By their very nature, hospitals are “always on.” Through tornadoes and hurricanes, multi-car pile ups, and other emergencies, hospitals and health systems are on the front lines of healthcare, ready to triage, evaluate and treat everyone who comes through their doors. But what if access to patient data comes to a sudden halt? How can a facility continue to care for patients in the middle of an organization-wide crisis? Despite circumstances that would shut down other organizations in other industries, hospitals and other care settings are expected to be available 24/7 to help patients in need.
Unfortunately, not every hospital wing or technology system can remain operational 24/7/365. Software systems need updating, construction projects occur in operating rooms and patient areas, new imaging devices must be installed, and much more. Scheduling and monitoring planned downtime for software maintenance and upgrades, facility improvements, and other activities is just as important as preparing for unexpected emergencies that can knock a hospital offline. While downtime systems are important in many industries, they should be critical components of a hospital or health system preparedness plan, and ensure that patient data can be accessed when systems are offline for either planned or unplanned events.
Hospital executives and IT leaders should honestly assess the state of hospital operations and plan for the most common scenarios that can bring IT systems and hospital infrastructure down. A software solution that aggregates critical data on a schedule and distributes information to non-network computers can help hospitals continue to operate in a crisis.
Downtime costs extend well past lost revenue
Depending on the industry, the average hourly cost of downtime is between $320,000 and $540,000. Given the critical nature of healthcare and its always-on status, hospital downtime is likely near the top of this range, not including indirect costs, such as compromised patient safety, reputational risk, and reduction of trust and standing in the community.
Not only is a reliable downtime plan necessary for quality patient care, but it is also mandated for HIPAA and Meaningful Use. Facilities need a software solution that fully satisfies both the HIPAA Final Rule addressing system downtime and Meaningful Use Part Two Core Objective 7. It’s not enough to merely check the planning box; hospitals must ensure downtime reporting needs are met in a safe, compliant way, with secure report encryption and distribution, as well as 100% access to patient information.
While technology is important to ensure patient data is available during an outage, hospitals that ignore the human element to downtime and cyber risks operate at their own peril. A survey from the Information Technology Industry Council shows that 50% of IT downtime can be attributed to human error, which often occurs when staff members don’t follow standard procedures or protocol. More than 80% of breaches involve human error in some way. Staff members can accidentally fall for a spear-phishing campaign designed to solicit credentials, click on a malicious link, or unknowingly make a simple error that opens a security vulnerability.
Any hospital downtime mitigation plan must include a technology element to ensure that records are readily available, but it should also take into account the oversized role humans play in unplanned downtime incidents and cyberattacks.
Cyberattacks remain a credible threat to hospitals
Healthcare data breaches have increased by 250% over the past decade, before leveling off last year with just under 700 breaches. While that might sound like good news, it should be tempered by the fact that more than 51.4 million patient records were breached in 2022. That’s the highest number of breaches on record, in over eight years. The nature of healthcare data breaches also has been changing — and not for the better. Until 2018, hacking incidents accounted for fewer than 50% of all breaches. However, that percentage was nearly 79% in 2022.
Despite the fact that the federal government declared healthcare technology as a “critical infrastructure,” the healthcare industry has topped the breach list for 12 consecutive years, incurring breach costs that are double the norm for financial services. The estimated cost to remediate a single healthcare data breach exceeds $10 million, including detection costs, notification, remediation, lost revenue, and negative publicity.
Practical steps for downtime planning
In order to develop and deploy an effective downtime plan, close cooperation is needed among hospital executives, clinical department leaders, IT staff, and frontline workers. The reporting function is central to any downtime plan. Examples of critical reports include: medication administration records, medication summaries, lab results, census information, rounds reports and clinical notes.
Constant vigilance is necessary to ensure that the plan and software are ready to go when a planned or unplanned outage occurs. Depending on the cause of the downtime, for example an EHR outage, your organization may still be able to rely on the web for access to patient data. However, if there is a widespread power outage and the network is down, consider these four additional factors:
- Determine how downtime computers will work during a power outage. Computers that hold downtime reports should be deployed at key locations to receive encrypted reports on a regular basis. Downtime systems must be plugged into an emergency power outlet attached to a generator or uninterruptible power supply. Check with the hospital plant operations or maintenance team leaders to make sure a device will work when it’s needed most.
- Clearly mark your downtime machines. A stark contrast should be made between “regular” computers throughout a facility and downtime machines. Some organizations place a distinctive mark on downtime machines, such as a large red dot or some other attention-grabbing image or sign. A keyboard of a striking color also can make this distinction. Definitely place a “do not turn off” sticker over the power button so scheduled reports can be added. Every user should learn the location of the nearest downtime system, along with how to log in and retrieve patient data.
- Create an authentication contingency plan for Active Directory (AD) scenarios. If the network/AD is down and cached AD credentials are not an option, users should be able to call a specific help desk number and/or log in with the unit supervisor. After the downtime period ends, the emergency user passwords should be reset for the next use.
- Plan. Test. Learn. Repeat. Much like fire drills and other emergency preparedness exercises, your downtime plan and technology should be tested periodically. A mock downtime drill will familiarize people with the preparedness plans and help identify gaps and deficiencies that may need attention.
It’s never a question of whether a hospital will experience downtime — it’s a matter of when. Adopting the right downtime technology means hospitals can cut costs, reduce stress on staff and mitigate risk of cyberattack by automatically encrypting data to HIPAA standards. Most importantly, advance planning and the right downtime solution ensures that hospitals, despite external circumstances or system failures, can always be counted on to provide quality care.
Photo: Yuichiro Chino, Getty Images
