Hospitals and health systems across the country have been returning to paper medical records during IT outages caused by the unceasing number of cyberattacks plaguing the industry.
While IT executives say the best way to prepare for a hack is prevention, health systems must also plan for potential downtime procedures when EHRs are offline. Here are tips for how to do that, four leaders told Becker's:
Erik Decker. Chief Information Security Officer of Intermountain Health (Salt Lake City):
— Stand up incident command, based on your existing hospital incident command structure, ensuring your command roles are well understood and assigned (review the Operational Continuity Cybersecurity Incident checklist for assistance).
— Ensure the incident commander is the right operations leader, depending on the type of outage underway.
— Meet regularly, ensuring communications reach all levels of caregivers involved in altered procedures necessary to ensure safe and effective patient care.
— Ensure logistics and resources are available to support being on paper, which can include labor and non-labor resources.
— Prepare for external communications so patients are aware of differences in processes but assured no difference in care.
Scott MacLean. Board Chair for the College of Healthcare Information Management Executives: Downtime plans ought to be written by clinical operations leaders: nurses, physicians, people working the inpatient and outpatient operations. We hear regularly about how physicians these days don't know how to write a paper order. If it's 15 or 30 days, you need to know how to do paper orders.
I heard an example of someone who couldn't read the handwritten prescription so they had to call back and verify with the ordering physician: "What is it you're actually trying to order here?" So obviously this is a big deal in terms of efficiency, complexity and safety.
Many hospitals have toolkits they'll break out for planned or unplanned downtime that have paper order sheets, so being able to drill that occasionally so the various clinicians and other contributors in the inpatient and ambulatory space know what to do when this happens.
Shefali Mookencherry. Chief Information Security Officer of UI Health (Chicago):
— Keep paper copies of the downtime, incident response plans, disaster recovery plans, emergency operations plans, and business continuity plans.
— Have a large supply of varying sizes and colored Post-it notes, flip charts, and construction paper. These can come in handy when working through many workflow changes.
— Keep a paper "forms" binder at least with the risk management office. This binder would contain vital and critical paper forms needed to provide care and communications such as a phone directory of essential workers and relevant authorities. Include paper copies of various informed consents and critical contracts for critical systems. One form that stands out is the paper prescription script. A challenge an organization might have with paper scripts is training newer clinicians or physicians on how to write in the appropriate information as most of these processes today are electronic and clicks away.
— Keep a paper "policies" binder to ensure critical operations are addressed and policy on paying or not paying ransomware attackers, should a guidance or reference need to be made.
— Have paper downtime instructions for ordering supplies, billing operations, and payment collections.
— Have a paper list of stores nearby that can provide equipment needed such as laptops, pagers, phones, portable radios, and other devices.
— Have a VoIP [Voice over Internet Protocol] line(s) as a contingency plan for loss of emails and voice communications.
— Have a paper list of trainers and educators who can help facilitate downtime procedures.
— Have a paper copy that documents how the organization can manage access points if CCTV [closed-circuit television] cameras, motion detection, alarms, and badging are impacted during a cyber event.
— Engage cybersecurity insurance and forensics firms as necessary.
Anahi Santiago. Chief Information Security Officer of ChristianaCare (Newark, Del.): The most important component of clinical preparedness is for the clinicians to understand that typical cybersecurity outages last weeks, not days or hours. Once that is understood, cybersecurity leaders can partner with clinicians and emergency management to conduct business impact analysis and identify critical paths for achieving intended outcomes. Once those have been defined, procedures for extended downtime operations should be created and regularly practiced.