Improved Physician Practice Preparedness To Recover from EMR Downtime and Other Technology Risks is Needed
It should not take 3 weeks to restore an EMR system.
I was not surprised when one of my colleagues told me his EMR unexpectedly "went down", as there are many threats to hardware and software: wind, fire, water, construction equipment, human error and cyber crime, to name a few. It was the rest of his story that was so disheartening. As he recalled the struggles that his group endured for three weeks, his facial expression contorted into what I can best describe as "helpless resignation". The complexities of technology had held him and his group hostage for three weeks. At the time of our initial discussion he was still in the "grieving" stage, so I felt it was too early to engage in a healthy discussion about IT risk management. He needed to vent. I needed to listen.
This story exemplifies what drives me to spend time collaborating with the Texas Medical Association (TMA) and others to raise physician awareness about the safe use of EMRs. I do not have data, but my gut tells me that the majority of physician practices underestimate how vulnerable they are to EMR threats, especially small physician practices that lack internal IT expertise. Perhaps the recent rise in ransomware attacks will actually be beneficial. A ransomware attack on a physician office in South Texas earlier this year has led the TMA to increase communications to physicians about the threat of ransomware and other cyber attacks.
Until recently the focus of preventive strategies against cyber attacks has been to ensure that the privacy and confidentiality of electronic medical records (EMRs) are maintained. HIPAA stuff. And this is understandable since privacy breaches are expensive for a practice to manage, and such breaches have the potential to financially hurt patients if their data is used maliciously. But ransomware attacks are different because they make a physician's EMR unusable until a ransom is paid (or the EMR is otherwise restored). Unlike privacy breaches, ransomware attacks are disruptive to the daily operations of the practice. It is a disruption that impairs the ability to take care of patients who are in the office as well as those who call the office. At the end of the day the physician is left struggling to take care of patients who are sick without access to information that is really needed. This is a "new normal" that should brightly illuminate the need for improved disaster recovery preparedness and IT risk management for physician practices.
There are ways to reduce the threat of ransomware attacks and other health IT risks. A thorough security risk analysis can identify weaknesses that could be targeted by cyber criminals. Steps can then be taken to reduce the chances of being victimized. Establishing a habit of continually identifying and managing these technical risks will further reduce the chances of an EMR shutdown.
But one of the major obstacles is that physicians generally do not have the knowledge, expertise and time to do this themselves. Another obstacle is that security risk analysis tools are designed primarily for large healthcare systems and do not translate well to a small physician practice. That is why the TMA's ad hoc Health IT Committee is currently collaborating with a vendor, a state agency and one small physician practice to pare down a security risk planning tool into something that would be feasible and effective for small physician practices to adopt. For now, physicians have to rely on consultants or train/hire IT staff to identify and manage technology security risks.