Downtime: How to Respond When Third-Party EHR Systems Fail

By: Raj Shah, Esq., Baker Swain

As more healthcare providers have gone online with medical records and implemented electronic health record systems with third-party vendors, it’s vital they understand the risks that accompany electronic data exchanges. One important risk to prepare for is downtime — when your system cannot be accessed. It’s important to have a downtime policy and procedures to ensure that your practice can still provide quality patient care and protect itself from cybersecurity risks. 

Recommended Actions
  • Evaluate your practice’s existing cybersecurity system each year and confirm that the EHR vendor you’ve chosen does not create vulnerabilities for your practice.
  • Before choosing either an off-site or on-site backup system, consult with at least two other providers to vet the system.
  • If using a paper backup system, routinely update paper backups and ensure that all staff members know where to find and how to use these backups in the event of a disruption.

Most healthcare organizations have switched from paper medical records to electronic health records (EHR). But what happens when you cannot access your EHR or other network systems? The average system downtime[1] costs a healthcare organization $7,900 per minute. Downtime can compromise patient data and disrupt patient care. Common causes of downtime on third-party EHR systems include cyberattacks on the EHR vendor, software malfunctions, hardware malfunctions and Internet connectivity problems.

Healthcare organizations are required by the HIPAA Security Rule to have a contingency plan to continue patient care delivery in the event of a system downtime, whether caused by their own IT system or by a third-party system.

This article describes how healthcare organizations should respond during EHR downtimes and provides best practices on how to mitigate the extent of downtime caused by a third-party vendor or IT system provider. This article is intended for small physician practices that may not have an internal IT department.

What to Do When Electronic Healthcare Record Software Goes Down

System disruptions due to service downtimes can be frustrating, especially in healthcare. Having a plan in place, though, can alleviate panic and provide actionable steps to begin resolving the problem.

First, healthcare organizations should communicate with staff, executives and necessary third parties about the downtime. During EHR downtime, communication is essential for a quick and efficient response. In preparation for downtime, healthcare organizations should designate a point of contact for internal and external communications. That person's primary responsibility is to run a call command center from which status updates go out to clinical staff and other necessary personnel for the duration of the downtime. Responsibilities may also include notifying vendors. Because the EHR and the e-mail or messaging systems that depend on the same network may be down at the same time, the plan should record a contact method (such as personal mobile numbers) that does not rely on the affected systems.

Best Practices for Responding to EHR Downtimes Caused by a Third Party

1.   Create and implement an incident response downtime plan for electronic health records.

An incident response plan is crucial to responding to EHR downtime. Without a strong incident response plan, a healthcare organization can be nonoperational for days, weeks and even months. To create a good incident response plan, healthcare organizations should ask the following questions:

  • Who is in charge of managing the incident? 
  • Who is the point of contact for internal and external communications?
  • What are the roles and responsibilities of each person on the response team?
  • Is there a plan for short-term downtime (e.g., a few hours)? For an extended downtime (e.g., several days, maybe even a week)?
  • Is there a plan for every kind of downtime caused by a third party (e.g., internal and external EHR downtime)?
  • If the EHR downtime results from a security incident, does the incident response plan include other policies and procedures such as responding to a cyberattack?
  • If the downtime results from a security incident, what vendor is available to conduct a forensic investigation? 

Sample incident response plan templates can be found in the MagMutual Cyber Center. (All PolicyOwners have access to the Cyber Center. These instructions describe how to access it if you don’t already know how to do so.)

After answering those questions in the incident response plan, the incident response team should list the circumstances that may lead to short-term disruptions in patient care. EHR downtime caused by a data breach requires a different response from downtime caused by a hardware failure or a connectivity problem, so the healthcare organization should develop a separate checklist of action items for each kind of downtime that staff can use.

Healthcare organizations should routinely run practice drills for each kind of downtime. Drills can simulate specific outages, such as EHR downtime in certain departments or certain portions of the physical space losing their IT systems. Healthcare organizations should also involve third-party vendors in these drills, especially drills involving EHR downtime. After each drill, the organization should assess and evaluate how it went, and future drills should focus on the weaknesses found in the incident response.

Healthcare organizations should institute an EHR downtime plan for transferring information captured on backup systems (such as paper records) back into the EHR. This step comes at the end of an outage, once the EHR is available again and the documentation recorded on paper must be reconciled into the electronic record. Organizations should also regularly test and maintain backup systems by drilling how to access and restore them when EHR downtime occurs; a backup that has never been restored is an untested assumption, not a recovery plan.

For outages that happen because of a data breach, healthcare organizations should retain outside counsel as soon as they are notified of the breach. Having legal counsel at the beginning of the process will help the organization strategize how to contain the breach and when and how to notify the correct authorities, to ensure compliance with federal, state and local notification laws. Several disclosure requirements depend on how many patient records were compromised (the HIPAA Breach Notification Rule, for example, adds media and immediate HHS notification obligations when a breach affects 500 or more individuals), so healthcare organizations should consider engaging a forensic investigator to determine the full extent of the breach and the damage it caused.

2.   Designate a person to document EHR downtime.

This documentation will be helpful for insurance purposes and for notifying authorities. The documentation should include the date and time the outage occurred, when authorities were notified and what steps were taken to mitigate the extent of the outage.

Healthcare organizations should involve executive leadership in developing, coordinating and testing incident response plans. Having executives involved in the incident response plans will reduce confusion among clinical staff and limit delays in patient care delivery.

3.   Implement and follow policies to preserve patient documentation during EHR downtime.

Healthcare organizations should institute and follow policies addressing how they will document phone messages, lab results, diagnostic test results and patient encounters without EHR. As part of the policies, healthcare organizations should go through each type of documentation used during a patient visit, such as paper records, lab diagnostics, appointment schedules and patient charge forms, and ensure that paper backups are in place for each type of documentation.

Healthcare organizations should routinely update paper backups and train clinical staff and third parties on finding and using those backups.

4.   Run backups and store backups in different locations.

Failure to conduct routine backups internally can leave healthcare organizations exposed to the loss of patient data. If systems are not backed up regularly, an outage can destroy data that was never saved to a backup and lengthen the outage while that data is reconstructed. Running routine backups of IT systems and the EHR helps healthcare organizations preserve the most recently saved data and shortens the return to normal operations.

Healthcare organizations should have an off-site backup system that can be accessed readily in the event of an outage. This backup system can be either cloud-based storage or a physical server. Cloud-based storage is a service reached over the Internet that can be connected to multiple organizations, network systems and devices. A cloud-based system is typically more cost-effective than physical servers but may introduce more security risk, depending on how much of the healthcare organization's IT environment is connected to the cloud and how access to the storage is controlled.

On the other hand, physical servers allow healthcare organizations to control data storage and access that data. But physical servers are a more expensive investment than cloud-based storage and may not be feasible logistically and financially for some healthcare organizations.

Having an off-site system will help healthcare organizations preserve information and limit the extent of an outage. This off-site system should be read-only for everyday users: only the backup process writes to it, and clinical staff can retrieve records from it during any outage or downtime without being able to alter or delete them. This matters most in a ransomware attack, where a backup reachable with the same credentials as the production systems is typically encrypted or deleted along with them. The read-only system should be updated on the same schedule as the other online systems, and healthcare organizations should institute and follow protocols for when and how to access the off-site backup when an outage occurs.
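The two habits this section asks for, running routine backups to a separate location and drilling the restore, are easy to state and easy to skip. The script below is an added example written for this article, not MagMutual's or any EHR vendor's code, that shows the minimum a restore drill should prove: the copy stored off-site was written read-only, and every file extracted from it hashes to the value recorded at backup time. The file names and the "off-site" directory are hypothetical; in practice the target would be a mounted cloud bucket or a separate server, and the records would be the EHR vendor's export rather than the constructed text files used here.

```python
"""Backup-and-restore drill for a records directory.

Added example for this article (not MagMutual's or any vendor's code).
Assumptions: records are plain files under one directory; the "off-site"
target is any directory (a mounted cloud bucket, a NAS share); all paths
and sample records below are constructed for the demo and contain no PHI.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def take_backup(source: Path, offsite: Path) -> Path:
    """Archive `source` to offsite/ehr-<timestamp>.tar.gz with a hash manifest,
    then mark the archive read-only so a routine process cannot overwrite it."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = offsite / f"ehr-{stamp}.tar.gz"
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    os.chmod(archive, 0o444)  # read-only copy: the drill reads it, nobody writes it
    return archive


def verify_restore(archive: Path) -> dict:
    """Restore drill: extract into scratch space and compare every file's hash
    against the manifest written at backup time."""
    manifest = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuse paths escaping scratch
            except TypeError:  # Python older than the 'filter' argument (3.12 / backports)
                tar.extractall(scratch)
        restored = build_manifest(Path(scratch))
    missing = sorted(set(manifest) - set(restored))
    corrupt = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    return {"ok": not missing and not corrupt, "files": len(manifest),
            "missing": missing, "corrupt": corrupt}


def run_drill_demo() -> dict:
    """Run the drill end to end on constructed sample records, once against an
    intact backup and once after one recorded hash is altered (standing in for
    a silently corrupted file), so the check is seen to fire."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as off:
        source, offsite = Path(src), Path(off)
        (source / "labs").mkdir()
        (source / "patient-0001.txt").write_text("constructed demo record\n")
        (source / "labs" / "cbc-0001.txt").write_text("constructed demo lab result\n")
        archive = take_backup(source, offsite)
        clean = verify_restore(archive)
        recorded = json.loads(manifest_path(archive).read_text())
        recorded["patient-0001.txt"] = "0" * 64  # simulated mismatch
        manifest_path(archive).write_text(json.dumps(recorded))
        tampered = verify_restore(archive)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_drill_demo(), indent=1))
```

The drill extracts into scratch space rather than over the live records directory on purpose: a restore test that overwrites production is itself an outage waiting to happen. Keeping the manifest alongside the archive, and keeping both read-only, also gives the debrief (item 6) a fixed reference point for what the backup contained at a given time.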

5.   If an outage is caused by a data breach, contact the relevant authorities.

Once a breach occurs, healthcare organizations must notify certain authorities of the breach. MagMutual has created separate guidance that goes more into depth about how organizations can respond when they receive notice of a data breach from a third-party vendor. This guidance can be found here.

6.   Debrief and analyze the system outage.

Before analyzing a system outage, healthcare organizations and their third parties must first contain it, following the incident response plan. Containment depends on the type of incident, but common measures include disconnecting affected systems from the network, isolating infected hosts, disabling network access points and restricting Internet traffic. If a forensic investigation is expected, preserve logs and disk images of the affected systems before they are wiped or rebuilt; reimaging first destroys the evidence the investigator needs to determine the extent of a breach.

After the outage has been contained and the relevant authorities contacted, healthcare organizations should debrief and analyze why the downtime occurred. When conducting the analysis, the organization and its third parties should consider the following questions:

  • What happened and at what times?
  • How well was the incident handled?
  • Were documented procedures followed? Were the documented procedures adequate?
  • Were any steps or actions taken that may have inhibited recovery?
  • How could communications have been improved during the incident?
  • What corrective actions could prevent a similar incident?
  • Were there signs that were missed? Does monitoring need to be refined?

Policies and Procedures to Prevent Future Outages

To prevent future EHR downtime, healthcare organizations should treat third-party risk as their own risk. Organizations should therefore require third parties to comply with the security requirements of applicable privacy and security laws, and should obtain written assurance from those third parties that their security programs meet applicable federal, state and local requirements.

Healthcare organizations should also review their business associate agreements (BAAs) with third parties. BAAs should have provisions about data storage and disposal, descriptions of vendor privacy and security programs, right-to-audit clauses and protocols for disclosing deficiencies in security systems.

Third-Party Compensation for Outages

After an outage caused by a third party, a healthcare organization and its third-party vendor may want to maintain their professional relationship. The organization should review its agreement with the vendor to see what the vendor will provide in the event of EHR downtime. These services may include discounts, credit monitoring for patients, the ability to modify the agreement and reimbursement for outage-related expenses. If the agreement does not specify any services, healthcare organizations should ask the vendor's sales representative what the vendor offers other clients in the event of an outage.

If the agreement does not say how third parties will reimburse healthcare organizations for EHR downtime, organizations should negotiate with third parties on how they will reimburse the organization for expenses related to the downtime, including notification expenses, liability expenses and other expenses that helped minimize the downtime. If the third-party vendor is not willing to negotiate, consider engaging an outside attorney.

If a healthcare organization believes legal recourse is necessary because of the outage, the organization should review its contract with the third-party vendor to see what recourse is available under the contract. Examples of legal recourse include arbitration and mediation. If the healthcare organization decides legal recourse is necessary, consider engaging an outside attorney.

Additional Resources

Safety Assurance Factors for EHR Resilience (SAFER) – Contingency Planning for EHR Outages

Healthcare Innovation – Lessons from an Extended Outage

Xtelligent Healthcare Media, LLC – Cloud v. On Premise EHRs

Logically, Inc. – 6 Ways to Minimize IT Downtime

Xtelligent Healthcare Media, LLC – How to Optimize EHR Downtime Preparedness

Lessons Learned:

  • If your healthcare organization is involved in a data breach, consult with outside counsel early to understand any reporting requirements under federal, state and local notification laws.
  • After evaluating your practice’s potential downtime practice drills, ensure that you keep a copy of any notes taken during the evaluation.
  • Ensure that your incident response plan is reviewed annually. Consider using MagMutual’s incident response plan template, which can be found in the Cyber Center.

Potential Damages

Failure to appropriately safeguard your patient’s protected health information from cybersecurity attacks and data breaches could be a HIPAA violation, resulting in costly damages and fines to your practice. Although these violations carry serious penalties, the frequency of such incidents is relatively low.

[1] EHR downtime occurs any time where EHR systems are not fully operating. This article uses the terms “downtime” and “outage” to refer to when electronic systems are not working.

Quiz

Answers are provided below

True or false?

Question 1: My practice must have a contingency plan in place to prepare for the possibility of an EHR downtime or disruption.

Question 2: Downtimes can be caused by a cyberattack. Therefore, my practice needs to prepare for such in the incident response plan.

Question 3: My practice must ensure that proper patient documentation continues in the event of a downtime.

Answer 1: True. Healthcare organizations are required by the HIPAA Security Rule to have a contingency plan to continue patient care delivery in the event of system downtime whether caused by their own IT system or a third-party system.

Answer 2: True. If the downtime results from a security incident, such as a cyberattack, your practice’s incident response plan should include steps for responding to and reporting any potential data breaches.

Answer 3: True. Your practice should ensure that all staff are trained and prepared for how they will continue to document patient care during EHR downtime. Policies should address how clinical staff will document phone messages, lab results, diagnostic test results and patient encounters without EHR.

09/22

Disclaimer

The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.