
How 'digital darkness' threatens patient safety
ECRI names outages tied to cyberattacks and natural disasters among the leading dangers to patients, and hospitals need to have strong readiness plans.
If hospitals lose access to their computers, patient safety can be compromised, Dr. Marcus Schabacker says.
Schabacker is the president and CEO of ECRI, an organization focused on improving patient safety. The group recently released its annual list of the 10 biggest threats to patient safety, and ECRI placed “digital darkness” events right near the top. Outages of computer systems ranked second, trailing only
Hundreds of health systems
“It's actually a big concern for us, because it's not just a cyberattack,” he says. “It can be a natural disaster.”
“It can be cybersecurity. It can be a fire in part of your hospital … It can be a grid outage, and your generator is not covering, generating enough power,” he says.
Hospitals need to have strong readiness plans in place, and healthcare leaders shouldn’t be thinking of these as rare events that may only occur once in a lifetime.
“These things can happen and they will happen,” Schabacker says. “It's not a question of if they happen. The question is, when it's going to hit you. And if you are woefully unprepared, then you put patient lives at risk.”
(See part of our conversation in this video. The story continues below.)
Responding to crisis
If hospitals lose access to computer systems, they face enormous challenges in maintaining patient care, Schabacker says.
Health systems rely heavily on electronic medical records, and without access to that data, it’s harder to get information on patients’ medication history or allergies. Health systems have to shift to patient records, which can be time-consuming and can increase the risk of mistakes, he says. Some medical devices won’t be working in outages.
And with computers down for an extended period, there are obvious financial implications. Health systems will be hampered with billing and payments. And health systems can probably expect the possibility of lawsuits, Schabacker notes.
“There's lots of reasons why you wouldn't want to have a prolonged outage,” Schabacker says.
Health systems should have regular drills for digital darkness events, once or twice a year, he suggests.
Schabacker points to Prisma Health in South Carolina as a system that has shown resilience. When Hurricane Helene unleashed devastation in 2024, Prisma was able to maintain patient care and system operations due to its strong readiness and planning.
“They were able to bounce back rapidly within hours, because they had a disaster plan in place or a digital darkness event,” he says.
- Read more:
Chatbots and bias in medicine
Plan for weeks
John Riggi, national adviser for cybersecurity and risk at the American Hospital Association, told Chief Healthcare Executive in
Riggi says health systems must ask themselves, “How will you care for your patients for 30 days or longer?” And he says that’s the typical amount of time it takes to recover from a ransomware attack.
While Riggi stresses that health systems need to be sure they have robust cybersecurity programs, they also need to maintain detailed plans for taking care of patients in the event of an attack or outage.
“Focus on resiliency, focus on clinical continuity as much as defense,” Riggi says.
The Joint Commission
Health systems should be prepared to have life-saving technology offline for four weeks or longer. Health systems also need contingency plans if they manage electronic records from a central location, and if disruptions are occurring at multiple hospitals.
Schabacker says health systems should have input from doctors, nurses and key staff across the organization in developing plans for working without computers and other key technology for an extended period.
“Have your clinicians, your administration think about how would they react, and then develop the plan based on their input,” Schabacker says. “This is not something you can do in an ivory tower. You’ve got to talk to the people on the ground, and you have to run them through the scenario. What would you do?”
For health systems with multiple campuses, they need to figure out the impact on other hospitals if the outage is at one facility.
As Schabacker says, “If we have centralized our data collection and data management in one place, what happens if that one place goes out? Who else is impacted? Do I have local backups?”
Anika Gardenhire, chief digital and information officer of Ardent Health,
“It's the way that your teams show up, how quickly you can activate people,” she said at the conference. “It's the partnership with your executive leadership team and really understanding who can make what decisions, how you'll make decisions, creating a coordinated effort.”































































