The list of things that can go wrong with the technology powering your EHR or practice management (PM) system is long, and the threats to its proper function are growing. Medical practice leaders must be prepared for outages or downtime, regardless of the cause:
- Cyberattacks (e.g., ransomware) that disable or hold systems hostage
- Natural disasters or severe weather that interrupt power supplies and/or internet connections to cloud data
- Upgrades or other planned outages that take longer than normal.
A July 27, 2021, MGMA Stat poll found that 82% of medical practices have an EHR/PM system downtime protocol, versus 18% that do not. The poll had 448 applicable responses.
By 2014, a study published in the International Journal of Medical Informatics found that 96% of healthcare institutions had at least one unplanned downtime of any length in the previous three years, and 70% of them had an unplanned downtime more than eight hours long in that same period. Particularly concerning in that study was the fact that “most institutions had only partially implemented comprehensive contingency plans to maintain safe and effective healthcare during unexpected EHR downtimes.”
The importance of having proper protocols or staff education for EHR/PM system downtime has only grown in recent years. As Lee Holmes, chief executive officer, Intensive Specialty Hospital of Shreveport and Bossier City, La., noted on a recent MGMA Insights podcast, cyberattacks aimed at healthcare facilities aren’t simply growing in number — the severity has intensified, too.
By summer 2020 when Holmes’ organization faced an attack, the range of what ransomware schemers sought from medical practices was closer to $25,000 to $30,000, but they have since reevaluated what larger groups might pay. “Very quickly, [the attackers] assessed that we were a larger organization … and weren’t even willing to talk to us about any number smaller than $100,000.”
That type of ransom, if an organization chooses to pay it, is only part of the bigger financial impact of the attack and the associated downtime on an affected system, Holmes cautioned:
- Inability to enter orders or interruption of patient care due to lack of access to patient vitals/history, which can affect revenue
- Time and resources spent restoring your system and checking for data integrity
- Time and costs associated with reporting a potential HIPAA breach.
In the past, downtime protocols relied primarily on paper versions of the practice’s clinical documentation and workflows. In recent years, MGMA members noted that many EHR and PM system vendors have offered system updates to allow for locally stored documentation that can later be reconciled with a cloud system once downtime has ended.
What to do when things go wrong
The impacts of EHR downtime are well-documented. A 2019 study published in Applied Clinical Informatics found that lab testing results were delayed by 62% on average during EHR downtime, and that downtime paper records were often inconsistent or incomplete. The authors concluded that “better and more detailed downtime contingency plans with a focus on communications, resource allocation and training are necessary.”
Ways to manage downtime
Healthcare provider organizations should have continuity of operations plans for events or situations that interrupt normal business, and a chapter on loss of an EHR or PM system can be useful, as Steve Gravely, chief executive officer, Gravely Group, told EHRIntelligence in 2018.
- The Office of the National Coordinator (ONC) for Health Information Technology has produced SAFER (Safety Assurance Factors for EHR Resilience) Guides — nine guides in total — that provide recommendations for safe use of EHRs, including a contingency planning team worksheet to address scenarios such as an extended power outage, shifting to backup systems and more.
- A May 2020 report in the Online Journal of Nursing Informatics described a pilot of a “Badge Buddy” program: a double-sided reference card/cheat sheet affixed to clinical staff members’ badge holders “for speedy access” that outlines appropriate steps, including a CLEAR process:
  - Check and communicate the problem
  - Locate the system downtime plans and downtime carts/kits
  - Establish alternative patient care continuity processes
  - Activate IT downtime plan and document information
  - Recover by entering data back into the electronic environment after the downtime.
- The Academic Medical Center Patient Safety Organization (AMC PSO) has an extensive report, “Patient Safety Guidance for Electronic Health Record Downtime,” that outlines how to prepare for EHR downtime, communication/messaging strategies, migrating to paper-based systems and all other steps leading to recovery/restoration of an EHR.
- For an in-depth look at business continuity and improvement strategies for a post-COVID-19 world, read “Ready for the next big ‘what if’” in the July issue of MGMA Connection magazine.
- Learn about the benefits of cyberinsurance and considerations for assessing your coverage needs in this May 26, 2021, MGMA Stat data story.
- MGMA members can download an incident response plan checklist to assist in their responses to information security incidents.
- MGMA Government Affairs has numerous resources related to health IT and EHR policy, as well as:
  - Cybersecurity Action Steps — To help protect your practice against cyberattacks, download this 10-step tool from MGMA Government Affairs.
  - HIPAA Breach Toolkit — Download this member-exclusive resource from MGMA Government Affairs to help your practice better understand and implement the HIPAA breach requirements.