• Politics
  • Diversity, equity and inclusion
  • Financial Decision Making
  • Telehealth
  • Patient Experience
  • Leadership
  • Point of Care Tools
  • Product Solutions
  • Management
  • Technology
  • Healthcare Transformation
  • Data + Technology
  • Safer Hospitals
  • Business
  • Providers in Practice
  • Mergers and Acquisitions
  • AI & Data Analytics
  • Cybersecurity
  • Interoperability & EHRs
  • Medical Devices
  • Pop Health Tech
  • Precision Medicine
  • Virtual Care
  • Health equity

Tech outage fallout: Hospitals need strong response plans when systems go down

News
Article

Health systems delayed appointments and procedures due to the disruption. Hospitals need procedures for serving patients when the worst happens.

The worldwide computer outages that affected hospitals this month illustrated how vulnerable health systems are in a connected world.

While hospitals have dealt with cyberattacks, this disruption was triggered by a faulty software update from CrowdStrike, a cybersecurity company. Since CrowdStrike is used in Microsoft Windows, businesses worldwide faced major problems.

Some hospitals didn’t have access to electronic health records and postponed appointments and surgeries. Thousands of flights were canceled or delayed due to the outages.

The disruptions also underscored another important lesson: Hospitals must have robust response plans and procedures for operating when key computer systems aren’t available.

Cybersecurity experts say the CrowdStrike debacle should be a warning sign for hospitals to review their response plans, and revise them if necessary.

Steve Cagle, CEO of Clearwater, a cybersecurity firm, tells Chief Healthcare Executive® that hospitals have made strides in developing plans for network disruptions. But he says there are some mistakes hospitals are making.

“What we have seen, unfortunately, in the past is a lot of these response plans are created and then may or may not be tested,” Cagle says.

“So it's important to keep those incident response plans up to date, to contemplate different types of scenarios that may occur, to exercise those response plans, very important against those scenarios, and then to learn from that experience, and then make further updates,” he says.

In the wake of the CrowdStrike disruptions, John Riggi, national adviser for cybersecurity and risk for the American Hospital Association, urged health systems to use the opportunity to identify downtime procedures for live-saving and mission-critical technology. He also suggested hospitals should test their emergency plans and communications channels.

(Watch part of our conversation with Steve Cagle in this video. The story continues below.)

Business continuity plans

Some hospitals may have developed a response plan a few years ago, but haven’t made modifications to it, such as key leaders leaving the organization or the addition of new technologies.

Health systems need to design response plans that can be deployed at the worst possible time, such as an attack early in the morning or over a weekend. Plans should also include multiple contacts and backups, just in case some top leaders can’t immediately be reached.

“What if somebody is on vacation? What if somebody is not available? Who's next in line to make those decisions? I don't think people are thinking about that all the time. Because at two o'clock in the morning, it's not always easy to get people, so you have to have a chain of backups that are going to be available. And so yeah, I think that's a big challenge,” Cagle says.

Hospitals also need to have robust business continuity plans, he adds.

“The business continuity plan should be informed by a business impact analysis,” Cagle says. The analysis should include an assessment of how different technologies support key business processes, and the impact if those technologies aren’t available for some time.

Some hospitals also fall short in their response plans by planning for outages that last for a short time, rather than developing contingencies for being without key technologies for longer periods.

“That's an area that we've seen a lot of challenges, because when these types of assessments and incident response plans and business continuity plans are created, a lot of times organizations don't think about being down for long periods of time, extended periods of time,” Cagle says. “And it's one thing if you're down for a few hours, right? You might be able to live off or survive off of these backup procedures, maybe with minimal impact. But what happens if now you're down for days, weeks, maybe even over a month?”

The Ascension health system encountered such a scenario when it experienced a ransomware attack in the spring. Some hospitals were without access to their electronic health records for weeks, and some appointments and surgeries were delayed.

The Joint Commission has released guidance for hospitals and health systems in dealing with cyberattacks and developing response plans. The commission stresses that providers should develop continuity plans to deal with key systems being down for weeks.

“Organizations should be prepared to have life- and safety-critical technology offline for four weeks or longer,” the commission suggests.

Hospitals also need to develop contingency plans if they manage electronic health records from a central location, and if disruptions are occurring at multiple hospitals.

The Joint Commission also suggests hospitals should assemble multidisciplinary teams from across the organization to develop response and continuity plans. Those teams should include leadership, IT experts, hospital emergency managers, nursing, pharmacy, operating rooms, and food services, among others.

Think about vendors

Hospitals should also look at revising response plans if they work with a new vendor who adds a new technology to the system, Cagle says.

Health systems should be in regular contact with their vendors to gauge their vulnerabilities, and offer to work with them to address any issues.

And hospitals should also have a response plan if a key vendor that provides essential services is having problems. Hospitals and medical groups nationwide were disrupted by the Change Healthcare cyberattack, because the company handles so many business functions for providers, from billing to pharmacy services.

“It's not only your organization,” Cagle says, adding, “What if you have a vendor that's down for an extended period of time?”

Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, told Chief Healthcare Executive® in a February interview that response plans should be crafted with expectations that attacks or disruptions could occur when there is limited staffing.

“Attackers follow our holiday calendar,” Steinhauer says. “They know when we're asleep, they know when we're celebrating Christmas, and they plan their attacks around those times on purpose.”


Recent Videos
Image: Johns Hopkins Medicine
Image credit: ©Shevchukandrey - stock.adobe.com
Image: Ron Southwick, Chief Healthcare Executive
Image credit: HIMSS
Related Content
Image credit: ©Gajus - stock.adobe.com

As hospitals close obstetric units, maternity care deserts become more common

Ron Southwick
September 13th 2024
Article

More Americans are having to travel outside their communities for their care during pregnancy, according to a March of Dimes report.

Image: CHE

Rural hospitals are struggling, but they can be helped | Healthy Bottom Line

Ron Southwick
July 11th 2024
Podcast

In the latest episode of our podcast, Jay Anders of Medicomp Systems talks about the difficulties facing these critical providers, and how technology can make a difference.

Image credit: ©drazen - stock.adobe.come

Hospitals improve in patient safety, even compared to pre-pandemic levels: Study

Ron Southwick
September 12th 2024
Article

Health systems made strides in safety and quality measures over a five-year span, according to an analysis by Vizient conducted for the American Hospital Association.

How a small Texas hospital upgraded its technology | Data Book podcast

How a small Texas hospital upgraded its technology | Data Book podcast

Ron Southwick
June 20th 2024
Podcast

In the latest episode of our podcast, we talk with Lynn Falcone, the CEO of Cuero Health in Texas. She talks about moving to a new electronic medical record system, cybersecurity and much more.

Image: Ohio Nurses Association

Two Ohio hospitals slated for closure get new ownership

Ron Southwick
September 12th 2024
Article

Insight Health Systems is slated to take over Trumbull Regional Medical Center and Hillside Rehabilitation Hospital. Steward Health Care planned to close the facilities later this month.

Images: The White House, National Archives

Kamala Harris-Donald Trump debate: What they said about healthcare

Ron Southwick
September 11th 2024
Article

The vice president and former president engaged in heated exchanges over abortion and the Affordable Care Act during their debate in Philadelphia.

© 2024 MJH Life Sciences

All rights reserved.