Disaster Planning Your Health IT

Andrew Gettinger, M.D. and Justin Cross M.D. | September 4, 2018

September is National Preparedness Month, which makes it the perfect time for clinicians and healthcare entities to consider what would happen if their health information technology (health IT) systems are unavailable or in some way compromised. This issue has become more important over time as healthcare is increasingly dependent on technology and a growing percentage of the workforce have never practiced without health IT and may not know what to do if their systems or information are unavailable.

Unfortunately, the reality that an organization’s health IT systems will become unavailable or compromised is a matter of when, not if. In some cases this may be due to natural disasters that extend the loss of electrical power, or massive flooding that takes essential servers offline. (In some cases a natural disaster will simultaneously cause patient admissions to spike.)  In other cases the downtime may be due to a bad actor such as a malicious attacks. Sometimes it’s simply a hardware failure that causes a chain reaction of failures. Regardless of the reason, the needs of patient care must continue.

The most important thing that an organization can do to mitigate the potential impact to patient care and normal workflows is to practice what to do if such an event occurs (The Centers for Medicare & Medicaid Services issued a regulation in 2016 requiring adequate planning). Drills, preparedness exercises, and training that focus on how the organization will continue to provide patient care during health IT downtime (likely using electronic or paper-based backup workflows) should be practiced. The organization should also drill how to resume normal health IT-based operations once the downtime passes, and how to integrate all data orders generated during the downtime.

Federal government agencies maintain Continuity of Operations Plans, which ensure that they can continue mission essential functions during a wide range of situations. Business continuity plans in large organizations are similarly aimed at planning for alternate workflows that allow organizations to continue business activities. This mindset should be adopted by healthcare organizations with a mission to provide patient care at all times.

There are numerous tools and resources available to healthcare organizations as they plan their contingencies and backup operations.  To help organizations comply with the HIPAA Security Rule, the Office of the National Coordinator for Health Information Technology (ONC), in concert with the HHS Office for Civil Rights (OCR) created a HIPAA security risk assessment tool.  This tool contains a series of helpful questions for an organization, from a preparedness standpoint, to ensure the availability and integrity of electronic patient health information.  The technical safeguards portion of this tool provides the user with a series of questions and recommendations relating to access and availability of electronic patient data during emergencies.

Another resource available to healthcare organizations is a series of ONC tools known as SAFER (Safety Assurance Factors for Electronic Health Record (EHR) Resilience) guides.  These interactive guides are meant to help organizations perform a self-assessment of their health IT systems to optimize them from a patient safety standpoint. One of the guides, Contingency Planning, is focused on recommendations to aid an organization during periods of health IT downtime, and includes guidance ranging from ensuring the presence of backup generators with adequate fuel, to the proper training of employees on ransomware prevention strategies.

Workforce readiness should also be considered a part of an all hazards approach to preparedness. This is critical to ensure that both volunteers and healthcare professionals are identified, credentialed, and properly pre-authorized to access an emergency system that can grant access to patient health information.  Many states have systems in place to coordinate volunteers to serve in the event of a disaster, including first responders and healthcare workers. By maintaining a disaster volunteer system and an emergency electronic authorization policy, these volunteers can quickly be given access to systems that connect them with patient’s health information. One example of this is the Patient Unified Lookup System for Emergencies, or PULSE, system, available in California and now accessible to other communities and states.

It is critical that healthcare facilities and institutions have a system downtime plan and a backup and recovery plan for their health IT systems. Healthcare facilities must regularly practice operations in a simulated downtime environment to be ready when a situation occurs.

Just as importantly, healthcare institutions must have training, backup and recovery plans for patient data contained in electronic health record and other clinical systems. This should be operational in both disaster-related system failures and malicious attacks. Institutions must regularly perform system backups, regularly test the recovery procedure, and preferably employ offsite backups to protect against total loss in case of the facility’s structural loss.

While it is likely that an organization will face one or a combination of the challenges described above, planning, communication, and adequate practice and training can lessen the impact and allow the organization to continue its mission of providing care for those that need it.