Maintaining Clinical-Care Continuity During an IT Crisis

Healthcare providers have become highly dependent on technology. IT tools can improve patient care, workflow efficiencies and innovation, but they may pose a serious risk if organizations aren’t prepared for unplanned downtime. Given the increase in ransomware and other cyberthreats targeting healthcare providers, it is essential to evaluate and improve readiness for an IT crisis that may take systems offline for an extended period. 

Most providers already have downtime procedures, but often these are outdated or employees aren’t aware of them. In the busy cadence of day-to-day healthcare delivery, it is easy to overlook the need to update these procedures continually to reflect new technologies and processes. As a result, a hospital facing an IT crisis might find that its only guidance comes from a dusty binder or that its employees lack the tools to do their jobs manually. 

Unfortunately, many healthcare providers need to pay more attention to this critical preparation. That’s starting to change as top executives recognize the immense risk that can accompany IT downtime, particularly if it lasts for days or even weeks. When that happens, providers need a robust plan of action that goes beyond typical downtime strategies. Providers shouldn’t rely solely on a backup data center; a cyberattack could penetrate that resource or sever the connection to it. 

For these reasons, healthcare providers must become truly resilient regarding their technology. Here are the steps we recommend for healthcare organizations.

Every hospital is different, with a unique mix of manual and automated systems that support the patient care journey. Consistently, however, one of the most significant weaknesses we see is a lack of awareness of all the links in the chain that may depend on technology. Electronic health records are obvious, but the technology underpinning EHRs and many ancillary systems must be accounted for too; for instance, systems and applications that are unique to specialty areas within the care environment, supply chain, patient registration, or scheduling and finance.

The first step toward resilience is a department-by-department technology assessment. This means understanding which tech tools are involved in everyday workflows and which systems each department depends on. The evaluation should include everything, from EHRs and biomedical devices to the badges physicians use to authenticate their access. 

In parallel with this assessment, we learn about providers’ application resilience, including any procedures they have established for downtime scenarios. This includes binders, training, materials and anything else that might come into play during an IT crisis. For example, if IT systems are down, clinicians could manually write prescriptions or transfer lab orders and results, but they would need specific resources to do so. 

Providers should also know how IT downtime could affect staffing. After all, the appeal of many technology solutions is that they increase employee efficiency. But if a hospital suddenly reverts to manual processes it may require more personnel.

Governance is essential because even if a healthcare organization shores up its resilience today, it must continue to pay attention to this issue. A year from now, the organization may slide back to a vulnerable position if it doesn’t maintain downtime readiness. Building in governance ensures that when providers introduce new technology systems, they have processes to document downtime procedures and include them in ongoing training. 

Often, IT departments schedule systems maintenance at night, so nurses and other employees who work at these times may be more familiar with alternative processes. But it is essential to provide training to everyone who might be affected by unplanned IT downtime.

As the need for technology resilience in healthcare has become more evident, boards of directors are paying closer attention to the risks for organizations that are unprepared. More boards are posing the question to their executives: How many days can we survive without technology? (That question is often followed by another: How much will it cost?)

Some providers partner with an expert to help them mitigate risk more quickly. Others take an incremental approach by reducing risks over time. In either case, the goal should be to understand technology dependencies, assess and increase resilience, and establish proper governance going forward.

Story by Eli Tarlow, a Healthcare Strategist as part of the CDW Healthcare team. In this role, Eli partners as a strategic advisor to healthcare IT executives across the country, assisting them in taking advantage of the best technology solutions to improve clinical outcomes, patient experience and their unique organizational strategic initiatives. Prior to joining CDW/Sirius, Eli served for many years as a CIO at various healthcare organizations, including Bellevue Hospital, Brookdale Hospita, and Metropolitan Hospital as well as other long-term care facilities and diagnostic and treatment centers.