Today: Business Impact Analysis - Who Needs Them?
Episode 82 • 30th April 2024 • This Week Health: Newsroom • This Week Health

Transcripts

Today in Health IT: Will Change Healthcare case finally make providers do a business impact analysis? Today we take a look at that. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a set of channels and events dedicated to transforming healthcare, one connection at a time. We want to thank our show sponsors who are investing in developing the next generation of health leaders.

Notable, ServiceNow, Enterprise Health, Parlance, Certified Health and Panda Health. Check them out at thisweekhealth.com/today. All right, this story and all new stories that we cover, you can find on thisweekhealth.com/news. If you want to become a contributor, at the top of that page you can click on "become a contributor" and go ahead and fill out the form. All right.

One last thing: share this podcast with a friend or colleague. Use it as a foundation for daily or weekly discussions on the topics that are relevant to you in the industry. Use it as a foundation for mentoring. They can subscribe wherever you listen to podcasts. All right. Here's today's story. It is found on SC Media, and it is "Will Change Healthcare case

finally make providers do a business impact analysis?" So let's see. Let me just dive right in here. It's just over a month since the cyberattack on Change Healthcare disrupted business operations, prescription access and billing for providers across the country. UnitedHealth Group last week confirmed what industry leaders have suspected: patient data was compromised during the incident. For several weeks, a second ransomware group, known as RansomHouse, claimed to have accessed and acquired over four terabytes of data tied to Change Healthcare. Early reports show that the UnitedHealth subsidiary already paid BlackCat. Or, let's see, 22.

Is that 2 million? No. 22 million. No comma, no period there. 22 million. To restore access to encrypted data. These claims have not been verified by the insurance giant; both Axios and Reuters reported to have seen the data proofs that included patient data. If RansomHouse's actions are true, we are now in a double extortion scenario for Change Healthcare. And it goes on and talks more about the breach itself, which we've covered pretty extensively, and Drex talking about it on the 2 Minute Drill. The fallout takes shape.

The most concerning news this week is not the staggering numbers, but reports that UnitedHealth or Change Healthcare won't see any real fallout. The biggest losses are being seen right now with the smallest providers: the rural hospitals, specialists, and other health systems. A pointed piece from Minnesota Public Radio describes in detail what providers face across the U.S., impacts akin to those faced during the COVID-19 pandemic. In one example, a small practice of licensed social workers saw all existing claims for payments stop immediately after the outage as Change Healthcare pulled those systems offline. While workarounds were provided to dampen the blow providers faced, small providers, clinics and hospitals across the country have been borrowing from mortgages, requesting payment leniency, and other financial workarounds just to maintain payroll.

Some clinics have reported a 70% decrease in revenue in just one month. What's more, the workaround was equipped with a challenging application form that, even when accepted, did not offer enough financial support.

Okay. And then it gets into the business impact analysis. So it gives you that backdrop.

And by the way, I've had conversations with some of these providers that relied extensively on Change Healthcare and Optum for payment and processing of services. And that's not an exaggeration. They were taking out mortgages. They were looking for loans. They were looking for money to keep their staff employed.

And it's not that people stopped coming in. They just had money stop coming in. Anyway. So we get to: no one has conducted an adequate business impact analysis. The complete picture of the cyberattack's impact may not be seen for months or even years, but it's painfully clear that none of the impacted healthcare entities have conducted an adequate business impact analysis, and because of rampant third-party relationships, or fourth- and fifth-party relationships, because in healthcare you have fourth and fifth. It's possible.

service disruption occurred in:

Wondering why contingencies were not put in place to ensure employees were paid. The consensus was that healthcare entities needed to leverage accurate BIAs to determine systems critical to business operations, and contingencies that would ensure operations could continue. But as media coverage waned, progress on shoring up the contingencies faded. Hospitals and healthcare delivery organizations have faced some of the most historically stressful situations in recent years, but compliance checklists, free resources and security standards have not proved enough for a majority of healthcare entities. Limited security talent and a lack of understanding of how to prioritize remediation have enabled persistent gaps to essentially leave the door open to attacks. Let's see.

In:

Let's see. I want to talk about BIA. So here we go. If enterprise security leaders can't eliminate the risk, it's clear what needs to happen: healthcare entities need to have an effective BIA, business impact analysis, with a well-practiced incident response plan to establish the systems that are mission critical, and the processes or workarounds needed to prevent massive financial losses and patient safety risks. Instead of a BIA,

many organizations have been leaning heavily on cyber insurance policies, but this transfer of risk no longer works as a viable option, too. Insurance firms are now requiring specific action plans. Without preventative measures and BIAs, insurance premiums are "are being increase"... oh, typo, are increasing by as much as 50%, or coverage is being denied altogether. Let's talk about BIAs. It's interesting, because prior to my work in healthcare, BIAs were common practice.

I did work in financial services and manufacturing and banking and defense contracting and whatnot. So I did a lot of IT work around those systems, and a business impact analysis was pretty much standard practice. Understanding which systems were critical, not only the systems, the applications themselves, but the data and the downstream processes that they fed, was a pretty common practice in every other industry.

Now, I'm not saying that in every other industry all organizations had a practice of having an effective business impact analysis in place, but I am saying that it was fairly common practice amongst the large organizations. That is, billion-dollar players had them. Now I don't expect the small rural health system to have it, although it is a good practice. But I do expect the billion-dollar players to take the time to map out their applications, their data, their workflow, and their critical dependencies on that data across the entire organization.

And then marry that with remediation plans in the case of critical systems going down. We've talked about this on the show before, how important it is to have that list of tiered applications. That's the first step in a business impact analysis. And we did cover, in one of the webinars that we did, we talked to one of the players that was ransomed, and the fact that they didn't even have a list of tiered applications.

And so when they lost everything, they had to start rebuilding. They didn't know where to start. They didn't even have a list of applications to go, "All right, these are the most critical applications to bring back: 1, 2, 3, 4, 5, in that order," and know how to rebuild them. And so the business impact analysis starts with some very basic stuff: a list of every application. Now, I know how difficult it is to get an accurate inventory in such a complex system as healthcare. I remember when we started our application rationalization project. We started with, I don't know, let's say it was somewhere around 900 applications.

Let's say we started with 900 applications. We started doing an application rationalization project, that is, meant to cut down on the number of applications and reduce the complexity in the organization. And after about three to six months, we had more applications than what we started with. And that's the nature of healthcare.

We don't know all the applications we do have. And when we start to do a project like this, they uncover themselves. We find them all over the place. It's really an interesting thing. That should not be an excuse not to do a business impact analysis. It's still important to do a business impact analysis. By definition, if you're finding these applications later, they're probably not critical to the entire organization, to the billion-dollar organization.

They're critical to probably a department or a department operation and those kinds of things. So start with what you have. But don't stop with just the applications; you have to look at the data and the downstream effect. That's what happened here. The downstream effect of that data not moving through the system, and not being able to do that validation, not being able to process claims, would have been found by a proper business impact analysis.

And I'm not even talking a good one. I'm just talking one where you looked at it and you said, "Oh my gosh, look, here's what this is." And some of these contracts were written a long time ago and it's not obvious. But if you map out all your workflows... one of the first projects I did at St. Joe's, we hired a firm, they came in, they mapped out all of our workflows, as many of our workflows as they possibly could.

And then they tied them to applications, and they tied them to the data source. And that for us was critical to really understanding it. And I felt the need to do that mostly because I needed it anyway, as a new CIO in that system. Eh, there's a handful of ways that you can do this. And by doing that project, we were able to identify the fact that we had 900 applications. Even though we didn't identify all the applications, we identified a fair number of them.

And then through interviews and discussions, we were able to map those applications out. So my coaching to you is: do a business impact analysis today. Just get started. At organizations like credit card companies and whatnot, there's somebody dedicated to it. There is somebody who's dedicated to maintaining that business impact analysis and continually updating that business impact analysis.

Probably not a bad practice, if you're a billion-dollar company, to have somebody who's building that out and processing that. It is really valuable. It's especially valuable when you go down, but it's still valuable information even if you're not going down. All right. That's all for today. Don't forget to share this, by the way.

I understand it's a really hard job. I understand that it's a very complex environment, but that's part of the job: to map out the complexity of the environment and the dependencies across the system. That's all for today. Don't forget to share this podcast with a friend or colleague. Use it as the foundation for mentoring.

We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders. Notable, ServiceNow, Enterprise Health, Parlance, Certified Health and Panda Health. Check them out at thisweekhealth.com/today. Thanks for listening. That's all for now.
