865

Christa Voie
[email protected], (253) 459-8171

Save the Date: September 21-24, 2014
33rd Annual Conference, Austin, Texas