by Sarah Bush, MBA, CPHRM
Headlines about cyberattacks in health care have become commonplace, and risk management professionals and providers receive cybersecurity alerts and updates almost daily. According to the U.S. Department of Health and Human Services, health care data breaches have consistently trended upward from 2012-2021 and have doubled in a 3-year period. Given this trend and the negative impact it can have on patient safety and risk financing, it is imperative that risk management professionals are prepared to act appropriately and quickly should their organization become the victim of a cyberattack. In this article, we will review some of the major considerations risk professionals need to be aware of to prepare for a cyberattack.
Cybersecurity Insurance
Reviewing your organization’s cybersecurity insurance policy is an important part of being prepared before a major disruption occurs. Risk management professionals also need to have printed copies of these documents, as well as the insurer's and broker's contact information, in case systems go down. Risk management professionals should regularly review their policy limits and understand what is truly covered should an event occur.
Communication Considerations
When a cyberattack occurs, electronic means of communication will more than likely become unavailable. Email, telephone and internet capabilities may be limited or completely offline; consider whether your phones are VoIP-based (voice over IP) or otherwise internet dependent. Organizations should have an effective plan in place to ensure communication is ongoing. How will leadership communicate with each other? How will staff communicate with patients, families and other departments? How will leadership communicate pertinent updates and information to staff? Suggested solutions include having backup cell phone devices not connected to the organization’s main communication system to ensure seamless communication. Organizations should also consider having backup laptops or tablets available containing the phone numbers and email addresses of leaders across the organization and throughout their corporate headquarters, if applicable.
Patient Census
When an organization’s electronic health record (EHR) and tracking systems are no longer available, accessing the patient census can be a challenge, if not impossible. Risk management professionals should inquire as to their organization’s downtime process to track which patients are in-house and where they are located. For example, does the house supervisor run a daily report containing patient data? Ask individual departments if they have a process of tracking patients daily that doesn’t only involve use of the EHR. Work with your IT department to develop a backup plan regarding the daily patient census should the network experience an outage. This process may include a report being run and/or saved on a backup server that’s not affiliated with the main server. By incorporating a solid and effective backup plan, risk management professionals and their organizations will be prepared to continue patient care should a cyberattack occur.
Supply Chain
Most supply chain vendors operate 100% on electronic platforms. Orders, supplies and par levels are typically calculated and saved through software systems accessible to your supply chain department. Additionally, inventory systems within organizations tend to be electronic as well. Risk management professionals should work with their supply chain leadership to ensure there is a process in place should the network fail. It is important to consider vendor contacts and how to reach vendors should your organization lose access to these software platforms. Confirm your supply chain leadership has a list of your vendors and their contacts so they could easily call them during a cyberattack. Ascertain how the inventory backup system is designed and encourage your supply chain department to run mock drills of their processes (e.g., stocking and restocking) should a cyberattack occur. They should also share their downtime process with all clinical areas to increase awareness and avoid potential care delays.
Medical Residents and Generational Challenges
In 2010, CMS finalized its requirements for the Medicaid Electronic Health Records Incentive Program, which provided incentive payments for the adoption of meaningful use of certified EHR technology. Essentially, most health care organizations have used technology and the EHR to document, treat and care for patients for over a decade. This can pose a generational challenge for those clinicians and employees who have never been trained to write, or have never written, an order with pen and paper. Risk management professionals should make certain that departments are equipped with downtime paper forms that are unit specific, easy to use and contain only pertinent information. These documents should be included as part of the onboarding/training process for all new employees and should also be drilled periodically.
Medical Records
Like most departments throughout health care organizations, Medical Records is not immune to staffing challenges and shortages. In a recent survey conducted by the American Health Information Management Association (AHIMA) and NORC (National Opinion Research Center) at the University of Chicago, two-thirds (66%) of respondents reported understaffing of health information professionals at their organizations since 2021. When a cyberattack occurs, medical records departments feel a significant backlog impact as it pertains to keeping patient records complete and up to date. Staffing shortages add to an already strained system of getting records updated in a timely and efficient manner. This also has an impact on Risk Management, as it may be difficult to get information to defense counsel should a claim arise from a cyberattack. It can also cause increased patient complaints and decreased patient satisfaction. Additionally, cyberattacks increase the chances of health information being missed or a record being incomplete. Prior to a cyberattack occurring, risk management professionals are encouraged to meet with their medical records departments to review the potential impact it may have on patient care and reimbursements, and to review the downtime procedures that will streamline the continuity of health information.
Labor Pool
Although a cyberattack can be stressful, daunting and uncertain, utilizing resources in an innovative way can help keep staff calm and will assist with safe patient care. Initiating a labor pool early will help mitigate safety events and issues. You can optimize your labor pool by assigning roles strategically. For example, runners can replace pneumatic tube stations by delivering paper orders or facilitating communication between units. Non-clinical leaders can assist auxiliary staff with tasks like delivering meal trays, while environmental services staff can focus on maintaining cleanliness in the facility. Additionally, volunteers can be engaged in non-clinical functions such as patient rounding, which can help reduce complaints and keep patients calm.
Emergency Preparedness
Emergency management and cyberattacks in health care are interconnected, as effective preparedness and response are critical to safeguarding patient care during such incidents. The emergency preparedness department and/or committee plays a vital role by developing and implementing plans to mitigate the risks associated with a cyberattack, including but not limited to robust cybersecurity measures, staff training, and incident response protocols. Coordination with IT specialists, law enforcement, and other stakeholders ensures a comprehensive approach to preparing for the crisis before it occurs. By integrating cyberattack scenarios into emergency preparedness plans, health care organizations can enhance their resilience and minimize downtime.
Downtime Procedures
During a cyberattack, downtime procedures are essential to maintaining patient care and minimizing operational disruptions. These procedures involve activating pre-established contingency plans, such as switching to manual documentation for tracking patient care, medication administration, and diagnostic results. Staff should be trained to use downtime tools, including paper forms and alternative communication methods, to ensure continuity of care. Regular backups of critical data are vital, as they enable swift restoration of affected systems once the threat is neutralized. Communication during downtime is crucial; leaders must provide clear instructions to staff, patients and external stakeholders about the situation and response efforts. By adhering to well-practiced downtime procedures, health care organizations can mitigate risks, protect patient safety, and reduce the overall impact of the cyberattack.
Practice Makes Perfect
Health care has unfortunately been a prime target for cyberattacks within the last decade, and there is no indication that this will be slowing down. As Risk Management professionals, we want to be assured that our teams are taking the necessary precautions to avoid disasters and prepare for the worst. Important precautions include developing and maintaining appropriate downtime forms and order sets. Ensure these documents are up to date and are reviewed on a periodic basis. Risk management professionals can perform a quarterly risk assessment to review downtime procedures with leaders and to confirm that staff have been trained and educated on those procedures. Finally, conducting routine mock codes and/or drills will be beneficial in the face of a cyberattack.
ASHRM and AHA offer resources and updates for administration, clinicians and staff at health care organizations of all stripes. Visit https://www.aha.org/cybersecurity for more information.
By taking a proactive approach to mitigate the risks and challenges of a cyberattack, organizations will be equipped with the best defense in keeping patients safe and financial impacts at a minimum.
References
AHIMA. (2023, June). Health Information Workforce: Survey Results on Workforce Challenges and the Role of Emerging Technologies. Retrieved from https://7932134.fs1.hubspotusercontent-na1.net/hubfs/7932134/Whitepapers/Workforce-AI%20Study%20Final.pdf
U.S. Department of Health and Human Services. (2023, February 9). 2022 Healthcare Cybersecurity Year in Review and a 2023 Look-Ahead. Retrieved from https://www.hhs.gov/sites/default/files/2022-retrospective-and-2023-look-ahead.pdf
Kohn, L. T., Corrigan, J. M., & Donaldson, M. S. (Eds.). (2000). To Err is Human: Building a Safer Health System. Institute of Medicine (US) Committee on Quality of Health Care in America. Washington, DC: National Academies Press (US). Chapter 2, Errors in Health Care: A Lead
Sarah Bush is the Sr. Director of Risk Management at Bradford Health Services. She earned her Master of Business Administration degree in health care administration in 2017 and became a certified professional in health care risk management in 2018. Sarah has over 10 years of risk management experience working in both the acute care and substance abuse settings. Prior to working in health care, she was a paralegal working in medical malpractice defense in Maryland, Pennsylvania, and California. She is a board member of AlaSHRM, has served on numerous committees for ASHRM and has most recently become ASHRM Faculty.