According to the Health and Human Services Office for the Inspector General (OIG), in 2014 almost 60% of hospitals had an outage in their Electronic Health Records (EHR) and 25% of those say it delayed patient care. Of those outages, 20% lasted longer than eight hours with 15% having a negative impact on patient care and 9% of patients having to be rerouted.
While hacking accounted for only 1% of EHR outages, the vast majority were caused by hardware malfunctions, internet connectivity issues, power failures, and the like. Unfortunately, this data was collected in 2014, before the recent rash of data breaches and before hackers had really begun targeting medical facilities with ransomware.
In March the HHS Office for Civil Rights began a second wave of HIPAA audits, with part of its focus on EHR contingency plans. This, along with the guidelines released in July, is a step in the right direction. Fortunately, the vast majority of facilities have plans for dealing with EHR outages.
HIPAA requires organizations to have four things in place to deal with Electronic Health Records outages: data backup, disaster recovery, emergency operations plans, and a process to test and revise those plans. In addition to these requirements, OIG suggests medical facilities update their plans on a regular basis and either adopt the cybersecurity framework from the National Institute of Standards and Technology or follow the recommended practices from the Office of the National Coordinator’s SAFER Self-Assessment.