In the Eye of the Cyber Hurricane: Business Continuity & Emergency Preparedness

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:22] Welcome to the CyberPHIx, your audio resource for information security, privacy risk and compliance for the health care industry. I'm your host, Brian Selfridge. In each episode, we will be bringing you pertinent information from thought leaders in health care, cybersecurity and privacy. And in this episode, will be speaking with Patrick Hinnant. Patrick is the director of IT Operations, Facilities and emergency management for Trillium Health Resources.

Brian Selfridge: [00:00:45] Our session today is titled In the Eye of the Cyber Hurricane, Business Continuity and Emergency Preparedness. The Cyber Hurricanes are coming fast and furious four health care organizations, and we want to tap into Patrick's years of experience to help us improve our preparedness and response to these all too frequent cyber storms. So let's dive into yet another great conversation with yet another amazing guest, Patrick Hinnant.

Brian Selfridge: [00:01:13] Hello and welcome to the CyberPHIx, the leading podcast for information security and privacy, specifically for the health care industry. I'd like to welcome my guest, Patrick Hinnant. Patrick is the director of IoT Operations, Facilities and emergency management for Trillium Health Resources. Trillium is based in North Carolina and provides specialty behavioral care services to help those with mental health conditions, intellectual and developmental disabilities and substance use disorders to get the services they need to improve well-being and live fulfilling lives. And certainly, we have need for all of the above these days.

Brian Selfridge: [00:01:45] Prior to Trillium, Patrick served as the CIO for Coastal Care, along with other leadership roles. He's held at several public and private health care and IT organizations. Patrick also served over 21 years in the U.S. Navy and IT and telecoms management roles, and we thank Patrick for his service. I'm excited to be speaking to Patrick today about business continuity and emergency preparedness best practices for health care organizations. We'll talk about incident response and continuity from the ground level staff perspective all the way up to the executive level. We'll also discuss some IT specific challenges and approaches to emergency response, including dealing with hybrid and cloud hosted infrastructures and much more. We'll also spend some time digging into evolving models of behavioral health and how they've been able to maintain these critical services during the pandemic. So with that, Patrick, thank you so much for taking the time to join us on the CyberPHIx today.

Patrick Hinnant: [00:02:35] Good morning, Brian. Appreciate the opportunity to join you today. I do need to get the legal stuff out of the way, though, by saying my experience and insights I share today on my own and don't represent those of my current or past employers.

Brian Selfridge: [00:02:47] Absolutely. And we appreciate the legal sentiment there and perhaps the candor that that will allow you to elucidate during this conversation. Now that we've gotten to the legal hurdles out of the way. So getting started here, Patrick, you know, the last year or two has certainly seen no shortage of disasters, emergencies and incidents for health care entities. I suspect everyone listening has had some form of, you know, quote unquote on the job emergency response training in response to these pandemics, hurricanes, ransomware attacks and other cyber incidents. So in short, we need your help and we're very appreciative of you, of you sharing your insights with us. Now, before we get into some of the best practices, I want to hear some more stories and I have to imagine you have some. Would you be willing to share with us some high level examples of the the types of disasters or emergencies that you've had to deal with over the years and keep it systems and business continuity going? You don't need to name names by any means, but I have to imagine you have a story or two for us.

Patrick Hinnant: [00:03:42] Well, certainly I can speak to the more recent events and given our location here in the East Coast, North Carolina, we've definitely experienced more than a few hurricanes. And as you said earlier, you know, I do wear several hats. As director of IT Operations Infrastructure Service Desk Security, I'm responsible for organization wide business continuity and the facilities department, so I'm plenty busy during hurricane season. So as Trillium, we've been through four hurricanes since 2016, with Florence in twenty eighteen being our biggest challenge. I personally slept in the data center for more than a week during that time. I'm proud to say we we experienced no loss or outages, a loss of service or outages. I attribute that to the remarkable foresight and planning of my infrastructure team and because of our experiences with the Hurricanes. When the pandemic, you know, forced the move to 100 percent remote operations last year, we were able to make the shift in three business days. And that's including our four seven crisis call center. As of today, we are still working remotely and likely will be until early next year.

Brian Selfridge: [00:05:06] Well, it sounds like you've got your hands full. I hope that's the last hurricane for at least the foreseeable future that you have to deal with, although for in the last four or five years means you might, you may have some more in front of us. So, you know, tell us a little bit about I want to talk about some of the the challenges and approaches for for managing these types of incidents. And as we mentioned in the intro here, we want to talk about how it's impacted or the roles that organizations need to to lay out there from the staff level all the way up to executive level. So let's start with some of the I.T. and help desk in particular, as we don't often realize how critical those first level responders are to effective response to emergencies. Could you walk us through a little bit the role that the helpdesk needs to play and managing a crisis? And how does that differ from their day to day responsibilities?

Patrick Hinnant: [00:05:53] Well, I just want to say I'm an incredibly lucky because I have a talented and dedicated IT operations team and I say IT operations team. Yes, service desk, you know, is the face of it, but they're backed up, you know, by the infrastructure and facilities team who built and maintain a resilient infrastructure. So I think the challenge for the service desk team has been, you know, supporting a 100 percent remote workforce for an extended period of time as opposed to a few weeks, you know, for a hurricane. And this required a change of of how we deliver our services and provision our users and support onboarding new users. Ironically, my IT service desk manager had only been on board for a week when all of this happened. But he did an outstanding job leading his team through that shift.

Brian Selfridge: [00:06:49] Are there any pitfalls or missteps that you've seen help desks and IT technician type teams make in either preparing for or maybe reacting to emergencies and security incidents? You don't again don't need to name names here, but what are some things that that our audience can avoid when the the panic strikes of of the actual incident hitting the hitting the scene?

Patrick Hinnant: [00:07:09] You know, Brian, I think I don't think I know an effective IT team is only as good as their leadership and the technology they support. Any missteps by the team is directly attributed to the lack. Leadership or clear direction, really, regarding the technology side. I think an organization must commit to investing in the best ICT infrastructure it can afford and maintain it because under investing in the technology, places a burden on the team to support it. Interestingly enough, I just had that conversation with one of my service desk team this week about that, you know, he commented that, you know? What makes my job so much easier here, as opposed to my last job, is that you guys invest in great technology and so it makes my life so much easier. You know, and I. I we very much appreciated that. You know, his comment on that.

Brian Selfridge: [00:08:10] You mentioned the importance of having good leadership, especially again limited to this, this sort of help desk type scene for now, what what would what good leadership look like in either again preparing or responding to the incidents? What are some of the behaviors? What are those folks doing when when they do it well?

Patrick Hinnant: [00:08:29] Well, I say again, to the degree possible, invest in the best technology your organization can afford. Invest in the team through training and providing them with the tools they need to get the job done. You know, if you're not. You know, if you're not investing in your team and your people and, you know, obviously and I know that's sort of a broad thing and a lot of people do say, but I really feel here at Trillium, we really do that. We do support our team in any way possible. In terms of response and preparedness, you know, if you're not getting enough real world experience like like we clearly are. Yeah. You know, I really think training scenarios are critical so that your team acts, you know, automatically in a real emergency event, you know, and it's it's it's a very hard thing to do in a very busy environment to to set time aside to do tabletop exercises, walkthroughs or anything in that nature. But I really think it pays off. You know, when when the real thing happens, you know? And also, I guess finally, you know, make sure your team know that you support them and that you have trust in their ability to respond appropriately to the situation. They have to have that flexibility because we all know that. Emergency situations don't happen. In a scripted way, so they got to have that flexibility and know that you support them.

Brian Selfridge: [00:10:01] Does that go back to the whole idea of sort of allowing your folks to to fail in a controlled way and being kind of more positive about it than than sort of beating them over the head, especially when in crisis times? So we talk about the staff level and the mid-level management there a little bit. Let's let's zoom ourselves up to the executive level as well as there's always sort of a a different day to day job that needs to happen for them when when the stuff is hitting the fan. So when we look at executive levels either inside or outside of it could be in the business. What are some behaviors and models that you have seen work well or maybe not so well for that matter, from from leaders and executives in these moments of crisis?

Patrick Hinnant: [00:10:45] Well, this is kind of a tongue in cheek response, but. When I'm sitting in a meeting or had been sitting in meetings in the past and the subject of business continuity planning, you know, comes up and then all heads turned to me. You know, my response is don't don't look at me. Business continuity is about. What would you do without me? What would you do without it? And of course, that that that causes them to sort of pause and think, Wow, you know, what would I do? Seriously, though, you know? That's to say, you know, what doesn't work well is when management again outside it sees continuity, business continuity is IT problem instead of an organizational problem. I've encountered that mindset in the past. I'm happy to report, you know, the executive leadership here at Trillium, you know, thankfully doesn't have that view. I mean, we've been through enough hurricanes. You know that that we know we've lost continuity is certainly an organizational and responsibility.

Brian Selfridge: [00:11:59] So how about everybody else involved the incident, so we talk about executive staff, IT folks, obviously the sort of crisis responders from an IT perspective. What about the rest of the workforce? And you know, is this is this one of those, you know, ask not what your country can do for you, but what you can do for your country. Like what? What should the regular working schlubs like ourselves, some of us be doing during an incident when they don't have their hands on the reins of actually actively responding to it?

Patrick Hinnant: [00:12:28] Certainly be patient. You know, flexible and adaptable, you know, understand during emergency situations, response times for less critical services that are going to be slower or even paused until after the event, you know, has passed. So if your issue is not mission critical, you know, please don't call the service desk until after the and until after we return to normal operations. You know, it's not the time to call up and complain. You know that your printer doesn't work.

Brian Selfridge: [00:12:59] Is this like don't go to the emergency room for that scraped knee during the pandemic?

Patrick Hinnant: [00:13:06] I will share this one anecdote with you and this happened several years ago and again, because of the fact that facilities is is under me as well. I had a new boss who just joined the CIO, you know, VP of technology. He was in the office that week and was headed out to lunch and. Do you could have been more than 30 seconds after he went to lunch that we had a major fiber cut in Wilmington and you could almost see it visibly happen sitting at your desk because cell services were lost, you know? You know, we lost cell service. We lost internet. I mean, it was just, you know. And so I got up and I, you know, was literally running down the hallway to try to catch him before he went out the door to lunch to let him know. And as I did that, one of the staff came out of the men's room and said, Hey, the toilet doesn't work. And I, for a second, I just stopped and looked at him and I thought, OK, I don't have time for that. And so, you know, but it was just it just it was kind of humorous.

Brian Selfridge: [00:14:16] I think you've just accurately described my household. I've got four young kids and you know, there's always, I'm in the middle of something. They're watching me do something important and sort of high value, and then they come up to me with their their quote unquote important issue of the moment like and it is the toilet is broken. I'm like, I can't can't deal with that right now.

Patrick Hinnant: [00:14:38] Exactly. And like I said, that just kind of comes with the territory when you have the hats. All those hats.

Brian Selfridge: [00:14:44] That's a lot of hats you have, for sure. So what I want you to put on right now or keep on is your your technical IT techie hat for a minute because I want to I want to get into the weeds a little bit, and a lot of our audience can can can go there. So we'll we'll go there. You know, we used to just have to worry about keeping a flow to single data center or a couple of data centers maybe that manage that. We managed ourselves and sort of had oversight of and you know, how has emergency response, incident response, business continuity, whichever flavor you want to take? How has that changed now that we have all these either hybrid or cloud hosted ecosystems that are running really critical pieces of our infrastructure, it's not even just ancillary stuff anymore. You know what's different now and how do we need to behave differently?

Patrick Hinnant: [00:15:29] You know, I think Trillium has been overwhelmingly been a positive, you know, for for emergency response and delivery of services in general for that matter. You know, we're a classic example of a hybrid environment. You know, we have an on premise data center and as well as a mix of different cloud, you know, solutions software as a service solutions to support our staff. So I think it's I'm more confident now in our ability to kind of continue to provide critical services during an emergency response. You know, for the most part, as long as the user has internet access, you know, they can do their job from anywhere. And so that's that's the flexibility that that having our hybrid environment provides. If I had to think of a difficult. Or I would say the challenge for most organizations is budgeting for cloud services. You know, you're calculating your your phone cost of ownership for cloud solution isn't always as easy as it is for an on premise data center. So for example, when we were planning our initial move to a hosted solution, I had to prepare the finance department, you know, for the fact that our month and month cost would fluctuate based on use. Not it wasn't a fixed cost, which is something they were traditionally used to experiencing, you know, so. But I'd probably say that, you know, in my mind, is probably the most difficult part of the of the new hybrid environment.

Brian Selfridge: [00:17:01] Everything comes back to budget one way or another.

Patrick Hinnant: [00:17:04] Absolutely. Especially when you're in a state government, local government organization.

Brian Selfridge: [00:17:12] So, Patrick, there's a lot of discussion these days about securing the supply chain and for good reason, right? With the breaches we've seen with Microsoft and the Colonial Pipeline. So everybody's getting hit with these, these third party breaches. What happens when the emergency or incident impacts one or more of your critical vendors or source by one or more of your critical vendors? How do you how does your emergency response, either preparation or response itself, have to change when when one or more vendors are involved?

Patrick Hinnant: [00:17:46] I'd say thus so far, I would not say our emergency response has been impacted, I'd say more. So our day to day services have been impacted, certainly with trying to support the, you know, the users. And, you know, we've continued to hire staff throughout the through the pandemic. So we've got to onboard them. And of course, we've got to provide them with the equipment they need. And so, you know, we've experienced shortages and delays and in receiving, you know, equipment, you know, just based on on the world situation in general. So I would probably say that that's probably been our biggest one we've seen so far.

Brian Selfridge: [00:18:31] So it was I want to switch gears a little bit here and talk more about the behavioral health side of things, because I know you've had extensive experience working in that field or that niche for for a number of years. The pandemic has, of course, generated a substantial uptick in demand for mental health services. I think everyone needs some kind of therapy at this point or help dealing with, you know, the fallouts of shelter in place, remote work models, all the relationship changes that have happened. So how has the delivery of mental health and behavioral health evolved in the last few years from your perspective, particularly even from an IT side of things?

Patrick Hinnant: [00:19:09] I'll tell you a number of ways, so, you know, regarding, say, telehealth, you know, as a health plan or managed care organization, you know, we don't directly provide the services, you know, we manage a network of providers who serve our members in 26 counties here in North Carolina. So the challenge for our providers in serving our members during this pandemic is that, you know, many of our members live in very rural areas without internet access, and some don't even have mobile phones. So getting in contact with them and providing that critical therapy they need has been certainly a challenge. And. You know, overall, I would say, evolution wise, is that many of our providers are very small practices, you know, and traditionally their access to affordable IT solutions, you know, support the practices is kind of really been out of reach for them. You know, I've seen, you know, is more of the software as a service solutions become available and more affordable. I see that changing. So now they're they're able to do their jobs a little bit more efficiently and and in that way as well.

Brian Selfridge: [00:20:26] Well, now now that we have more telehealth capability and that stuff started to really pick up. Are there any new challenges that have arisen to maintain continuity of these systems and protect them from cyber attacks? I mean, it's not like you would just go to your local, you know, behavioral health center and meet with a physical human being anymore, and that obviously has its own constraints. But now, if that if that fiber gets cut again, you know, all of a sudden, are people left stuck, stuck without support? Has it introduced any new challenges?

Patrick Hinnant: [00:20:57] A new challenge, but you know, the bad actors or the nation state actors, they really kind of doubled down on their attacks and, you know, with few exceptions, they haven't really demonstrated any signs of compassion toward health care organizations. You know, they're they're attacking them as well. So. And I think, you know, the work from home trend has exponentially increased that risk, especially for organizations who traditionally kind of had that that castle and moat approach to protecting their systems and information, you know, defense in-depth internally. But now they have to start to plan and protect for the cloud. So that's something. And they had to do it quickly. And so I think that has certainly increased the risk as well.

Brian Selfridge: [00:21:46] I'd like to ask you a little bit about the sort of macro trends around privacy, particularly so some I'm in a past life was a security officer for health system and we had a behavioral health arm of the of the company. And I remember sort of everything being isolated and segmented into its own little ecosystems because of the the state laws, as well as just the desire to recognition that this is very, very super sensitive information. Not that patient information generally isn't, but now that we've got so much of a larger footprint with all this telehealth and everything else to you. What's your perspective on the privacy implications of delivering this volume of mental health services via telehealth and otherwise? Do you think we think we're able to handle it or should we be worried?

Patrick Hinnant: [00:22:34] I think there's no question that health care organizations face an increased risk during the pandemic, you know, specifically with regard to telehealth, you know, we know that that, you know, HHS Office of Civil Rights, you know, his temporary, relaxed enforcement of the rules, allowing health care providers more flexibility, you know, in delivery of services via collaboration solutions that that weren't fully or even nearly HIPAA compliant at the outbreak of the pandemic. You know, they're they specifically mentioned, you know, the use of face time, Facebook Messenger, Zoom, et cetera. You know, and so this temporary relaxation, I think, creates a challenge for those responsible for compliance and risk management because, you know, now that the proverbial genie is out of the bottle, how do you contain the risk? You know, when OCR rescinds that temporary relaxation of enforcement, you know, now you know, now, you know, risk and compliance has to address, you know, those issues.

Brian Selfridge: [00:23:38] So the train is coming.

Patrick Hinnant: [00:23:44] Yeah. Ransomware, again, ransomware is certainly not showing any signs of abating anytime soon and coming to terms with it. So, you know. You know, the the instances of of personal health information, you know, being shopped on the market, you know, shopped out there in. Since, you know, in the dark net, and so, yeah, those are things that can definitely keep keep you up at night.

Brian Selfridge: [00:24:13] Well, we often are a lot of doom and gloom on these conversations, it's hard in our field not to be looking at all the challenges, risks and scary things, but I want to I want to ask you, I guess, kind of one final thought here around what resources and support, particularly external resources. There's a lot of whether it's government body standards, bodies putting out resources and information to help us get better at all the things we've talked about today on emergency responses and it responds to those types of things. Now, given that you've been been in the field, are there any go to resources that you use or you would recommend to our audience to check out that are that are good, that you would recommend organizations take a look at, at least as they build their own plans?

Patrick Hinnant: [00:24:57] No, certainly, I mean, there are there are so many, you know, today, certainly far more than it were, you know, even five years ago, you know, of course, I think, you know, most were aware of, you know, CISA cybersecurity and Infrastructure Security Agency has great material. Of course, NIST has, you know, their special publications, specifically the 800 Dash one sans institute. You know, these are ones that I think most are, you know? Aware of maybe perhaps less is, you know, FEMA has a cybersecurity cyber security defense initiative, you know, they provide free cybersecurity training. Um, you know, the Cyber Readiness Institute, it's founded by the Center for Global Enterprise, I believe they they do the same. They provide free security training. Think specific to health care. Dhs, you know, has set up their own Cyber Security Coordination Center. And then Health Care Information Management System Society Himms has great resources, but with all of that, I think it's, you know, it's important to sense, sensitize all that the resources and kind of refine the plan so it fits your organization. I think a lot of times there's a lot of great material out there templates, you know, but you can almost be overwhelmed by the amount of that information, especially when you've got a kind of. You know. Fine tune it. And so it fits your organization. You know, that's that's obviously important.

Brian Selfridge: [00:26:41] Well, we appreciate that that list, at least as a place to start, and then we can get on refining that down into something, something useful for our own entities. And I love the anecdote you mentioned around posing the question back to the business. You know, we can come to the table with all these standards and ideas and procedures, but ultimately a lot of it comes down to how the business wants to handle the situation, and that's probably half the battle, just getting them engaged in that conversation.

Patrick Hinnant: [00:27:08] Absolutely. Absolutely. And I've had some success and not so much in others.

Brian Selfridge: [00:27:15] Well, that's that's that's probably the state of state of affairs for some time to come, as is moderate success where we can responding to incidents and and work through the challenges otherwise. That's another that's well, that's the other route, yeah, that's that's what there's some organizations and leaders I'll talk to. It's always surprises me. They'll say, Well, we have so many incidents the hard way that we don't need to create an incident response plan or do tabletop exercise. I'm like, I don't know I would. I would want to do a little bit of both myself.

Patrick Hinnant: [00:27:45] No, absolutely. I had in the past, you know, in previous organizations, told people, you know, we do a lot of things well, we just don't document it well, you know, so. We kind of thrive off of the tribal knowledge and and so, you know, again, eventually that's going to it's going to come back to bite you.

Brian Selfridge: [00:28:07] Absolutely. Well, Patrick, I want to thank you so much and the interest of time. I think we'll we'll probably wrap up here and had some great insights for you of your experience over time. And we appreciate you sharing that with with our audience. And I want to thank my guest today, Patrick Hinnant, who is the director of IT Operations, Facilities and emergency management for Trillium Health Resources. Thanks so much for talking through business continuity and emergency preparedness with us. We've learned a ton and I suspect our audience has as well. So thank you so much, Patrick. Really appreciate it.

Patrick Hinnant: [00:28:39] Thank you, Brian, I really enjoyed I really enjoyed the discussion today.