Cultural Change at CMS is Needed to Mend Adversarial Relationship With Physicians
Increasingly hazardous healthcare environment should urge Congress to create a National Health IT Safety Center

Improved Physician Practice Preparedness To Recover from EMR Downtime and Other Technology Risks is Needed

It should not take 3 weeks to restore an EMR system.  

I was not surprised when one of my colleagues told me his EMR unexpectedly "went down", as there are many threats to hardware and software--wind, fire, water, construction equipment, human error and cyber crimes to name a few.  It was the rest of his story that was so disheartening.  As he recalled the struggles that his group endured for three weeks, his facial expression contorted into what I can best describe as that of "helpless resignation".   The complexities of technology had held him and his group hostage for three weeks.   At the time of our initial discussion he was still in the "grieving" stage, so I felt it to be too early to engage in a healthy discussion about IT risk management.   He needed to vent.   I needed to listen.  

And this story exemplifies what drives me to spend time collaborating with the Texas Medical Association (TMA) and others to raise physician awareness about the safe use of EMRs.   I do not have data, but my gut tells me that the majority of physician practices underestimate how vulnerable they are to EMR threats, especially small physician practices who lack internal IT expertise.  Perhaps the recent rise in ransomware attacks will actually be beneficial.  A ransomware attack on a physician office in South Texas earlier this year has led the TMA to increase communications to physicians about the threat of ransomware and other cyber attacks.    

Until recently the focus of preventive strategies against cyber attacks has been to ensure that the privacy and confidentiality of electronic medical records (EMRs) are maintained.   HIPAA stuff.   And this is understandable since privacy breaches are expensive for a practice to manage, and such breaches have the potential to financially hurt patients if their data is used maliciously.  But ransomware attacks are different because they make a physician's EMR unusable until a ransom is paid (or the EMR is otherwise restored).  Unlike privacy breaches, ransomware attacks are disruptive to the daily operations of the practice.  It is a disruption that impairs the ability to take care of patients who are in the office as well as those who call the office.  At the end of the day the physician is left struggling to take care of patients who are sick without access to information that is really needed.  This is a "new normal" that should brightly illuminate the need for improved disaster recovery preparedness and IT risk management for physician practices.    

There are ways to reduce the threat of ransomware attacks and other health IT risks.  A thorough security risk analysis can identify weaknesses that could be targeted by cyber criminals.  Steps can then be taken to reduce the chances of being victimized.  Establishing a habit of continually identifying and managing these technical risks will further reduce the chances of an EMR shutdown.  

But one of the major obstacles is that physicians generally do not have the knowledge, expertise and time to do this themselves.  Another obstacle is that security risk analyses tools are designed primarily for large healthcare systems and do not translate well onto a small physician practice.  That is why the TMA's ad hoc Health IT Committee is currently collaborating with a vendor, a state agency and one small physician practice to hone down a security risk planning tool into something that would be feasible and effective for small physician practices to adopt.  For now physicians have to rely on consultants or train/hire IT staff to identify and manage technology security risks.

Nevertheless, no system can be 100% "downtime-proofed".  So even if a physician practice adopts best practices for security risk management, they must be prepared for a disaster to strike at any time.  After a disaster strikes, maintaining the ability to effectively care for patients must be the first priority.  I have coined the term, "clinical continuity planning", to characterize this planning.  I base the term on a similar commonly used term, "business continuity planning", which is the plan businesses develop to maintain daily operations during technology downtimes and disasters.  A physician office certainly is a business and should have a business continuity plan to maintain economic viability during disasters.  But the life-and-death nature of patient care is so unique that I believe a clinical continuity plan should be developed by each practice and be considered as the first priority in disaster planning.  Business continuity is integrated with clinical continuity and is also vital to the physician practice, but it should be considered as a lower priority.  In the real world this means that when weaknesses in security and downtime planning are identified, clinical continuity weaknesses should be addressed before business continuity weaknesses are addressed.  
 
The most effective protection against a ransomware attack and other types of "downtime" is to have a complete back up of EMR data and an ability to quickly restore the EMR system.  If the practice can do that, they may not have to pay a ransom, and the impact on patient care can be minimized if the back up and restore tools/processes are effective.  
 
With the rise of ransomware attacks I believe the primary focus of health IT risk management for physician practices should be to ensure an acceptable degree of clinical continuity can be maintained during EMR downtimes.  Secondarily, the practice should understand the tools and processes that are in place to back up and restore the EMR in the event of a disaster.  And to make sure they get tested.    The first time a physician discovers that it will take 3 weeks to restore their EMR should not be after a real disaster strikes.   
 
 
mattmurraycook children's
 mgg
 

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Interesting! With introduction of new technology comes a whole host of new challenges. I would think there are many effective solutions for backup and quick recovery. These are used in many industries. Why are they not being used for EMR?

The comments to this entry are closed.