This essay has been submitted by a student. This is not an example of the work written by professional essay writers.

Disaster Recovery Plan- Cardinal Health, Inc.



In a fast-paced data-driven environment, organizations can continue to operate only when other forces are under control. However, external or internal issues continue to evolve. Disaster is one of the common issues that every other organization faces consistently. It might be a sudden fire, hurricane, flood, or any cyber attack. Usually, cyber-attacks are more rampant in this digital world. The impact of a cyber attack is devastating. Consequently, firms shut down or bear a loss of millions as it affects the basic infrastructure and operational units. A large business can use resources and time to rebuild the infrastructure, or it can develop a Disaster Recovery Plan and include the response team to manage and prevent such intrusions. In this paper, a large organization operating in the healthcare industry shall be selected. The need for developing the plan shall be outlined. Following that, the DR plan would be created and presented to the company’s executive board. Lastly, the probable outcomes shall be analyzed, and the success rate shall be anticipated.

History /Background of the firm

Cardinal Health, an America-based healthcare organization, mainly offers pharmaceutical and medical services or products. It operates within the American pharmaceutical industry. It is a public company, and it serves customers worldwide. It was founded in 1971, and the present headquarters is in Ohio, US. It operates across 100,000 locations, and therefore the organization can be exposed to threats and disasters (, 2020). It also manufactures surgical products such as surgical apparel, gloves or fluid management items. In the US alone, the organization offers medical products to more than 75% of clinics and hospitals. The operating income of the firm is US $126 million as of 2018, and the company possesses total assets worth $39.95 billion. As of 2018, approximately 50,000 workers are employed at Cardinal Health. The company has been subjected to various controversies, including restatements and FDA action. Since the firm operates in the pharmaceutical industry, it has an added responsibility to reduce the probability of incidents so that the impact on operations can be minimized. The organization is vulnerable to cyberattacks, and a cybersecurity breach would create havoc for the firm.

Figure 1: Company logo

(Source:, 2020)

Determining the need for developing a DR Plan

The landscape of cybersecurity has been evolving at a faster rate. Cardinal Health operates in the pharmaceutical industry, and it holds sensitive digital assets that ensure the smooth running of the firm. The DR plan would be effective because cybersecurity breaches can be potentially damaging. The company has critical systems, and a disaster is likely to damage the resources along with people’s hours or funds. As per the Data Breach Study of Ponemon Institute, 2018, data breaches cost approximately $3.86 million to companies in the US. The global cost has also risen by 6% from 2017 to 2018 (Wiboonratr & Kosavisutte, 2009). Again, Cardinal Health is an organization that provides medical products and services after gathering data related to drugs. The information might be patented. The information is also sensitive, as well as valuable. It is vital to protect information related to advances in the drug types and technological inputs necessary to control the effects of the drug. Any cybersecurity breach is likely to affect a consumer’s trust and erode the patient’s perspectives (Lozupone, 2017). The need of the hour is to build a comprehensive strategy that would be effective in safeguarding the digital assets of Cardinal Health.


The companies that are less likely to prioritize a comprehensive and flexible DR plan are more likely to leave sensitive data in a vulnerable state. Cybersecurity attacks occur against pharmaceutical companies because the hackers are interested in stealing intellectual property. This can lead to revenue loss, along with litigation and lawsuits. The costs of clinical trials go in vain, and consequently, the brand image is affected. Hackers target these companies because they store valuable data online due to the increasing trend of digitization. After the data is stolen, it would be sold on the dark web. The hackers would get access to critical documents related to patient information and trial results. Therefore, Cardinal Health is supposed to solve the issue by taking the incident response approach. In this manner, the company can target unauthorized users after they are discovered. The IP addresses and malware, along with domain names, can be considered for forensic analysis (Bandyopadhyay, 2000). The company can even determine the reasons for the occurrence of the disaster. The gaps in security can be identified, and computers, along with network systems, can be further secured. The DR approach would be effective only when personnel dedicate their expertise to implementing the plan.

Figure 1: The elements of a DR plan

(Source:, 2020)

The DR Plan

A business requires an applicable DR plan in order to secure its operations after encountering a disaster. Notably, technology, people, and processes are valuable components that are vulnerable to threats and attacks. A basic DR plan shall be prepared for Cardinal Health so that catastrophe and business-breaking elements can be minimized. As a large organization, it should have already set up a DR plan to ensure the safeguarding of its digital assets. The plan is a document that would be presented to the management department, and the executive members shall be given a brief overview of a workable approach. As the organization operates in the drug industry and a new DR plan would be created, it is vital to incorporate simple steps only. The following steps must be incorporated into the plan:

Creation of an emergency response plan- The first step would be developing a response plan that would include employees. The purpose is to create awareness among the employees regarding their duties and responsibilities in case of an emergency. Employees have the responsibility to prevent the loss of inventory, assets, and any sensitive property-related information (Stephens, 2003). Within the emergency plan, information regarding the following shall be presented- “Who to contact,” “Where to contact,” “What order should be followed,” etc. It must be included as a protocol. Once the protocol is decided, it would be easier to assign responsibilities. Most importantly, training sessions should be part of the response plan.

Development of a BCP – A Business Continuity Plan, alternatively known as the BCP, can be created to resume the operations of the organization. The components of a BCP are BIA or Business Impact Analysis, Recovery Strategies, Plan Development, and Testing. In the case of BIA, the organization is supposed to conduct an analysis of the impact of the disruptions. Disruptions occur due to multiple reasons, and it is vital to consider the timing of the disruption. Secondly, the recovery strategies must be created to lessen the severe impact of a disruption. For example, the organization can consider strategies such as data backups, the creation of duplicate copies of vital records, and remaining in touch with third-party providers because they provide relief services during emergencies (Sommer, 2013). Following that, a BCP involves plan development. In case of loss of infrastructure, it is necessary to assign responsibilities to the team members and codify recovery procedures. Lastly, testing on a consistent basis would ensure business continuity. It can help the incident response team to identify the gaps and weaknesses in a plan.

Conducting a review of the organization’s insurance coverage- Cardinal Health is a reasonably large firm, and it must possess a relevant insurance coverage plan. The insurance plan would ensure safety from the disaster. A review of current policies can be conducted so that gaps in insurance coverage can be mitigated. For instance, the company might encounter a range of indirect costs associated with a sudden disaster. The insurance coverage is supposed to ensure sufficient coverage. Costs associated with physical damages can be covered within the insurance coverage. It can be recommended that the company consider purchasing add-ons, as they can cover damages outside the premises such as threats to suppliers.

Creation of essential supply kits- A stock of essential supply kits would be effective because employees need to grab the kit in times of emergency. The company must be willing to invest in high-end backup systems. The backup systems would ensure the smooth running of the business, and they can act as a secondary source of communication and power.

Documentation of vital contact information- Most organizations wait until the occurrence of a disaster before compiling vital contact information of key personnel. However, to be on the safe side, Cardinal Health must consider identifying the key personnel first and then creating a contact list. The list must include key people such as the database administrator or incident response team members, along with local agencies that offer emergency management services. The contact information of major clients, insurance agents, lenders, suppliers, customers, and representatives of the insurance company must be included in the list. They are likely to offer support during emergency events.

Creation of an effective communication strategy- Communication is the source of all operations in a business. A strong communication strategy involving the clients and customers regarding business states and conditions must be created (Medina, 2016). Social media channels can be an effective way of forming a secure communication and bonding with clients. Again, newsletters can be used, and high-tech communication must be maintained with customers and clients.

Discussion on logistics with the suppliers- The vendors and suppliers of the organization can be severely affected in case of any disruption. It can either be a physical disruption such as fire or theft, or it can be a significant cyberattack. The disruption would hamper the entire supply chain of the firm. Hence, they must be informed beforehand. This, in turn, would help them to prepare for the disaster. Again, communication at both sides of the supply chain and identifying the backup options would ensure the running of the business (Haight & Byers, 1991). The satisfied clients would not consider any alternatives to the firm.

Creation of duplicate data and backup records- The sensitive contracts, documents and records must be up-to-date so that the organization can develop a duplicate copy. The copy can be kept at off-site locations such as within a secured cloud environment or any deposit box. Apart from cyberattacks, it is common to encounter hardware failure. In that case, the organization must consider creating a BDR or “Backup and Disaster Recovery Solution”. The purpose of BDR would be keeping the data safe. It is possible by providing continuous backup along with constant data restoration services with the help of the cloud.

Hence, the plan would be effective because it has considered various resources, including financial and human resources that can be integrated in a comprehensive manner. Ideally, the organization should also consider the expert advice of a disaster recovery consultant. It would save time and resolve fund issues. Funding issues might occur because modern-day cloud-based services can be costly. Even after deploying the services, the organization cannot ensure disaster prevention because expert knowledge and application are required to ensure business continuity.

Anticipated outcomes of the plan

It can be anticipated that the organization is bound to experience downtime and data loss once the corporate network is affected due to the disaster. The above-created plan can be beneficial because it shall resume operations quickly, and interruptions can be reduced as well. IT recovery is sufficient as the organization can ensure the continuity despite the circumstances and failures. A list of anticipated outcomes of the proposed DR Plan has been outlined-

  • Enhanced knowledge of scalability- The developed plan might enhance the scalability because it is providing innovative solutions. For instance, the cloud-based technology that ensures safe backup storage can enhance the overall effectiveness of the organization (Schulman, 2004). The creation of an off-site data center would increase the flexibility within the firm. In case a disaster strikes, the off-site data center would meet the technical demands of the firm. It is a kind of storage solution for the organization.
  • Customers can be retained- Since the firm operates in the pharmaceutical industry, it is vital to gain the trust of the customers because they are relying on the medical products and services of the organization. It is common for customers to demand reliability as well as perfection. Hence, in case of downtime and failure, the business can meet the customer expectations by quickly resuming the services. The emergency response plan would play a vital role in this regard. After implementing the plan, the organization can ensure greater service quality. Along with customers, the suppliers can be retained as well. Client enterprises would be safeguarded, and the organization can avoid a loss of reputation or cyber security-related controversies which it previously faced.
  • Enhancement of employee efficiency- In this plan, the importance of delegating the right responsibilities to the right people has been mentioned. Therefore, the role assignment would enhance the productivity levels of team members. It also implies that at least two team members are capable and trained enough to conduct the same task. In case an expert of the DR team is unable to attend the site during an emergency, it is necessary that another equally qualified member can take his/her place. It also implies that cross-training is vital for the employees. Cross-training must be a vital part of the DR strategy because it will enhance the integrity of the firm.
  • Cost-saving strategy- Since the DR strategy highlighted the importance of transferring data to cloud services, it might be anticipated that the cost of funding would be high. However, the opposite might occur because detective and corrective measures would allow the organization to stay calm in the aftermath of a probable disaster. After running an analysis of the probable threats and maintaining the IT-based systems at an optimal condition, the organization would ensure reduced maintenance costs of these systems. A major shift has already occurred because organizations are realizing the significance of data management only on cloud systems. The real benefits are low cost for archive maintenance and development of comprehensive and integrated backups.


The purpose of creating the DR plan is to ensure disaster prevention at all costs and under all circumstances. Nevertheless, it can be concluded that a flexible approach is vital for ensuring the success of the plan. In this paper, the case of Cardinal Health has been considered. The organization is operating within the pharmaceutical industry and cybersecurity risks are rampant. Sensitive data of clinical trials and customer-related information can be easily hacked and uploaded to the dark web. Therefore, a DR strategy or plan has been suggested along with anticipated outcomes. It will be shown to the executive members of the firm and it is anticipated that proper implementation and documentation shall improve the scope of the plan. The organization must not tolerate downtime after a certain threshold. Overall, it can be suggested that despite the presence of cloud-based platforms, failures are likely to occur. Here, an effective communication strategy would be effective as noted in the plan. The stakeholders such as employees, customers and suppliers must also participate in post-disaster recovery.



