As the cybersecurity environment changes and our understanding of how to safeguard data improves, it’s becoming increasingly evident that new philosophies and approaches are needed.
And it starts with something as simple as changing the terminology, according to Heather Costa, whose own title – Director of Technology Resilience at Mayo Clinic – reflects that transformation.
“Disaster recovery has historically been about physical disruption. It’s been an all-or-nothing approach of being able to failover if a meteor hits the data center,” she noted. “We all know that’s not what the threat landscape looks like.”
Instead, healthcare organizations are dealing with phishing attacks and malware that are forcing leaders to dig deeper when examining data and backups and ask if they’re clean and available. “Those aren’t questions that we had to answer in a traditional disaster recovery setting, and that changes everything.”
It’s a change, however, that Costa welcomes with open arms. During a recent Unhack the Podcast with Drex DeFord (President of This Week Health's 229 Cyber and Risk Community), she opened up about why the focus should be on resilience, how her own team’s strategy has evolved, and the importance of strong governance in making any plan work.
Costa may have something of a reputation as a “disruptor,” yet she undoubtedly raised some eyebrows when she moved to rebrand her team just weeks after joining Mayo Clinic. But based on her experiences at Cleveland Clinic and PNC, shifting from disaster recovery to resilience was the right move.
One reason? The recovery process for a cybersecurity incident takes five times as long as other processes, which makes it critical to prioritize resilience. Another key factor is scalability, she added. “We’re looking at how we can get the most benefits from the work that we're doing; that it can serve us for a small disruption, a physical disruption, or simply a technology issue.”
With the different philosophy Costa brings to the table comes a different approach: one that involves more asking and less telling. “The key is to meet people where they are. We don't talk about our work; we talk about their work. I want to understand what they do and what they need,” she explained. And not just in terms of the technology, but people and processes as well. “Those things are foundational, and then you layer technology on top of it to support them.”
And by getting staff to open up, her team is able to identify the problem and develop a set of solutions. On the other hand, if leaders try to implement a tool without understanding the actual problem, “you’ll spin around trying to find a solution,” she said.
Another core component of resilience is the strategy used to determine which areas need attention first in the event of an incident. “The order in which we’re recovering matters to the patient, to clinical operations, and to business operations,” Costa said. “You have to map that out very closely and you have to be able to granularly say, ‘this is priority one, this is two, this is three,’ instead of having big buckets that are tier one and tier two.”
In doing so, organizations create what she termed a “minimum viable” to determine the processes that are most critical to patient care and safety – most of which sit inside the ED and ICU – and prioritize them.
Of course, no systems will be at 100 percent, Costa cautioned. “They won’t be the most efficient. They won’t have all of the enhancements and bells and whistles that they normally have. It’s going to be clunky. And it's going to require manual processes in some of those areas, which is going to slow them down. But at minimum, this is what keeps people alive.”
Preventing that catastrophic impact is what’s most important, she said. And so, when her team conducts recovery tests, they look at more than just whether data were recovered and in what time frame. “We’re looking at what we recovered and how it’s different from previous tests,” she noted. “Did we improve some areas? Did we shorten the recovery time? There needs to be a marker of improvement.”
That improvement, whether it’s in testing or any aspect of resilience, is going to be gradual, which requires a patience not often found in healthcare initiatives. “We tend to want perfection and if there’s anything I've learned, there’s no perfection in this work,” she said. “It’s a program, not a project. We’ll never put a pin in it and call it done. We have to be on that path of continuous improvement, and we have to be okay with that.”