Dissatisfied with how it determined which business functions and IT assets needed to be restored first following a cyber incident, central Floridian healthcare system Health First recently revised its disaster recovery tiering criteria to make the prioritization process more quantitative and less subjective.
The new decision-making criteria are largely predicated on how severely the business would be impacted if a cyber disaster affected a particular application, according to Kimberly Alkire, system director, cyber wellness at HealthFirst, a presenter at InfoSec World 2023 in Orlando, Florida.
“We’re healthcare. So obviously, patient safety is our No. 1 priority,” said Alkire in an interview with SC Media held prior to her ISW session on the same topic. “So if there’s anything that is going to be putting a patient at risk, or an employee at risk during a downtime, that’s going to be really highly rated in our algorithms that are on the back end of our quantitative scoring.”
Other factors that affect a business function’s DR tier ranking include financial impact, regulatory compliance requirements, reputation damage and the number of employees who use a particular application. Alkire noted that the revised tiering system applies both to preexisting applications and to new functions and assets that are added to the business as time goes on. “And only our executive team is able to veto [a ranking] or move something up on the list,” she added.
An application’s ranking doesn’t just affect how quickly it sees a post-incident recovery effort. Higher-tier functions also get more robust proactive DR and business continuity protections in advance of any potential cyberattack. These protections include high-availability capabilities, hot-hot configurations and back-ups, as well as downtime procedures, a DR plan, an annual DR test and 24/7 vendor support.
“We want to make sure we’ve got… the best stuff on our crown jewels. Same thing for our alerting and monitoring,” said Alkire, noting that HealthFirst’s tiering system is “used by our infrastructure teams and our security teams for all of our processes to be able to identify what is more important and what gets first dibs on limited resources.”
In a separate follow-up email exchange, Alkire told SC Media that the majority of HealthFirst’s tiering criteria changes were put into place in August 2022, and that 15 enterprise apps have currently been granted tier-one disaster recovery status. “We’re just wrapping up our first review cycle, which will be occurring annually to keep it operational, refining along the way as needed,” she added.
For more details on HealthFirst’s DR tiering process and Alkire’s presentation, watch the embedded video within this article.