Having a contingency plan or be prepared?

In risk prevention, I distinguish three levels: understanding the risk, having a plan and being prepared. Depending on the situation, you will either accept the risk or prepare to reduce it. For risks that affect your critical operations, there are no secrets, you have to be ready. I explain how to move from one level to the next.

Take the risk of flooding in your home. The assessment of the risk is simple: “The river is far enough away, there has never been any flooding in my neighborhood. In this case, you rely on the chance that the risk will not materialize. You can also have a contingency plan: “I will contact my insurance company, I have my bills in a drawer with pictures of valuables, I will put sandbags at the front door”. Finally, you can be prepared by testing your plan: do you have the contact information for your insurance company? Where are the sandbags? How will you put the furniture up? You will learn and improve your plan, then you will be truly ready!

To give you some concrete reference points, I will use the example of a sports medicine practice.

Appointments are managed in an online tool. The medical secretary uses the tool for people who make appointments on site or by phone. Therapists have access to the agenda and document their care in medical records.

Step 1 – Become aware of my risk environment

The first step is to be aware of the risk. If this seems obvious, it is not. Our brains are not very good at assessing risk. Thus, improbable but impressive events seem more critical than what could really happen to us. The media highlights certain events. They make sensational stories out of it, which prevents us from identifying the right risks. I am more afraid of being attacked by a shark than of being killed by a mosquito-borne virus. However, it is the second risk that is the most important. In the same way, I am more afraid when the plane takes off than riding my bike in traffic every day, whereas the risk in a plane is very low.

To properly assess the risks, here is what I suggest:

  1. Identify your critical operations
  2. List the tools and processes you use for these operations
  3. From a generic analysis of the risk environment, determine what applies to you.

Remember Ockham’s razor: the simplest solutions are the best. The most obvious risk scenarios are the most likely. Your scenarios should have as few conditions as possible. Otherwise, you will be dealing with exceptions and wasting your time.

In the case of the medical practice, the most critical operation is of course the care and treatment.

No need for a computer to perform the treatments. However, therapists rely on data recorded in medical records to tailor exercises and treatments. The two critical software programs are the medical database and appointment management. The main risks are a disruptive attack (e.g. ransomware) or a leak of medical data whether hosted by them or by their SaaS provider. However, the risk is greater for data recorded locally on the stations.

Step 2 – Document a response and continuity plan

Now that you have a few scenarios of events that could impact your critical operations, you need to decide what to do. Preparing yourself means reducing the risk and its impact if it occurs.

The more time you spend analyzing your context, your operations and deciding what you should do, the fewer incidents you will have. It’s an equivocal situation: if you prepare, you lower your risk level. So, beware of slackening your efforts and thus becoming a victim of a cyber attack.

Once you have identified the risk, what could you do to avoid it, reduce its impact, transfer it, or manage the situation if it were to occur?

When creating your contingency plan, you will need tools and solutions. Of course, you will have to put them in place. It’s good to know what to do, but it’s even better to have the means to do it. Your plan will combine incident response, recovery of your IT systems and continuity of operations.

Here is the minimum emergency plan for our medical practice

To prevent data loss, the medical secretary makes a backup every night and stores it in a locked drawer. He also prints out the next day’s appointments just in case. Therapists keep their paper notes, and make weekly backups of their medical records, also on an external drive. The goal is to be able to restore data in case their system is compromised.

Step 3 – Simulate an incident

Theory and practice are often very different. It’s good to have a plan, but it’s even better to test it. Things rarely go according to plan, and it’s not as pleasant to find out in a crisis. There are several ways to test your plan.

You can perform a partial simulation. In a planned way, you use one of the backup solutions you have planned. This is useful when you are implementing a new tool, such as an emergency communication channel external to your IT environment. Testing at the time of installation is ideal to ensure that it is working properly.

You can organize a simulation according to one of your scenarios on your own, or have someone support you. From your scenario, you imagine the events unfolding and put the emergency plan in place. For more realism, you can voluntarily interrupt some of your equipment.

Finally, the most formative solution is the unprepared simulation. It is the same principle as the fire alarm. When it goes off, very few know if it’s a drill or a real evacuation. You launch the scenario, informing the least number of people as possible. I advise you to have someone support you for this type of exercise. You don’t want a simulated incident to turn into a real disaster!

Obviously, the operational impact is greater, but it is also more formative. No one knows if it’s a real attack or a drill, and you’ll detect gaps in your contingency plan faster. This investment will greatly reduce the downtime of your IT environment in the event of a real incident.

Here is an example of the medical practice’s emergency plan test.

One Sunday, the therapist, who set up the systems, tries to restore a backup. Unfortunately, she can’t do it. She looks for, but does not find a solution. In addition, she realizes that not everyone backs up as often as they should.

Following the exercise, she improves the contingency plan. With the vendor, she documents and tests the medical database restoration procedure. She notes the contact information of people who could help. Since she is not always the first one in the office, she prepares reflex cards, which she places next to the alarm. She informs everyone and reminds them of the risks and their responsibilities.

Finally, she plans to test again in a few months, but this time she will do an unprepared simulation, to check the reaction of her colleagues.

Take small steps forward

With this three-step method, you’ll be ready. Knowing your critical operations is the basis for informed decisions. It’s better to be prepared than to have an untested single emergency.

Take one step at a time: there is no right or wrong way to do it. You can do the whole process, but focus on one area or activity. The important thing is to be aware of your situation and to take concrete actions to preserve the continuity of your activities.