
© 2016 Manuel W. Lloyd Consulting® | Staying Alive: Medical Manager’s HIpAA Security Guide to Business Continuity and Disaster Recovery Page 1 of 7

Medical Manager’s HIPAA Security Guide to Business Continuity & Disaster Recovery for Medical Practices

Ask About Our Free Disaster Recovery Assessment. Why are we doing this for free? Because we know that once you see our expertise and what we can do to put your medical practice on the road to operational efficiency in your Healthcare IT systems (EHR, EPM, HR & Financial), for the sake of your medical practice, you'll become a client.

manuel.w.lloydconsulting®

Lunch Provided By:

Prepared for: Lunch-N-Learn Attendees

Manuel W. Lloyd Consulting® | +1.910.210.0485 | www.mwlconsulting.com | [email protected]

As a medical practice administrator, you owe it to yourself, your employees, stakeholders, and any patient you serve to honestly answer this one question: Is your medical practice resilient enough to withstand short- or long-term interruptions to its operations?

The answer should be immediate. If you have to pause or think for one second before responding, the answer is no.

Each day of business brings with it unforeseen risk. Whether it's catastrophic weather conditions, cybersecurity threats, or the vulnerabilities of the technology we depend on to perform daily work functions, there must be both a business continuity (BC) and a disaster recovery (DR) plan.

The truth of the matter is that most medical practices aren't doing nearly enough when it comes to continuity and disaster planning. It's inconceivable that in this era, where practices store more sensitive data than ever before and the risk of losing this data is so great, a 2011 Systematic survey revealed that up to 57% of medical practices still have no business continuity or disaster recovery plan in place. A few years ago, a study conducted by Forrester Research concluded that 66% of practices with fewer than one hundred employees admitted to having no tested response, not just to tech issues like a downed server or network, but to disasters, emergencies, and power outages.

This e-guide breaks down some of the potential costs of short- and long-term business interruptions, why far too many practices don't have a solid business continuity/disaster recovery plan in place, and the necessary steps practices can take to get prepared.

A Competent BC/DR Strategy Is a Must

Often misconceived as a problem for the "big guys," business continuity is a concern for practices of all sizes, whether there are 5 or 5,000 employees. The costs of having no solutions in place are too high for many smaller practices to rebound from. Several hours of unplanned downtime can result in thousands of dollars lost each hour. That's the kind of disruption a medical practice may face from a shorter-duration tech issue or power outage. Imagine the consequences of longer-lasting outages, where a practice may be down for days or weeks, as seen in natural disasters like Hurricane Sandy and Hurricane Katrina, or acts of terror like the 2001 World Trade Center attack.

Beyond the immediate tangible costs of outages, like HIPAA fines, lawsuits, and lost productivity and revenue, there is also an intangible domino effect that may be harder to quantify. The repercussions can greatly exacerbate the total losses over time, for instance:

— Patients Jumping to a Competitor: The web hosting company 1&1 Internet, Inc. reported that 72% of web users admit to abandoning a practice for a competitor if they can't instantly access a company website, encounter numerous error messages, or have issues accessing online patient portal features and support. People want immediate gratification today and will take their dollars elsewhere if they don't get it. Even more alarming is the fact that 58% are likely to never return, which means the loss of long-term revenue streams. Perhaps they may be more forgiving in the event of a crisis like a natural disaster, but there will still be those who go to a competitor and never come back.

— Word-of-Mouth/Negative Brand Reputation: Thanks to the power of social media, those frustrated by instances of downtime will take to Facebook or Twitter to quickly spread their vitriol. Brand building and reputation management are critical to medical practices. Any negative attention and publicity brought on by downtime can have long-lasting consequences.

— Disgruntled Employees: In small medical practices, the burden of troubleshooting recurring tech issues or getting a system back online will typically fall upon the shoulders of an already busy, possibly overworked, employee. This multi-tasking employee will have to sacrifice bigger priorities to constantly play damage control. He or she will sometimes have to do this outside of normal work hours and may be pulled away from projects that generate revenue. If they aren't happy about this, they may seek employment elsewhere. Both high turnover and the inability to use an employee's knowledge and skill set for revenue-generating tasks are costly to small-to-medium sized medical practices.

Too Many Medical Practices Aren't Prioritizing BC/DR Plans

Practices are fueled by ePHI and PII (Personally Identifiable Information). They are defined by their ability to efficiently and safely handle the data and vital information they generate or process on a daily basis. It is this data that keeps their day-to-day business functioning, ensuring optimal patient care, service and interaction.

While protecting data is a priority for large enterprises, medical managers have the same responsibility but are challenged by limited budgets. For a start-up practice, the entire focus must be patient-facing, with few resources directed at anything not driving short-term revenue. This means far too many medical practices today are failing to employ some very basic safeguards to ensure BC/DR. A September 2011 CDW Business Continuity Straw Poll suggested that 82% of U.S. service disruptions could be reduced or altogether eliminated by even the most basic BC/DR plan. So why aren't more medical practices taking these precautions?

#1 — Failure to Recognize a Problem: Most medical practices don't think about business continuity or disaster recovery until it's too late and they're scrambling to recover after being taken down. It's ironic, since so much focus goes into keeping the business side sustainable by growing the patient base or outdoing the competition, yet a vital part of "staying in business" is overlooked when it comes to the supporting technology.

#2 — Intimidating and Complex Planning Tools: Medical practices looking to streamline costs and simplify procedures will sometimes write off BC/DR practices as unnecessary. Those who do recognize the importance of preparedness are often overwhelmed by the complex technical jargon that accompanies business continuity planning and don't know where to begin when they hear terms like "business impact analysis" and "risk assessment."

#3 — They Feel as if They Can't Afford It and They're On Their Own: Practice managers may know they're living on the edge without a tested strategy; however, they don't realize that new technology trends, and the availability of products like managed service providers (MSPs), can reduce costs and save on resources. MSPs can combine their knowledge of a medical practice's specific needs with the numerous cloud and hosted backup and recovery tools available today.

3 Steps to Improved BC/DR Planning

Step 1 — Recognize the Need and Importance

Business continuity and disaster recovery strategies tend to be on the to-do lists of many medical practices, but they are often delayed as more urgent business issues emerge. U.S. businesses lose roughly $1.7 billion in profit each year from network outages, according to the same 2011 CDW business continuity survey referenced earlier. Obviously, it isn't smart business for a practice to let business continuity and disaster recovery planning become an afterthought.

To structure a solid business continuity plan, practices must be prepared for all possible disruptions. It is important to note that business continuity goes beyond being prepared for natural or man-made disasters. We are now so technologically dependent that BC/DR plans must be in place to counter any disruption, big or small, that threatens patient care, business and profitability. Internal technical or infrastructure failures or cyber-attacks are obvious examples. Small internal "single points of failure" can bring down an entire operation.

Step 2 — Impact Analysis and Risk Assessment

Constant availability is critical to success. In order to minimize downtime, it's important to determine what technology is behind each phase of your medical practice's business operations. Knowing the technology infrastructure of your practice allows for a comprehensive impact analysis and a better grasp of the impact on business operations when specific technology fails or becomes unavailable, even for a short period of time. Determining what could unexpectedly bring down each piece of that infrastructure is risk assessment.

Risks come in the form of either internal or outside threats. Internal threats can be anything from an application failure, disk crash, or server malfunction to human error or a bitter employee. External threats can vary depending on location: natural disasters like hurricanes, earthquakes, tornados, floods, and fires, as well as man-made events like power outages, acts of terror, and accidents, can knock out services. Additionally, our dependency on technology leaves practices susceptible to cyber-attacks like ransomware, computer viruses, phishing schemes, and the theft of personal mobile devices used for work purposes.

*** Ask me about mobile security. ***

While major disasters do occur and shouldn't be overlooked, it is the smaller everyday disruptions like power outages, server crashes, email issues, equipment failure, and lost or corrupted data that pose the bigger risk to medical practices. Doomsday prepping may be the rage these days, but a sound BC/DR plan typically begins by focusing on addressing the day-in and day-out disruptions first. Documenting, reviewing, communicating, and testing the effectiveness of smaller response scenarios will better prepare practices for potential disasters and longer-term disruptions.

Step 3 — Look to Recent Tech Trends That Simplify Planning

Recent technology developments like server and desktop virtualization, cloud computing, and mobile devices are beneficial to medical practices looking for BC/DR solutions.

Virtualization — BC/DR preparedness may be the most compelling reason to consider virtualization. Virtualization allows practices to condense data and applications onto fewer servers, taking up less space and consuming less power. Virtualization gives small-to-medium sized practices the benefit of high availability (HA) without the added expense of building a backup data center. Operations can be restored faster, as the entire system can be brought back in a single virtual container.

Cloud Computing — More medical practices are moving to the cloud for backup services. The cloud has enabled small and medium sized practices to back up operations away from their primary location and enhance their business continuity process at a reduced cost. Cloud-based Software-as-a-Service (SaaS) packages often come with built-in business continuity solutions that can automate data backup processes on-site or off-site, spreading out risk and minimizing the impact of a disaster. Data (especially ePHI), servers, software, and tools can be stored in the cloud and remain safe if a medical practice is hit by ransomware or disaster. The cloud also allows remote workers to access a practice's communication and collaboration tools, further allowing for "business as usual" in the event of a serious disruption.

Conclusion: Although it is understandable that physician and practice administrators at small to medium sized practices are hesitant to spend money, BC/DR planning is a lot like medical insurance. It's human nature to think that bad things won't happen to you, but the investment pays off when you're hit by an extreme event or emergency. I'm sure you agree ☺.

New technology trends and the backup-as-a-service, DRaaS, remote backup, and online backup services provided by MSPs have given medical practices the ability to safeguard their business operations at a reasonable cost.

Money and resources can no longer be an excuse for a lack of solid BC/DR solutions. There is way too much at risk. We can help you. Listen to what these folks had to say…

Company: Wilmington Health | Company Size: 850 Employees | Position: Office Manager

Manuel Lloyd has provided invaluable leadership and strategic direction as our Virtual CIO. He is very adept and up to date with new technologies, but is able to balance with excellent communication and negotiation skills with stakeholders and vendors.

But what sets Manuel apart is his energy and enthusiasm and he is always there when needed, throttling his output up or down, depending on our needs.

And it's rare to find someone with those characteristics that also has a great and congenial mentality. Manuel is doing some excellent work for us, and I'm excited to continue working with him on future projects and initiatives.

Kerri Andrews, RN Mark Johnson Todd Richardson

Company: Wilmington Health | Company Size: 70 Employees | Position: Office Manager

Every day, Manuel provides clarity, insight and vision into information systems decision making at our community health center.

As the Virtual CIO, his expertise in information systems design, planning and implementation transformed our raw set of networking devices into a truly scalable and unified infrastructure.

Enhancements to our fail-over capability, cloud based backups and network security were introduced at a level unachievable without the business intelligence provided by Manuel W. Lloyd.

Company: Wilmington Health | Company Size: 25 Employees | Position: Office Manager

Manuel Lloyd is a phenomenal communicator, making our time together enjoyable and complex IT issues understandable for those of us challenged by IT and its ever-changing security issues and environment.

I left with very usable and pertinent information that I could share immediately with my workplace.

His support and knowledge is readily offered and given along with quick follow-through and with integrity at its highest levels.

I am thrilled to have found him and his team.


If you have this guide, you came to one of my events, and I'd like to say thank you. I'd like to offer your medical practice a free Business Impact Analysis. This BIA will:

• Identify all critical business functions within your medical practice and how to put them into a thorough HIPAA-compliant Contingency Plan per §164.308(a)(7).

• Identify the essential aspects of the critical business functions, including all dependencies (information, infrastructure, support facilities, key personnel, technology, etc.), to prepare for the required HIPAA Security implementation specification §164.308(a)(7)(ii)(C), Emergency Mode Operation Plan.

• Assess the likely disruption to operations in the event of loss of each of these elements for various periods of time, to comply with the required HIPAA Security implementation specifications §164.308(a)(7)(ii)(A), Data Backup Plan, and §164.308(a)(7)(ii)(B), Disaster Recovery Plan.

• Assess the cost of the disruption and the effect on the business and the recovery timescale for each business unit.
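The impact analysis and risk assessment described in Step 2, and the four BIA outputs listed above, can be made concrete with a small dependency model. The following Python is an added worked example, not part of this guide and not a tool from Manuel W. Lloyd Consulting: it maps each business function to the technology it cannot run without, ranks components by the hourly loss their failure causes (the "single points of failure" Step 2 warns about), costs out an outage of a given length against each function's tolerable downtime, and derives the recovery time a data backup or disaster recovery plan must actually deliver for each component. Every function name, component name, dollar figure and tolerable-downtime value is constructed for illustration.

```python
"""Toy business impact analysis (BIA) / risk assessment for a small practice.

Added example, not from the guide and not a tool of the consulting firm
described in it.  All functions, components, dollar figures and tolerable
downtime values below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    depends_on: frozenset        # infrastructure the function cannot run without
    cost_per_hour: float         # estimated loss per hour of downtime (constructed)
    max_tolerable_hours: float   # longest outage the function can absorb (constructed)


# Constructed sample inventory: what technology sits behind each business function.
FUNCTIONS = (
    BusinessFunction("patient scheduling", frozenset({"epm-server", "lan", "internet"}), 400.0, 4.0),
    BusinessFunction("charting (EHR)", frozenset({"ehr-server", "lan"}), 1500.0, 2.0),
    BusinessFunction("billing and claims", frozenset({"epm-server", "lan", "internet"}), 900.0, 24.0),
    BusinessFunction("lab results intake", frozenset({"ehr-server", "lan", "internet", "hl7-interface"}), 300.0, 8.0),
    BusinessFunction("phones and callbacks", frozenset({"voip-pbx", "internet"}), 250.0, 1.0),
)


def dependents(component, functions=FUNCTIONS):
    """Business functions that stop when `component` fails."""
    return [f for f in functions if component in f.depends_on]


def impact_ranking(functions=FUNCTIONS):
    """Rank every component by the hourly loss its failure causes.

    Returns (component, number_of_functions_down, cost_per_hour) tuples, highest
    cost first.  The top entries are the practice's single points of failure.
    """
    hourly = defaultdict(float)
    count = defaultdict(int)
    for f in functions:
        for c in f.depends_on:
            hourly[c] += f.cost_per_hour
            count[c] += 1
    return sorted(((c, count[c], hourly[c]) for c in hourly), key=lambda r: (-r[2], r[0]))


def outage_impact(component, hours, functions=FUNCTIONS):
    """Cost of `component` being down for `hours`, plus the functions whose
    tolerable downtime is exceeded in that window."""
    down = dependents(component, functions)
    cost = sum(f.cost_per_hour * hours for f in down)
    breached = sorted(f.name for f in down if hours > f.max_tolerable_hours)
    return cost, breached


def required_recovery_hours(component, functions=FUNCTIONS):
    """Recovery time the DR/backup plan must meet for `component`: the tightest
    tolerance among the functions that depend on it (None if nothing does)."""
    down = dependents(component, functions)
    return min(f.max_tolerable_hours for f in down) if down else None


def plan_gaps(recovery_estimates, functions=FUNCTIONS):
    """Compare the restore time each plan can actually deliver (e.g. measured in a
    restore test; the values passed in are constructed) against what the BIA
    demands.  Returns {component: (hours_required, hours_deliverable)} for every
    component whose plan is too slow."""
    gaps = {}
    for component, can_restore_in in recovery_estimates.items():
        need = required_recovery_hours(component, functions)
        if need is not None and can_restore_in > need:
            gaps[component] = (need, can_restore_in)
    return gaps


if __name__ == "__main__":
    for component, n, cost in impact_ranking():
        print(f"{component:15s} takes down {n} function(s), about ${cost:,.0f}/hour")
    cost, breached = outage_impact("ehr-server", 6)
    print(f"6h EHR server outage: ${cost:,.0f}; tolerance exceeded for {breached}")
    # Constructed restore-time estimates from a hypothetical restore test.
    print(plan_gaps({"ehr-server": 8.0, "epm-server": 3.0, "internet": 0.5, "lan": 12.0}))
```

With the constructed data the LAN, not the EHR server, is the costliest single point of failure because every function depends on it, and the EHR and LAN restore estimates both miss the two-hour tolerance that charting imposes. That is the kind of finding a BIA is meant to surface before an outage does: the backup or recovery arrangement has to be sized to the tightest tolerance among the functions it protects, and only a timed restore test tells you whether it is.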

Just call me at 910.210.0485 ext. 101 or 910.509.7128. If you want to get to me quicker, you can call me on my cell phone at 910.538.3196. I sleep with the darn thing ☺.

Why am I doing this for free? Because I know that once you see our expertise and what we can do to put your medical practice on the road to operational efficiency in your Disaster Recovery Plans, for the sake of your medical practice, you'll become a client.

Wishing You Much Success!


Manuel W. Lloyd, ITIL® Certified
Manuel W. Lloyd Consulting®, LLC
p: +1 910.509.7128 | o: +1 910.210.0485 | m: +1 910.538.3196
e: [email protected] | w: www.mwlconsulting.com
a: 1213 Culbreth Drive | Wilmington, North Carolina 28405
Operational Efficiency/Excellence In Healthcare IT Using Effective Thought Leadership, Business Insight & Leading Edge Thinking For Hospitals, Medical Practices & Health Clinics

Free Offer — Business Impact Analysis